Splunk Enterprise Security

Should Splunk Enterprise Security be the only thing installed on a Search Head?

DavisLee
New Member

I've been told that "Best Practices" (one of my least favorite terms) is to leave Splunk Enterprise Security (ES) on its own Search Head (SH) and put all your other apps and custom searches on a different SH. True? Comments?

0 Karma
1 Solution

woodcock
Esteemed Legend

Definitely true. ES is a beast and runs a ton of Data Model Accelerations and searches. I would not ever run anything on an ES Search Head but ES stuff. Ever.

View solution in original post

DavisLee
New Member

Yes, my apologies, I was rushing to a meeting and did not include enough information. This is a production environment and a distributed environment ingesting a few hundred gig per day of diverse data.

Thanks,
Davis

0 Karma

ChrisG
Splunk Employee
Splunk Employee

Dedicated search head then, yes, definitely.

0 Karma

woodcock
Esteemed Legend

Definitely true. ES is a beast and runs a ton of Data Model Accelerations and searches. I would not ever run anything on an ES Search Head but ES stuff. Ever.

View solution in original post

ChrisG
Splunk Employee
Splunk Employee

You can install Enterprise Security on a single instance (search head and indexer on the same machine), which is useful for proof-of-concept work. In production, you should run ES in a distributed deployment, in which case you should have a dedicated search head. See Deployment planning in the Splunk Enterprise Security Installation and Upgrade Manual.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!