About the Illumio Splunk Integration
The Illumio Splunk integration contains two parts:
- The Illumio Technology Add-On, or TA, which performs metadata collection and event parsing.
- The Illumio App for Splunk, which provides dashboards and reports to display important data from the Illumio PCE.
Install the TA on each tier of a distributed Splunk deployment, but install the app only on the search head or search head cluster:
| Component | Forwarder | Indexer | Search Head |
|---|---|---|---|
| Illumio Technology Add-On for Splunk | Yes (Heavy Forwarder only) - data collection and modular input | Yes - index-time filtering and transforms | Yes - search-time field extractions and transforms |
| Illumio App for Splunk | No | No | Yes |
Specific recommendations for the configuration and topology of a distributed Splunk environment are outside the scope of this document. See the documentation on Splunk Validated Architectures for suggestions on topology for distributed deployments.
Supported Splunk Versions
- v4.0.2: Splunk 9.3, 9.2, 9.1, 9.0, 8.1 + PCE 21.5, 22.2, 22.5, 23.2, 23.5, and SaaS
- v4.0.1: Splunk 9.1, 9.0, 8.2, 8.1 + PCE 21.5, 22.2, 22.5, 23.2, and SaaS
Important
Version 4.0.2 consists of TA-Illumio version 4.0.2 and Illumio App for Splunk version 4.0.1.
Splunk Common Information Model (CIM) versions 4.x and 5.x are supported.