Install the Splunk Add-on for Cisco WSA¶
Use the tables below to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise. See the installation walkthrough section at the bottom of this page for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.
Distributed installation of this add-on¶
This table provides a quick reference for installing this add-on to a distributed deployment of Splunk Enterprise.
| Splunk instance type | Supported | Required | Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | Install this add-on to all search heads where Cisco WSA knowledge management is required. |
| Indexers | Yes | Conditional | Not required if you use heavy forwarders to monitor Cisco WSA logs. Required if you use universal forwarders to monitor Cisco WSA logs. |
| Heavy Forwarders | Yes | No | If installed on heavy forwarders, it does not need to be installed on indexers. |
| Universal Forwarders | Yes | No | You must also install this add-on on your indexers if you use a universal forwarder rather than a heavy forwarder to monitor Cisco WSA logs. |
Distributed deployment compatibility¶
This table provides a quick reference for the compatibility of this add-on with Splunk distributed deployment features.
Distributed deployment feature |
Supported |
Comments |
|---|---|---|
Search Head Clusters |
Yes |
You can install this add-on on a search head cluster for all
search-time functionality, but only configure inputs on a forwarder to
avoid duplicate data collection. |
Indexer Clusters |
Yes |
Before installing this add-on to a cluster, make the following
changes to the add-on package: |
Deployment Server |
Yes |
Supported for deploying the configured add-on. |
Installation walkthrough¶
See “Installing add-ons” in Splunk Add-Ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios: