In nearly all cases, run Splunk Enterprise deployments inside of a trusted network, in accordance with the security policy of your organization.

• If you must expose your Splunk Enterprise deployment to the internet, consider deploying multiple redundant instances behind a web application firewall or load balancer
• Limit external access through a VPN
• Institute protections against distributed denial-of-service (DDoS) attacks and use services like rate limiting to reduce the number of requests that reach the deployment

If Splunk Enterprise runs inside a trusted network, and you have provided network infrastructure to shield the deployment from potentially malicious outside actors, you can ensure the instance runs stably and as you expect by providing the environment with the computing infrastructure it needs to perform the workload that your organization requires. This includes, but is not limited to the following:

• Configuring concurrent ad-hoc and real-time search limits. You can perform this limitation by role. See Specify search restrictions for a role.
• Configuring workload management (WLM). See Enable workload management.
• Configuring memory usage limits for Splunk Enterprise. See Limit search process memory usage and the limits.conf configuration specification.

The Capacity Planning Manual has information on how Splunk Enterprise works with various reference computing hardware architectures and provides information on best practice for scaling the environment based on your specific workload needs.

• See Reference hardware for information on the baseline hardware that is available for scoping and scaling Splunk Enterprise deployments.
• See Summary of performance recommendations for information on scaling that hardware to meet specific workloads.