Splunk Enterprise Security
Highlighted

How to install the Splunk App for Enterprise security on indexers in my deployment?

Explorer

I'm running 4 indexers, 1 search head and 1 master as my splunk enterprise architecture . I've read the instructions that state you must install the splunk enterprise security app on the search head and indexers. I've installed the app on the search head, but was wondering about the indexers.. Do I need to enable splunk web and install the app on each of the 4 indexers just like the search head? Is the installation different for the indexers?

Last question would be with the master.. should I go ahead and install the app on the master too?

just as an fyi.. I was going to initially drop the app on the master under the deployment apps folder and push them to the indexers..But then they wouldn't be configured the same..

0 Karma
Highlighted

Re: How to install the Splunk App for Enterprise security on indexers in my deployment?

Explorer

To sum my question.. can someone tell me how I should install this app on my 4 indexers?

0 Karma
Highlighted

Re: How to install the Splunk App for Enterprise security on indexers in my deployment?

Splunk Employee
Splunk Employee

Once you install ES app to your Search Head, you should see some folders under /etc/apps/ that are like "SA-" "SplunkTA" and "TA-*" copy the ones you are using to your Indexing and U&H Forwarding tier.

Here is the Link in the ES configuration manual that discusses in more detail.
ES Config Manual Determine which add-ons to deploy