You'll want to read this document very carefully: http://docs.splunk.com/Documentation/ES/3.3.0/Install/AdvancedImp . It details how to implement ES on a Search Head Cluster.
If you haven't installed ES before (usually Professional Services does the install, since there are a lot of moving parts to hook up), you may want to follow maciep's advice and initially set ES up as a Standalone, and then move the SAs, DAs and TAs to the proper parts of your deployment (they all go in different spots), especially since the Deployer and Cluster Master will need to receive the different chunks. This is normally a two- to three-week Professional Services engagement, simply because each element must be carefully configured and tested for all the moving parts to work out of the gate. The extended time is also used for custom creation of Add-Ons using the CIM. In addition, the experience of having installed ES multiple times (sometimes hundreds) helps the PS consultants quickly tackle any sort of wrench thrown into the works.
Configuring ES is a repetitive process. For each data type you will go through this checklist as documented:
1. Normalize the data indexed in Splunk Enterprise to the CIM.
2. Define, then configure Splunk App for Enterprise Security user roles.
3. Collect, process, and import the asset and identities information.
4. Collect, process, and import threat lists, or other sources of security information.
5. Review and enable correlation searches for the security domains that contain data.
6. Customize the Enterprise Security navigation settings.
If you start off in a "test" environment, you'll get some practice with going through the process and may find that midway through, you're ready to start incorporating it into your production environment.
I've been at Splunk for three years (not in PS) ... and truthfully, I wouldn't want to do it myself... and I will stand on my head and sing arias for my customers to support the concept of having PS do the install, because I know that if it were MY ES deployment, I'd have wanted it to be implemented by an expert who has "seen it all".
Just my two cents...
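As an added illustration of step 1 of the checklist above (normalizing indexed data to the CIM), and not code from the post or from Splunk's own add-ons: the fragments below are what a minimal technology add-on (TA) needs so that a vendor authentication log populates the CIM Authentication data model. The sourcetype `myvendor:auth`, the raw field names `source_ip`, `username` and `result`, and the add-on name are assumed for the example; substitute the fields your device actually emits.

```ini
# props.conf  (assumed sourcetype; lives in the TA deployed to the search head tier)
[myvendor:auth]
# Map the vendor's raw field names onto CIM Authentication field names.
FIELDALIAS-cim_src  = source_ip AS src
FIELDALIAS-cim_user = username  AS user
# CIM expects action to be "success" or "failure"; the vendor logs "OK"/"FAIL" (assumed values).
EVAL-action = case(result=="OK", "success", result=="FAIL", "failure", true(), null())
EVAL-app    = "myvendor"

# eventtypes.conf  (assumed event type name)
[myvendor_authentication]
search = sourcetype=myvendor:auth

# tags.conf
# Tagging the event type "authentication" is what makes the Authentication data model
# (and the ES correlation searches built on it) pick these events up.
[eventtype=myvendor_authentication]
authentication = enabled
```

After deploying the TA, verify the mapping before enabling correlation searches: `| datamodel Authentication Authentication search | search sourcetype=myvendor:auth | table _time src user action` should return rows with all three CIM fields populated; if `action` is empty, the `case()` values in the `EVAL` do not match what the device really logs.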