Installation Documentation

Installation and Tested Environments

Video Walk Through of Installing: https://youtu.be/RVUmSsS-81M

In a single-instance deployment

In a distributed deployment

Install the app only on a search head. This app is safe to install in large size clusters, as it will not have an impact on indexers (unless you choose to enable many searches). The app includes many lookups with demo data that shouldn’t be replicated to the indexers, but also includes a distsearch.conf file to prevent that replication, so that you needn’t worry.

In a Search Head Cluster deployment

SSE installs into a SHC like any other SHC app, the only area where there is some minimal risk in a SHC setup is when using the Lookup Cache acceleration technique under the First Time Seen detection with very large lookups (See First Time Seen Detection -> Considerations for implementing the large scale version in this doc). This wouldn’t be used by default, and even when used would be safe for virtually all scenarios as Search Head Clustering has a robust replication mechanism that works well for larger files. The docs below detail that most SSE lookups using this technique would be a few MB in size, and it’s difficult to conceive of a lookup more than 1 GB. I have hunted and the only issue with SHC replication I’ve found was with a 54 GB KV Store, so you should feel very comfortable using SSE including this technique.

After installation

Unless you save or enable searches included with the app, there is no increase in indexed data, searches or others. Because the app includes demo data, the app takes about 250MB of storage on the search head.

Alongside ES

This app does not interfere or impact ES, and can be installed on an ES Search Head (or Search Head Cluster) safely.

Tested Platforms

In addition to the above described scenarios, this app is periodically tested with the following client platforms: * OSX 10.12 (Sierra) - Chrome (Primary) * OSX 10.12 (Sierra) - Safari * OSX 10.12 (Sierra) - Firefox * Windows 10 - Chrome * Windows 10 - Safari * Windows 10 - Firefox

Performance Impact

If you save and enable searches included with the app in your environment, you could see changes in the performance of your Splunk deployment.

As is true for all searches in Splunk, the amount of data that you search affects the search performance you see in your deployment. For example, if you search Windows logs for two desktops, even the most intensive searches in this app add no discernible load to your indexers. If you instead search domain controller logs with hundreds of thousands of users included, you would see additional load.

The searches included with the app are generally scheduled to run once a day, and leverage acceleration and efficient search techniques wherever possible. In addition, the searches have been vetted by performance experts at Splunk to ensure they are as performant as possible. If you are concerned about resource constraints, schedule any searches you save to run during off-peak times.

You can also configure these searches to run against cached or summary index data (see “Large Scale” headers below). If you have a large scale deployment, use the lookup cache for first time seen searches and select the “High Scale / High Cardinality” option for time series analysis searches. See the details for large scale versions of these searches below.