The Splunk Cisco-esa TA needs to be installed on your HWF, all indexers and the SHs. If you have a dedicated SH for the Splunk Enterprise Security module, the TA needs to be installed there also.
You just have to add the Splunk_TA_Cisco-esa add-on to your HWF [if you are collecting the data in your HWF], to all the indexer nodes in your cluster, and to your Search Head Cluster. If you have a dedicated Search Head for your Splunk ES module, you need to add the add-on there also. Only then will the events coming from the Cisco-ESA appliance be transformed when you do the search in the Splunk ES module.