Hardware and software requirements for the Splunk Add-on for CrowdStrike FDR
The modular input for Splunk Add-on for CrowdStrike FDR must be installed on a heavy forwarder, Inputs Data Manager (IDM), or search head. This lets you collect data and push it to a Splunk index.
For Splunk Enterprise Victoria, modular inputs are installed and run on the search heads. By default, these modular inputs are configured with run_only_one = false, which tells the Victoria stack to run each created input on every search head host of the cluster.
Splunk platform requirements
Because this add-on runs on the Splunk platform, the system requirements of the Splunk software on which you install the Splunk Add-on for CrowdStrike FDR also apply.

* For Splunk Enterprise system requirements, see System Requirements in the Splunk Enterprise Installation Manual.
* If you are managing on-premises forwarders to get data into Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual, which includes information about forwarders.
* If you are using an IDM, see Install an add-on in Splunk Cloud.