Skip to main content

Integrations

Install the Illumio Splunk Apps

You can install the Illumio Splunk integration apps in either a distributed or a standalone Splunk environment.

Note

Recommendations for the configuration and topology of a distributed Splunk environment are outside of the scope of this document. See About Splunk Validated Architectures for suggestions on topology for distributed deployments.

Install the Illumio Splunk Apps in a Distributed Environment

For a distributed environment, install the TA to a Splunk Heavy Forwarder, as well as the indexer/indexer cluster and search head/search head cluster. Configure the Illumio modular input to run on the Heavy Forwarder. You need to install on the search head tiers if you want to use index-time and search-time transforms in the app.

Note

You only need to install the Illumio App for Splunk on the search tier.

Note

You cannot install the Illumio Technology Add-On for Splunk on a Universal Forwarder.

Install the Illumio Technology Add-On for Splunk in a Standalone Environment

The following procedures describe how to install the TA through the Splunk UI and manually.

Use the following procedure to install the TA through the Splunk UI.

  1. In the Splunk UI, navigate to the Manage Apps page using the Apps drop-down in the top-left corner or by clicking the gear icon next to Apps on the Splunk homepage.

  2. Click Browse More Apps, and search for TA-Illumio.

  3. Click Install.

  4. Enter your Splunk login credentials when prompted, and then click Agree and Install.

  5. When prompted, restart Splunk.

Use the following procedure to install the TA manually:

  1. Navigate to the Illumio-TA app in Splunkbase.

  2. Log in using your Splunk credentials.

  3. Click Download.

  4. Read through and accept the EULA and Terms and Conditions, and then click Agree to Download.

  5. Transfer the downloaded .tgz or .spl file to the Splunk server.

  6. Install the app manually:

    Using the Splunk binary:

    $SPLUNK_HOME/bin/splunk install app /path/to/TA-Illumio.spl

    Or by extracting directly under /apps:

    tar zxf /path/to/TA-Illumio.spl -C $SPLUNK_HOME/etc/apps/

  7. Restart Splunk.