Splunk Enterprise Security
Highlighted

Should Splunk Enterprise Security be the only thing installed on a Search Head?

New Member

I've been told that "Best Practices" (one of my least favorite terms) is to leave Splunk Enterprise Security (ES) on its own Search Head (SH) and put all your other apps and custom searches on a different SH. True? Comments?

0 Karma
Highlighted

Re: Should Splunk Enterprise Security be the only thing installed on a Search Head?

Splunk Employee
Splunk Employee

You can install Enterprise Security on a single instance (search head and indexer on the same machine), which is useful for proof-of-concept work. In production, you should run ES in a distributed deployment, in which case you should have a dedicated search head. See Deployment planning in the Splunk Enterprise Security Installation and Upgrade Manual.

0 Karma
Highlighted

Re: Should Splunk Enterprise Security be the only thing installed on a Search Head?

Esteemed Legend

Definitely true. ES is a beast and runs a ton of Data Model Accelerations and searches. I would not ever run anything on an ES Search Head but ES stuff. Ever.

View solution in original post

Highlighted

Re: Should Splunk Enterprise Security be the only thing installed on a Search Head?

New Member

Yes, my apologies, I was rushing to a meeting and did not include enough information. This is a production environment and a distributed environment ingesting a few hundred gig per day of diverse data.

Thanks,
Davis

0 Karma
Highlighted

Re: Should Splunk Enterprise Security be the only thing installed on a Search Head?

Splunk Employee
Splunk Employee

Dedicated search head then, yes, definitely.

0 Karma