Installation and Tested Environments
Video Walk Through of Installing: https://youtu.be/RVUmSsS-81M
In a single-instance deployment
- If you have internet access from your Splunk server, download and install the app by clicking "Browse More Apps" on the Manage Apps page in the Splunk platform.
- If your Splunk server is not connected to the internet, download the app from Splunkbase and install it using the Manage Apps page in the Splunk platform. Note: If you download the app as a tgz file, Google Chrome may automatically decompress it into a tar file. If that happens to you, use a different browser to download the app file.
In a distributed deployment
Install the app only on a search head. This app is safe to install in large clusters, as it has no impact on indexers (unless you choose to enable many searches). The app includes many lookups with demo data that shouldn't be replicated to the indexers, but it also ships a distsearch.conf file that prevents that replication, so you needn't worry.
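To show how such a replication exclusion works, here is an illustrative distsearch.conf fragment (an added example, not the app's own file). It uses Splunk's [replicationBlacklist] stanza, where each entry is a name mapped to a path pattern relative to $SPLUNK_HOME/etc; the app directory name Splunk_Security_Essentials and the entry name excludeSseLookups are assumptions for this example.

```ini
# Illustrative distsearch.conf on the search head (example only).
# Paths under [replicationBlacklist] are matched relative to $SPLUNK_HOME/etc,
# and "..." matches recursively, so every file in the lookups directory
# of the app (directory name assumed) is left out of the knowledge bundle
# pushed to the indexers.
[replicationBlacklist]
excludeSseLookups = apps/Splunk_Security_Essentials/lookups/...
```

A quick check after deployment is to inspect the size and contents of the most recent bundle in $SPLUNK_HOME/var/run on the search head: the excluded lookup files should be absent, and the bundle size should not grow by the app's demo-data footprint.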
In a Search Head Cluster deployment
SSE installs into a SHC like any other SHC app. The only area of minimal risk in a SHC setup is the Lookup Cache acceleration technique under the First Time Seen detection when used with very large lookups (see First Time Seen Detection -> Considerations for implementing the large scale version in this doc). That technique is not used by default, and even when used it is safe for virtually all scenarios, because Search Head Clustering has a robust replication mechanism that works well for larger files. The docs below show that most SSE lookups using this technique would be a few MB in size, and it is difficult to conceive of a lookup larger than 1 GB. I have hunted, and the only issue with SHC replication I've found was with a 54 GB KV Store, so you should feel very comfortable using SSE, including this technique.
Unless you save or enable searches included with the app, there is no increase in indexed data, scheduled searches, or other resource usage. Because the app includes demo data, it takes about 250MB of storage on the search head.
This app does not interfere with or impact Enterprise Security (ES), and can be safely installed on an ES Search Head (or Search Head Cluster).
In addition to the scenarios described above, this app is periodically tested with the following client platforms:
- OSX 10.12 (Sierra) - Chrome (Primary)
- OSX 10.12 (Sierra) - Safari
- OSX 10.12 (Sierra) - Firefox
- Windows 10 - Chrome
- Windows 10 - Safari
- Windows 10 - Firefox
If you save and enable searches included with the app in your environment, you could see changes in the performance of your Splunk deployment.
As is true for all searches in Splunk, the amount of data you search affects the search performance you see in your deployment. For example, if you search Windows logs from two desktops, even the most intensive searches in this app add no discernible load to your indexers. If you instead search domain controller logs covering hundreds of thousands of users, you will see additional load.
The searches included with the app are generally scheduled to run once a day, and leverage acceleration and efficient search techniques wherever possible. In addition, the searches have been vetted by performance experts at Splunk to ensure they are as performant as possible. If you are concerned about resource constraints, schedule any searches you save to run during off-peak times.
You can also configure these searches to run against cached or summary index data (see “Large Scale” headers below). If you have a large scale deployment, use the lookup cache for first time seen searches and select the “High Scale / High Cardinality” option for time series analysis searches. See the details for large scale versions of these searches below.