Architecture
The Illumio App for Splunk integrates Splunk with the Illumio Policy Compute Engine (PCE). Using the app, you can conveniently access PCE data through Splunk, and gain security and operational insights into your Illumio-secured data center.
The Technology Add-On for Illumio (TA-Illumio) performs data collection, data normalization, and data visualization using data that comes from the Illumio Policy Compute Engine (PCE) through REST API calls and syslog.
The diagrams in the following topics show a typical data collection architecture from PCE to Splunk in distributed and standalone environments.
Splunk Distributed Environment
For information about how to install each component in a Splunk distributed environment, see Application of TA-Illumio to Splunk Components.
If you use Splunk Universal Forwarder on a dedicated data collection node, see “Using Splunk Universal Forwarder.
Splunk Standalone Environment
In a standalone environment, the PCE forwards data directly to the Splunk instance. The Splunk Heavy Forwarder is not involved.
