Install the Splunk Add-on for Cisco ASA
This topic provides an overview of installing your add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in.
Where to install this add-on
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of the Splunk platform.
| Splunk platform instance type | Supported | Required | Actions required / Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | Install this add-on to all search heads where Cisco ASA knowledge management is required. |
| Indexers | Yes | Conditional | Not required if you use heavy forwarders to collect data. Required if you use universal or light forwarders to collect data. |
| Heavy Forwarders | Yes | See comments | This add-on supports forwarders of any type for data collection. |
| Universal Forwarders | Yes | See comments | This add-on supports forwarders of any type for data collection. |
Distributed deployment feature compatibility
This table describes the compatibility of this add-on with Splunk distributed deployment features.
| Distributed deployment feature | Supported | Actions required |
|---|---|---|
| Search Head Clusters | Yes | You can install this add-on on a search head cluster for all search-time functionality, but you must configure inputs on forwarders to avoid duplicate data collection. Before installing this add-on to a cluster, make the following changes to the add-on package: 1. Remove the eventgen.conf files and all files in the samples folder. 2. Remove the inputs.conf file. |
| Indexer Clusters | Yes | Before installing this add-on to a cluster, make the following changes to the add-on package: 1. Remove the eventgen.conf files and all files in the samples folder. 2. Remove the inputs.conf file. |
| Deployment Server | Yes | Supported for deploying the configured add-on to multiple nodes. |
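
The two package changes listed above for search head clusters and indexer clusters, as an added shell example that is not part of the original documentation. It assumes the add-on package is already extracted to a directory with a default/ folder and that the samples folder sits at the top level of that directory; both function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation).
# Assumption: the add-on package has been extracted to the directory passed in.

# count_cluster_unsafe_files DIR  (hypothetical helper)
# Prints how many files remain that the cluster instructions say to remove.
count_cluster_unsafe_files() {
    {
        find "$1" -type f \( -name eventgen.conf -o -name inputs.conf \)
        # Assumption: the samples folder is at the top level of the package.
        if [ -d "$1/samples" ]; then
            find "$1/samples" -type f
        fi
    } | wc -l | tr -d ' '
}

# prepare_addon_for_cluster DIR  (hypothetical helper)
# Removes eventgen.conf files, all files in the samples folder, and
# inputs.conf files, printing each removed path. Returns 2 on bad input and
# non-zero if any of those files are still present afterwards.
prepare_addon_for_cluster() {
    app_dir=$1
    if [ -z "$app_dir" ] || [ ! -d "$app_dir" ]; then
        echo "usage: prepare_addon_for_cluster <unpacked-add-on-dir>" >&2
        return 2
    fi
    # Guard against pointing at the wrong directory: an unpacked add-on is
    # assumed to contain a default/ folder.
    if [ ! -d "$app_dir/default" ]; then
        echo "error: $app_dir has no default/ directory" >&2
        return 2
    fi

    # Step 1: remove the eventgen.conf files and all files in the samples folder.
    find "$app_dir" -type f -name eventgen.conf -print -exec rm -f {} +
    if [ -d "$app_dir/samples" ]; then
        find "$app_dir/samples" -type f -print -exec rm -f {} +
    fi

    # Step 2: remove the inputs.conf file so cluster members collect no data.
    find "$app_dir" -type f -name inputs.conf -print -exec rm -f {} +

    # Confirm nothing was missed before the package goes to the cluster.
    [ "$(count_cluster_unsafe_files "$app_dir")" -eq 0 ]
}
```

Run it against a copy of the extracted package, because the removals are not reversible.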
| If the add-on contains: | Dashboards or panels | Search objects | Props and transforms | Inputs |
|---|---|---|---|---|
| It must be installed on search heads | Yes | Yes | Yes | No, except special cases |
| It must be installed on indexers | No | No | Yes | No |
| It must be installed on forwarders | No | No | Yes | No |
For more information about how Splunk Enterprise components correlate to phases in the data pipeline, see “Configuration parameters and the data pipeline” in the Splunk Administration Guide.
Summary of limitations
| | Can install manually on search heads | Can install manually on indexers | Can install manually on forwarders | Can install with a deployment server on indexers | Can install with a deployment server on forwarders | Can install on a Search Head Cluster |
|---|---|---|---|---|---|---|
| Add-on collects remote data using modular or scripted input | Yes | Yes | Yes | Yes | No | See notes* |
| Add-on uses credential management | Yes | Yes | Yes | Yes | No | See notes* |
* You can install add-ons on a search head cluster for all search-time functionality, but inputs should be configured on a forwarder to avoid duplicate data collection.
** Add-ons that use credential management can be installed on a search head cluster only in one of these circumstances:
- You are using Splunk platform 6.3.X or later.
- You are using Splunk platform 6.2.X, and the credentials are not required on the search heads. If credentials are required only for data collection, set up a forwarder to handle the inputs and configure the credentials on that node. Some add-ons do require the search heads to communicate directly with a third-party system using stored credentials. These add-ons are not supported on search head clusters in 6.2.X.