Integrations

On the heavy forwarder, which is a Splunk Enterprise instance, TA-Illumio is used for data collection. TA-Illumio is required because the Illumio App for Splunk depends on both API and syslog data from Illumio. TA-Illumio provides both.

To make TA-Illumio data collection work, you must configure Data Input (modular input) as described in the Installation topics in this guide.

Depending on the Splunk deployment, the heavy forwarder might not be a separate component. It can be deployed on the same node as the indexer or search head.

TA-Illumio has a special purpose on the indexer. The PCE might send invalid JSON data that does not need to be indexed. TA-Illumio filters out invalid JSON events. If invalid JSON events are not a concern, TA-Illumio does not need to be installed on the indexer. On the Splunk indexer, you can manually create the index in which the data is stored.

TA-Illumio is used with the Splunk search haed to extract time fields, which the Illumio App for Splunk then uses in dashboard visualizations.