Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Add Enterprise Security to on prem clustered environment

SplunkExplorer
Contributor
‎01-18-2024 05:50 AM

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.

As usual when I put a question here, let me share a minimal of context and assumption.

Environment:

  • A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
  • Currently, only one SH
  • Clustered indexers

Task: 

  • Install and configure a SH with Splunk Enterprise Security.

Assumption:

  • I know the full installation procedure (doc + Splunk Enterprise Admin course)
  • I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:
> splunk edit cluster-config
-mode searchhead
-manager_uri https://<manager node address>
-secret <cluster secret>

 
Questions:

  • This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
  • SH with ES component should be  add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎01-18-2024 06:27 AM

You install ES differently on a standalone SH and on a SHC. So you must either firstly set up a SHC (and for that you don't use an existing SH - you spin up a clear SH and join it to the SHC). Whether you want a SHC depends on your needs and expected workload. You can create a SHC (but again - you must create a new SHC and then possibly migrate some of your settings from existing standalone SH manually) and install ES on it. But just as well you could set up a dedicated SH just for ES use (and use the other SH for "normal" Splunk work). Both approaches have their pros and cons. Single SHC is bigger in minimal option (you need at least three SHs for the SHC and a deployer) but is probably easier to manage than two separate SHs - they can be painful to keep relevant configs in sync.

View solution in original post

Reply
Solved! Jump to solution

SplunkExplorer_
Engager
‎01-19-2024 09:39 AM
@SplunkExplorer wrote:

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.

As usual when I put a question here, let me share a minimal of context and assumption.

Environment:

  • A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
  • Currently, only one SH
  • Clustered indexers

Task: 

  • Install and configure a SH with Splunk Enterprise Security.

Assumption:

  • I know the full installation procedure (doc + Splunk Enterprise Admin course)
  • I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:

 

> splunk edit cluster-config
-mode searchhead
-manager_uri https://<manager node address>
-secret <cluster secret>

 

 
Questions:

  • This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
  • SH with ES component should be  add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?
@SplunkExplorer wrote:

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.

As usual when I put a question here, let me share a minimal of context and assumption.

Environment:

  • A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
  • Currently, only one SH
  • Clustered indexers

Task: 

  • Install and configure a SH with Splunk Enterprise Security.

Assumption:

  • I know the full installation procedure (doc + Splunk Enterprise Admin course)
  • I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:

 

> splunk edit cluster-config
-mode searchhead
-manager_uri https://<manager node address>
-secret <cluster secret>

 

 
Questions:

  • This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
  • SH with ES component should be  add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?

Check DM. 

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎01-18-2024 06:27 AM

You install ES differently on a standalone SH and on a SHC. So you must either firstly set up a SHC (and for that you don't use an existing SH - you spin up a clear SH and join it to the SHC). Whether you want a SHC depends on your needs and expected workload. You can create a SHC (but again - you must create a new SHC and then possibly migrate some of your settings from existing standalone SH manually) and install ES on it. But just as well you could set up a dedicated SH just for ES use (and use the other SH for "normal" Splunk work). Both approaches have their pros and cons. Single SHC is bigger in minimal option (you need at least three SHs for the SHC and a deployer) but is probably easier to manage than two separate SHs - they can be painful to keep relevant configs in sync.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-18-2024 06:04 AM

The ES SH should be kept separate and not joined with the existing SH into a cluster because: 1) you need at least 3 SHs to make a cluster; 2) SHs must be virgin to form a cluster; 3) ES doesn't play well with other apps and so needs to be on its own.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Wohamed_wakkad
Engager
3 weeks ago

is this best practice or  mandate --> ES doesn't play well with other apps and so needs to be on its own.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
3 weeks ago

Generally there are strict requirements (no ITSI and ES on the same SH/SHC) and guidelines (don't put unnecessary stuff on ES environment). To be on the safe side you shouln't run anything unnecessary on your ES instance(s). It's hard to say "no other apps" because it highly depends on what apps are we talking about (for example - an addon with a reporting action can be perfectly justified on ES) but if you have too many "strange" things installed, you might get into supportability problems and Splunk support might at some point tell you to clean your environment because any issue you might raise with them might be caused by additional apps, not ES itself.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
3 weeks ago

Mandate

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

SplunkExplorer
Contributor
‎01-18-2024 06:15 AM

Thanks a lot @richgalloway. Answer to Question 2 is exactly what I supposed. 

Regarding point 1, is the syntax I posted is the one to use to "insert" ES on environment or should I use another one?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-18-2024 07:01 AM

The syntax you gave is the right one for adding a new SH to a cluster, but you don't need it just to install ES on an SH.  Create a new SH and install ES on it using the instructions in the ES manual.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...