Installing Splunk Enterprise Security Essentials
- Review the following compatibility and regional availability matrices:
  - Splunk Enterprise Security with Splunk Enterprise. For more information, see Splunk products version compatibility matrix.
  - Splunk Threat Intelligence Management. For more information, see Threat Intelligence Management (Cloud) compatibility and regional availability.
  - Splunk AI Assistant for Security. For more information, see Splunk AI Assistant for Security compatibility and regional availability.
- Follow these requirements to install Splunk Enterprise Security:
  - Download the Splunk Enterprise Security Essentials app version 8.3 or higher from Splunkbase. For more information, see Download Splunk Enterprise Security.
  - Ensure that you have installed Splunk Platform version 10 or higher. For more information on platform considerations for installing Splunk Enterprise Security, see Splunk Enterprise platform considerations.
  - Plan the mapping of data sources to comply with the Splunk Common Information Model (CIM), collect asset and identity information, optimize the volume, type, and number of data sources based on your overall Splunk platform architecture, and plan the number and placement of forwarders, the estimated load, and the impact on network resources. For more information on data source planning, see Data source planning for Splunk Enterprise Security.
  - Review the minimum software and hardware requirements for a single instance deployment of Splunk Enterprise Security. For more information, see Minimum specifications for a production deployment. If you want to scale your deployment, also review the hardware, indexer, log size, and search head considerations. For more information, see Considerations for scaling deployments.
  - Review additional deployment requirements to install Splunk Enterprise Security in a single instance and distributed search environment. For more information, see Deploy Splunk Enterprise Security in a single instance and distributed search environment.
  - If a deployment server manages any of the apps or add-ons included with Splunk Enterprise Security, remove the deploymentclient.conf file that contains references to the deployment server and restart Splunk services. If you do not do this, the installation won't complete.
  - Your user account must have the admin role and the edit_local_apps capability. The admin role is assigned that capability by default.
  - Approximately 3 GB of free space is required in the /tmp/ directory for the installation or upgrade to complete. When installing or upgrading an app through either the CLI or Splunk Web UI, the /tmp/ directory is used during the process.
  - Optimize the performance of Splunk Enterprise Security prior to deploying the app by reviewing some guidelines and constraints. For more information, see Performance reference for Splunk Enterprise Security.
- Create a backup copy of the pre-upgrade version of Splunk Enterprise Security on your system as a precaution. For more information, see Upgrading Enterprise Security in a search head cluster environment.
- Install Splunk Enterprise Security on a single search head or a search head cluster environment. For more information, see Install Splunk Enterprise Security and see Installing Enterprise Security in a search head cluster environment.
- Download and deploy technology add-ons on the forwarders based on your configuration. For more information, see Deploy technology add-ons to Splunk Enterprise Security.
- Install and configure the Splunk App for Stream on the Splunk Enterprise Security search head to capture and analyze network traffic data. For more information, see Integrate Splunk Stream with Splunk Enterprise Security.
- Configure and deploy custom indexes for event storage. For more information, see Configure and deploy indexes for Splunk Enterprise Security.
- Assign users, roles, and capabilities for Splunk Enterprise Security. For more information, see Users and roles for Splunk Enterprise Security and Capability reference for Splunk Enterprise Security. You can also manage custom roles and capabilities in Splunk Enterprise Security. For more information, see Add custom roles and manage capabilities in Splunk Enterprise Security.
- Configure data models to populate dashboards and views and provide detection results. For more information, see Configure data models for Splunk Enterprise Security.
- Determine if Threat Intelligence Management (Cloud) complies with your organizational standards. For more information, see Determining if Threat Intelligence Management (Cloud) complies with your organization’s standards.
- Get started with Threat Intelligence Management by configuring data source integrations and threat lists. For more information, see Overview of threat intelligence in Splunk Enterprise Security.
- Choose whether you want to opt out of data sharing for the AI Assistant. For more information, see Opt out of data sharing for the AI Assistant in Splunk Enterprise Security.
- Select between Frontier or Splunk-hosted models for the AI Assistant to use based on your organization's compliance requirements. For more information, see Choose which models the AI Assistant uses in Splunk Enterprise Security.
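The pre-install requirements above (platform version 10 or higher, no deploymentclient.conf pointing at a deployment server, about 3 GB free in /tmp) can be checked on the search head before you start. The script below is an added example, not Splunk's own tooling; it assumes SPLUNK_HOME is the platform install directory (default /opt/splunk) and that `splunk version` prints "Splunk <version> (build ...)".

```shell
#!/bin/sh
# Pre-install checks for the Splunk Enterprise Security requirements listed above.
# Added example, not Splunk tooling. Assumes SPLUNK_HOME is the platform install
# (default /opt/splunk) and that "splunk version" prints "Splunk <version> (build ...)".
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
REQUIRED_TMP_KB=$((3 * 1024 * 1024))   # the roughly 3 GB of free /tmp the install needs

# 0 if the major part of a Splunk version string such as "10.0.1" is at least 10
version_ok() {
  major="${1%%.*}"
  [ "$major" -ge 10 ] 2>/dev/null
}

# print each deploymentclient.conf under $1/etc that names a deployment server (targetUri)
deployment_client_refs() {
  find "$1/etc" -name deploymentclient.conf -exec grep -l 'targetUri' '{}' + 2>/dev/null
}

# 0 if no such file exists, so no deployment server manages this instance
no_deployment_client() {
  [ -z "$(deployment_client_refs "$1")" ]
}

# 0 if the given free space in KB meets the /tmp requirement
space_ok_kb() {
  [ "${1:-0}" -ge "$REQUIRED_TMP_KB" ] 2>/dev/null
}

# 0 if the filesystem holding $1 (default /tmp) has enough free space
tmp_space_ok() {
  space_ok_kb "$(df -Pk "${1:-/tmp}" | awk 'NR == 2 { print $4 }')"
}

# run every check, print one line per result, return 1 if any check failed
run_checks() {
  rc=0
  ver=$("$SPLUNK_HOME/bin/splunk" version 2>/dev/null | awk '{ print $2 }')
  if version_ok "$ver"; then echo "ok   platform version $ver"
  else echo "FAIL platform version '${ver:-unknown}', need 10 or higher"; rc=1; fi
  if no_deployment_client "$SPLUNK_HOME"; then echo "ok   no deploymentclient.conf found"
  else echo "FAIL remove these files, then restart Splunk:"; deployment_client_refs "$SPLUNK_HOME"; rc=1; fi
  if tmp_space_ok /tmp; then echo "ok   /tmp has at least 3 GB free"
  else echo "FAIL /tmp needs about 3 GB free"; rc=1; fi
  return $rc
}

# only run the checks when invoked as "sh es_preflight.sh --run"
if [ "${1:-}" = "--run" ]; then run_checks; exit $?; fi
```

Run it as the Splunk service user so that the find over $SPLUNK_HOME/etc can read every app's local directory, since a deploymentclient.conf may live there as well as in etc/system/local.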