Splunk Enterprise

Add Enterprise Security to on prem clustered environment

SplunkExplorer
Contributor

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.

As usual when I put a question here, let me share a minimal of context and assumption.

Environment:

  • A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
  • Currently, only one SH
  • Clustered indexers

Task: 

  • Install and configure a SH with Splunk Enterprise Security.

Assumption:

  • I know the full installation procedure (doc + Splunk Enterprise Admin course)
  • I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:
> splunk edit cluster-config
-mode searchhead
-manager_uri https://<manager node address>
-secret <cluster secret>

 
Questions:

  • This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
  • SH with ES component should be  add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?
Labels (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

You install ES differently on a standalone SH and on a SHC. So you must either firstly set up a SHC (and for that you don't use an existing SH - you spin up a clear SH and join it to the SHC). Whether you want a SHC depends on your needs and expected workload. You can create a SHC (but again - you must create a new SHC and then possibly migrate some of your settings from existing standalone SH manually) and install ES on it. But just as well you could set up a dedicated SH just for ES use (and use the other SH for "normal" Splunk work). Both approaches have their pros and cons. Single SHC is bigger in minimal option (you need at least three SHs for the SHC and a deployer) but is probably easier to manage than two separate SHs - they can be painful to keep relevant configs in sync.

View solution in original post

SplunkExplorer_
Engager

@SplunkExplorer wrote:

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.

As usual when I put a question here, let me share a minimal of context and assumption.

Environment:

  • A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
  • Currently, only one SH
  • Clustered indexers

Task: 

  • Install and configure a SH with Splunk Enterprise Security.

Assumption:

  • I know the full installation procedure (doc + Splunk Enterprise Admin course)
  • I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:

 

> splunk edit cluster-config
-mode searchhead
-manager_uri https://<manager node address>
-secret <cluster secret>

 

 
Questions:

  • This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
  • SH with ES component should be  add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?


@SplunkExplorer wrote:

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.

As usual when I put a question here, let me share a minimal of context and assumption.

Environment:

  • A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
  • Currently, only one SH
  • Clustered indexers

Task: 

  • Install and configure a SH with Splunk Enterprise Security.

Assumption:

  • I know the full installation procedure (doc + Splunk Enterprise Admin course)
  • I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:

 

> splunk edit cluster-config
-mode searchhead
-manager_uri https://<manager node address>
-secret <cluster secret>

 

 
Questions:

  • This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
  • SH with ES component should be  add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?

Check DM. 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

You install ES differently on a standalone SH and on a SHC. So you must either firstly set up a SHC (and for that you don't use an existing SH - you spin up a clear SH and join it to the SHC). Whether you want a SHC depends on your needs and expected workload. You can create a SHC (but again - you must create a new SHC and then possibly migrate some of your settings from existing standalone SH manually) and install ES on it. But just as well you could set up a dedicated SH just for ES use (and use the other SH for "normal" Splunk work). Both approaches have their pros and cons. Single SHC is bigger in minimal option (you need at least three SHs for the SHC and a deployer) but is probably easier to manage than two separate SHs - they can be painful to keep relevant configs in sync.

richgalloway
SplunkTrust
SplunkTrust

The ES SH should be kept separate and not joined with the existing SH into a cluster because: 1) you need at least 3 SHs to make a cluster; 2) SHs must be virgin to form a cluster; 3) ES doesn't play well with other apps and so needs to be on its own.

---
If this reply helps you, Karma would be appreciated.

SplunkExplorer
Contributor

Thanks a lot @richgalloway. Answer to Question 2 is exactly what I supposed. 

Regarding point 1, is the syntax I posted is the one to use to "insert" ES on environment or should I use another one?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The syntax you gave is the right one for adding a new SH to a cluster, but you don't need it just to install ES on an SH.  Create a new SH and install ES on it using the instructions in the ES manual.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...