Having issues with Splunk Enterprise Security implementation? There’s a lot of value in Splunk Enterprise Security (ES), but we’ve come across a few common mistakes with ES implementation. While adding the SIEM solution to a Splunk environment, here are some questions that often come up:
- “Where do I install Splunk ES?”
- “Do I need all of these add-ons?”
- “Can I run ES in my search head cluster?”
- “Wait, why do I have so many skipped searches now?”
Let’s walk you through some of the solutions we’ve seen in our experience.
“Where do I install Splunk Enterprise Security?”
While Splunk Enterprise Security can be installed on any Splunk Search Head, it is best practice for the application to have its own dedicated server. This will ensure that ES can perform at its best without impacting any of your other visualization apps or ad-hoc searches.
“Do I need all these add-ons?”
Splunk Enterprise Security comes pre-packaged with a number of add-ons. The add-ons that are required will automatically install with ES. Some add-ons aren’t required and come right from Splunkbase, the center for apps & add-ons for Splunk, like the Splunk Add-on for Windows. It is usually recommended to skip the installation of any Splunkbase add-ons and only let ES install the supporting add-ons it requires to function.
Pro tip: Many times, you will already have a number of Splunkbase add-ons from onboarding your data, and you won’t need to reinstall these add-ons.
“Can I run ES in my search head cluster?”
Yes! But we recommend only running version 5.3 or later due to improvements in managing ES in a Search Head Cluster. Earlier versions can be sufficient, but will require a staging server for making configuration changes to ES.
“Wait, why do I have so many skipped searches now?”
That’s good news! This means that ES is starting to work. ES comes pre-packaged with a number of correlation searches you can enable. Did you know that there are also dozens of supporting scheduled searches? These could include lookup generating searches, datamodel acceleration, summary generating searches, and many others.
Out of the box, ES adds a significant search load to any Splunk server. Oftentimes, the number of concurrent scheduled searches trying to run is simply more than the server can accommodate. Don’t go buying more hardware just yet! There are a number of tuning steps we can take early on to ensure ES is making full use of the resources already allocated to it.
Check out these areas when tuning:
- Tuning artificial search limits for scheduled searches
- Tuning datamodels
- Adjusting scheduled searches to make the most use out of every minute in an hour
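A sketch of how the first and third tuning areas interact, added here as an illustration and not taken from the original post or from Splunk. It derives the scheduled-search ceiling from the `limits.conf` settings `max_searches_per_cpu`, `base_max_searches`, `max_searches_perc` and `auto_summary_perc` (Splunk's defaults shown), then counts how many searches start in each minute of the hour. Assumptions: percentages round down, every search finishes within the minute it starts, and the search names and cron schedules are constructed.

```python
from collections import Counter

def scheduler_limits(cpus, max_searches_per_cpu=1, base_max_searches=6,
                     max_searches_perc=50, auto_summary_perc=50):
    """Concurrency ceilings from limits.conf ([search] and [scheduler] stanzas)."""
    total = max_searches_per_cpu * cpus + base_max_searches
    scheduled = total * max_searches_perc // 100        # assumption: rounds down
    summaries = scheduled * auto_summary_perc // 100    # share for acceleration/summaries
    return {"total": total, "scheduled": scheduled, "auto_summary": summaries}

def cron_minutes(minute_field):
    """Expand a cron minute field (*, */n, a-b, a-b/n, lists) into a set of minutes."""
    minutes = set()
    for part in minute_field.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            lo, hi = 0, 59
        elif "-" in rng:
            lo, hi = map(int, rng.split("-"))
        else:
            lo = hi = int(rng)
        minutes.update(range(lo, hi + 1, int(step) if step else 1))
    return minutes

def starts_per_minute(schedules):
    """Count how many scheduled searches are dispatched in each minute of the hour."""
    load = Counter()
    for cron in schedules.values():
        load.update(cron_minutes(cron.split()[0]))
    return load

def oversubscribed(schedules, limit):
    """Minutes where more searches start than the scheduler may run at once."""
    return {m: n for m, n in sorted(starts_per_minute(schedules).items()) if n > limit}

def idle_minutes(schedules):
    """Minutes of the hour in which nothing is scheduled to start."""
    return sorted(set(range(60)) - set(starts_per_minute(schedules)))

SAMPLE = {  # constructed sample: hypothetical search names and cron schedules
    "corr_search_1": "*/5 * * * *", "corr_search_2": "*/5 * * * *",
    "corr_search_3": "*/15 * * * *", "corr_search_4": "0 * * * *",
    "lookup_gen_1": "0,30 * * * *", "lookup_gen_2": "*/10 * * * *",
    "summary_gen_1": "5-59/15 * * * *", "summary_gen_2": "3 * * * *",
}

if __name__ == "__main__":
    limit = scheduler_limits(cpus=4)["scheduled"]
    print(limit, oversubscribed(SAMPLE, limit), len(idle_minutes(SAMPLE)))
```

On the sample, the top of the hour exceeds the ceiling while most minutes are unused, which is the case where moving the minute offset of a few schedules removes skips without raising any limit.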
That’s a lot!
Yes it is! But, we can help! With over 500 Splunk engagements globally, Kinney Group’s consultants have the knowledge and experience to make sure your start with Splunk Enterprise Security is solid, smooth, and productive. With Jumpstart Service for Splunk, you can bypass road bumps and start identifying threats.