Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add Enterprise Security to on prem clustered environment

SplunkExplorer
Contributor
‎01-18-2024 05:50 AM

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.

As usual when I put a question here, let me share a minimal of context and assumption.

Environment:

  • A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
  • Currently, only one SH
  • Clustered indexers

Task: 

  • Install and configure a SH with Splunk Enterprise Security.

Assumption:

  • I know the full installation procedure (doc + Splunk Enterprise Admin course)
  • I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:
> splunk edit cluster-config
-mode searchhead
-manager_uri https://<manager node address>
-secret <cluster secret>

 
Questions:

  • This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
  • SH with ES component should be  add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎01-18-2024 06:27 AM

You install ES differently on a standalone SH and on a SHC. So you must either firstly set up a SHC (and for that you don't use an existing SH - you spin up a clear SH and join it to the SHC). Whether you want a SHC depends on your needs and expected workload. You can create a SHC (but again - you must create a new SHC and then possibly migrate some of your settings from existing standalone SH manually) and install ES on it. But just as well you could set up a dedicated SH just for ES use (and use the other SH for "normal" Splunk work). Both approaches have their pros and cons. Single SHC is bigger in minimal option (you need at least three SHs for the SHC and a deployer) but is probably easier to manage than two separate SHs - they can be painful to keep relevant configs in sync.

View solution in original post

Reply
Solved! Jump to solution

SplunkExplorer_
Engager
‎01-19-2024 09:39 AM
@SplunkExplorer wrote:

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.

As usual when I put a question here, let me share a minimal of context and assumption.

Environment:

  • A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
  • Currently, only one SH
  • Clustered indexers

Task: 

  • Install and configure a SH with Splunk Enterprise Security.

Assumption:

  • I know the full installation procedure (doc + Splunk Enterprise Admin course)
  • I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:

 

> splunk edit cluster-config
-mode searchhead
-manager_uri https://<manager node address>
-secret <cluster secret>

 

 
Questions:

  • This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
  • SH with ES component should be  add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?
@SplunkExplorer wrote:

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.

As usual when I put a question here, let me share a minimal of context and assumption.

Environment:

  • A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
  • Currently, only one SH
  • Clustered indexers

Task: 

  • Install and configure a SH with Splunk Enterprise Security.

Assumption:

  • I know the full installation procedure (doc + Splunk Enterprise Admin course)
  • I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:

 

> splunk edit cluster-config
-mode searchhead
-manager_uri https://<manager node address>
-secret <cluster secret>

 

 
Questions:

  • This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
  • SH with ES component should be  add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?

Check DM. 

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎01-18-2024 06:27 AM

You install ES differently on a standalone SH and on a SHC. So you must either firstly set up a SHC (and for that you don't use an existing SH - you spin up a clear SH and join it to the SHC). Whether you want a SHC depends on your needs and expected workload. You can create a SHC (but again - you must create a new SHC and then possibly migrate some of your settings from existing standalone SH manually) and install ES on it. But just as well you could set up a dedicated SH just for ES use (and use the other SH for "normal" Splunk work). Both approaches have their pros and cons. Single SHC is bigger in minimal option (you need at least three SHs for the SHC and a deployer) but is probably easier to manage than two separate SHs - they can be painful to keep relevant configs in sync.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-18-2024 06:04 AM

The ES SH should be kept separate and not joined with the existing SH into a cluster because: 1) you need at least 3 SHs to make a cluster; 2) SHs must be virgin to form a cluster; 3) ES doesn't play well with other apps and so needs to be on its own.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

SplunkExplorer
Contributor
‎01-18-2024 06:15 AM

Thanks a lot @richgalloway. Answer to Question 2 is exactly what I supposed. 

Regarding point 1, is the syntax I posted is the one to use to "insert" ES on environment or should I use another one?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-18-2024 07:01 AM

The syntax you gave is the right one for adding a new SH to a cluster, but you don't need it just to install ES on an SH.  Create a new SH and install ES on it using the instructions in the ES manual.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...