Configure the Search Head for Splunk Enterprise
Important
This procedure is applicable to Illumio Technology Add-On for Splunk version 4.0.2.
While you configure modular input on Splunk Enterprise, ensure that the following section is configured according to your environment.
After you enter the data, save it. The search head credentials are saved in the storage/passwords endpoint.
To ensure that the credentials have been saved, invoke the following URL:
https://<splunk_url>:8089/servicesNS/nobody/TA-Illumio/storage/passwords?output_mode=json&search=kvstore://
Note that the username and password are saved with 'kvstore//' as the prefix.
Ensure that the search head credentials are configured as follows:
Configure the username as username@fqdn_search_head. An example would be [email protected], where splunk is the username to log into splunkindsearch.ilabs.io.
Enter the password, and click Add search credentials to add more search head entries.
This ensures that kvstore files are copied over to all search heads that you configured previously after the modular input runs.
Whenever the modular input runs, an API call is made to the PCE, responses are stored in kvstores, and data is copied over to search head nodes as configured in the modular input.