Splunk Enterprise Security

Enterprise Security, Staging Servers and Splunk v6.4

ChrisChalmers01
Explorer

Currently looking to upgrade from Splunk 6.3.1 to Splunk 6.4. We run a multi-sited Clustered environment with Enterprise Security 4.0.

Before upgrading I'd like to know if we are still required to stage our apps on a staging server before they are deployed to our Search head Cluster?

Information listed in "Installing a Technology Add-ons" under the heading "Distributing add-ons in a search head cluster with Splunk Enterprise 6.4" suggests we may not have to do this anymore.

Is anyone able to verify or have I misinterpreted this?

Thanks in Advance

0 Karma
1 Solution

esix_splunk
Splunk Employee

If you are using a SHC, you will still need to stage the apps, and then deploy them using the deployer to the search head cluster.

ES adds a bit more difficulty into this, as there are some components in ES that are not able to be configured via the SHC, and these need to be configured via the DEV/Staging instance. Things such as modular inputs and threatlists still need to be configured outside of the SHC.

0 Karma

shandman
Path Finder

I thought the threatlists are pulled down by the individual Search Heads within the cluster? (from the internet)

0 Karma

ChrisChalmers01
Explorer

Hi esix, thanks for your reply. Using the Deployer to push the apps to the SHC is fine. I was more hoping from the link attached we no longer had to use a staging server before pushing the apps from the Deployer.

Using a staging server in such a large environment becomes tedious. Would you be able to confirm the following?

  1. Is Staging Server required for every installation/update of Addons? (i.e. if we need to enable a new data collection of TA_Unix, does it have to be published in Staging Server and then pushed to deployer?)
  2. Is there a way to determine which “configuration item” requires Staging Server as mandatory? (or every single update needs to follow Staging Server -> deployer model)

0 Karma

ChrisChalmers01
Explorer

Sorry - I don't have enough Karma to post links in my questions. This may work - vhttp://docs.splunk.com/Documentation/ES/4.1.1/Install/InstallTechnologyAdd-ons

0 Karma