Deployment considerations for Splunk Enterprise Security
You can deploy Splunk Enterprise Security on-premises, or on Splunk Cloud Platform, or in a hybrid environment. You can also deploy Splunk Enterprise Security in a single instance or distributed search deployment. Additionally, you can also install Splunk Enterprise Security in a virtualized environment.
Splunk_TA_ForIndexers add-on for every release.
Splunk Enterprise platform considerations
Splunk Enterprise 7.2.0 uses Serialized Result Set (SRS) format by default. The exception is in searches that execute actions, for which we auto-detect whether to use CSV or SRS. This is handled in the alert_actions.conf file, but do not modify the forceCsvResults stanza without a thorough understanding of scripts or processes that access the results files directly. 
A new install_apps capability is introduced in Splunk Enterprise v8. This change affects how the existing Enterprise Security edit_local_apps capability installs and upgrades apps. In ES, enable_install_apps is false by default. If you set enable_install_apps=True and your role does not have both the new install_apps capability and the existing edit_local_apps capability, you cannot install and set up apps. This includes running ES setup and installing other content packs or technology add-ons.
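As an added preflight check (example code, not part of the Splunk documentation or product), the script below reads the JSON that the Splunk REST endpoint /services/authorization/roles/<role>?output_mode=json returns and reports which of the capabilities named above a role is missing before you attempt ES setup. It assumes the `capabilities` and `imported_capabilities` fields carry the role's own and inherited capabilities, and it takes the enable_install_apps value as a plain boolean argument rather than reading it from a configuration file; the role names and capability lists are constructed sample data.

```python
"""Check whether a Splunk role has the capabilities ES app installation needs.

Added example, not Splunk code. Parses a constructed sample shaped like the
output of /services/authorization/roles?output_mode=json (assumed field
names: entry[].name, entry[].content.capabilities,
entry[].content.imported_capabilities).
"""
import json

# Capabilities named in the text: with enable_install_apps=True both the new
# install_apps and the existing edit_local_apps capability are required;
# with the default (false) only edit_local_apps is assumed to be needed.
REQUIRED_WITH_INSTALL_APPS = ("install_apps", "edit_local_apps")
REQUIRED_LEGACY = ("edit_local_apps",)

# Constructed sample response; role names and capability sets are made up.
SAMPLE_ROLES_JSON = json.dumps({
    "entry": [
        {"name": "es_admin",
         "content": {"capabilities": ["edit_local_apps", "edit_roles"],
                     "imported_capabilities": ["search", "install_apps"]}},
        {"name": "es_analyst",
         "content": {"capabilities": ["search"],
                     "imported_capabilities": ["edit_local_apps"]}},
    ]
})


def effective_capabilities(roles_json, role_name):
    """Return the union of a role's own and imported capabilities."""
    doc = json.loads(roles_json)
    for entry in doc.get("entry", []):
        if entry.get("name") == role_name:
            content = entry.get("content", {})
            own = set(content.get("capabilities", []))
            inherited = set(content.get("imported_capabilities", []))
            return own | inherited
    raise KeyError(f"role {role_name!r} not found in response")


def missing_install_capabilities(roles_json, role_name, enable_install_apps):
    """List the capabilities the role lacks for ES setup / app installation."""
    required = REQUIRED_WITH_INSTALL_APPS if enable_install_apps else REQUIRED_LEGACY
    have = effective_capabilities(roles_json, role_name)
    return [cap for cap in required if cap not in have]


if __name__ == "__main__":
    # Report every role under both settings of enable_install_apps.
    for role in ("es_admin", "es_analyst"):
        for flag in (False, True):
            missing = missing_install_capabilities(SAMPLE_ROLES_JSON, role, flag)
            status = "OK" if not missing else f"missing {missing}"
            print(f"{role} enable_install_apps={flag}: {status}")
```

Against a live search head you would replace SAMPLE_ROLES_JSON with the body of an authenticated GET to the roles endpoint; the check logic does not change. Because imported roles contribute capabilities, a role that looks incomplete in the roles UI can still pass once `imported_capabilities` is taken into account, which is why the union is computed rather than the role's own list alone.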
On the standalone search head or search peers and indexers, configure the setting enforce_auto_lookup_order = true in the [lookup] stanza of the limits.conf configuration file so that the lookup names in the props.conf file are looked up in ASCII order by name. 
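Why the lookup order matters: with enforce_auto_lookup_order = true, the LOOKUP-<name> entries of a props.conf stanza are applied in ASCII order of their names, so a lookup that consumes a field produced by another lookup must sort after it, and uppercase letters sort before lowercase. The following script is an added example (not Splunk code) that parses a constructed props.conf stanza with a minimal reader for the `LOOKUP-<name> = <table> <field> [AS <field>] OUTPUT <field> [AS <field>]` shape, lists the entries in the order they would be applied, and flags any lookup whose input field is only produced by a later lookup. The stanza, table names and field names are constructed for the example.

```python
"""Predict automatic lookup order under enforce_auto_lookup_order = true.

Added example, not Splunk code. Assumes LOOKUP-<name> entries in one
props.conf stanza are applied in ASCII order of <name>.
"""
from configparser import ConfigParser

# Constructed props.conf fragment. Two entries are deliberately mis-ordered:
# "Owner" consumes the owner field that "asset" outputs, but uppercase "O"
# sorts before lowercase "a", and "a_geo" consumes the ip field that the
# later "b_host" outputs.
SAMPLE_PROPS = """
[host::*]
LOOKUP-zone = site_to_zone site OUTPUT zone
LOOKUP-asset = asset_lookup host OUTPUT site owner
LOOKUP-Owner = owner_lookup owner OUTPUT dept
LOOKUP-a_geo = geo_lookup src_ip AS ip OUTPUT country
LOOKUP-b_host = host_lookup host OUTPUT ip
"""


def parse_lookup_spec(spec):
    """Return (table, input event fields, output event fields) for one spec.

    With `lookup_field AS event_field`, the event-side name is what matters
    for ordering, so the alias is recorded when present.
    """
    tokens = spec.split()
    table, rest = tokens[0], tokens[1:]
    inputs, outputs = [], []
    target = inputs
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok.upper() in ("OUTPUT", "OUTPUTNEW"):
            target = outputs
            i += 1
            continue
        field = tok
        if i + 2 < len(rest) and rest[i + 1].upper() == "AS":
            field = rest[i + 2]
            i += 3
        else:
            i += 1
        target.append(field)
    return table, inputs, outputs


def lookup_order(props_text):
    """Map each stanza to its LOOKUP- entries sorted as Splunk would apply them."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case: ASCII ordering depends on it
    cp.read_string(props_text)
    result = {}
    for stanza in cp.sections():
        entries = []
        for key, value in cp.items(stanza):
            if key.startswith("LOOKUP-"):
                table, inputs, outputs = parse_lookup_spec(value)
                entries.append((key[len("LOOKUP-"):], table, inputs, outputs))
        # Python sorts str by code point, which equals ASCII order here.
        result[stanza] = sorted(entries, key=lambda e: e[0])
    return result


def check_dependencies(ordered):
    """Flag (lookup, field, producers) where field is produced only later."""
    all_outputs = {}
    for name, _, _, outputs in ordered:
        for f in outputs:
            all_outputs.setdefault(f, []).append(name)
    produced, problems = set(), []
    for name, _, inputs, outputs in ordered:
        for f in inputs:
            if f in all_outputs and f not in produced:
                problems.append((name, f, all_outputs[f]))
        produced.update(outputs)
    return problems


if __name__ == "__main__":
    for stanza, ordered in lookup_order(SAMPLE_PROPS).items():
        print(f"[{stanza}] apply order:", [e[0] for e in ordered])
        for name, field, producers in check_dependencies(ordered):
            print(f"  LOOKUP-{name} needs '{field}' produced later by {producers}")
```

Renaming the offending entries so that they sort after their producers (for example a lowercase name for the owner lookup, and a name that sorts after b_host for the geo lookup) makes the checker return an empty list, which is the condition to aim for before enabling the setting on the search head and indexers.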
Deploy Splunk Enterprise Security on the Splunk Cloud Platform
Review the following information to deploy Splunk Enterprise Security on Splunk Cloud Platform:
Splunk Enterprise Security is available as a service on the Splunk Cloud Platform. The Splunk Cloud Platform deployment architecture varies based on data and search load. Splunk Cloud Platform customers work with Splunk Support to set up, manage, and maintain their cloud infrastructure.
Deploy Splunk Enterprise Security in a hybrid environment
Review the following information to deploy Splunk Enterprise Security in a hybrid environment:
A hybrid search configuration with Splunk Enterprise Security is not supported with Splunk Cloud Platform. To set up a hybrid environment, set up an on-premises Splunk Enterprise Security search head to search indexers in another cloud environment. Any hybrid search deployment configuration must account for added latency, bandwidth concerns, and include adequate hardware to support the search load.
Deploy Splunk Enterprise Security in a single instance and distributed search environment
Available deployment architectures to install Splunk Enterprise Security include a single instance deployment or a distributed search deployment.
Before you deploy Splunk Enterprise Security on premises, familiarize yourself with the components of a Splunk platform deployment.
Review the following performance considerations for a single search head or a distributed search deployment before installing Enterprise Security:
| Deployment type | Single-instance deployment | Distributed search deployment | 
|---|---|---|
| Preferred | No. Usually used for a lab or test environment, or as a small system with one or two users running concurrent searches. | Yes | 
| Search head requirements | A single platform instance functions as both a search head and indexer. | Install Splunk Enterprise Security on a dedicated search head or search head cluster | 
| Indexer requirements | A single platform instance functions as both a search head and indexer. | To improve search performance, use an indexer cluster to distribute the search workload across multiple nodes. For a distributed search deployment, and for search head clustering, configure the search head to forward all data to the indexers. See Forward search head data to the indexer layer in the Distributed Search manual. | 
| Data flow | Forwarders collect your data and send it to the single instance for parsing, storing, and searching. | Forwarders collect your data and send it to the indexers. | 
| Supported operating system | Splunk Enterprise Security is supported on both Linux and Windows on a standalone search head. | Splunk Enterprise Security only supports Linux search head clusters, not Windows search head clusters. For more information on key requirements, see System requirements and other deployment considerations for indexer clusters. | 
A dedicated search head might be required depending on the capacity of your specific environment, the workload of the apps you're already running, and your Enterprise Security workload.
Deploy Splunk Enterprise Security in virtualized environments
If you install Splunk Enterprise Security in a virtualized environment, you need the same memory and CPU allocation as in a non-virtualized, bare-metal environment.
Consider the following guidelines to deploy Splunk Enterprise Security in a virtualized environment:
- Reserve all CPU and memory resources.
- Do not oversubscribe hardware.
- Test the storage IOPS across all Splunk platform indexer nodes simultaneously to ensure that the IOPS match the reference hardware specification used in your environment. See Reference Hardware in the Capacity Planning Manual.
- Use thick provisioned storage. Thin provisioning storage might impact performance.
- Hyper-threaded cores are not treated as extra cores. If you're running VMs on machines with hyper-threading enabled, you must double the vCPU count. For example, use 32 vCPUs instead of 16 physical cores.
See also
For more information on Splunk Enterprise deployments, see the product documentation:
- limits.conf configuration file in the Splunk Enterprise Administrator Manual.
- Splunk Cloud Platform deployment types in the Splunk Cloud Platform Admin Manual.
- Components of a Splunk Enterprise deployment in the Capacity Planning Manual.
- Introduction to capacity planning for Splunk Enterprise in the Splunk Enterprise Capacity Planning Manual.