Install the Illumio App for Splunk and Illumio Technology Add-On for Splunk
The following topics describe the installation prerequisites and how to install the app in different types of Splunk environments.
Installation Prerequisites
The SPLUNK_HOME environment variable must be set to the Splunk directory.
Splunk Enterprise 7.3.x, 8.0.x, 8.1.x, or 8.2.x must be installed.
You must have installed the Illumio PCE. For compatible PCE versions, see Compatibility Matrix.
Splunk Single-Server Deployment
In a single server deployment, a single instance of Splunk Enterprise works as a data collection node, indexer, and search head. In such scenarios, install both TA-Illumio and Illumio App for Splunk applications on this node. Then complete the setup of TA-Illumio to start data collection.
Splunk Distributed Deployment
In a distributed deployment, install Splunk Enterprise on at least two instances. One node works as the search head, and the other node works as the indexer and data collection node. In a Splunk distributed deployment, the data collection node and indexer are deployed on separate servers. In this environment, install the Illumio App for Splunk application on each search head node and TA-Illumio on each indexer/forwarder and search head node.
Install the Illumio Technology Add-On for Splunk
This section describes how to install TA-Illumio.
How TA-Illumio Works with Splunk Components
This topic describes how TA-Illumio works with various Splunk components.
Splunk Heavy Forwarder
On the heavy forwarder, which is a Splunk Enterprise instance, TA-Illumio is used for data collection. TA-Illumio is required because the Illumio App for Splunk depends on both API and syslog data from Illumio. TA-Illumio provides both.
To make TA-Illumio data collection work, you must configure Data Input (modular input) as described in the Installation topics in this guide.
Depending on the Splunk deployment, the heavy forwarder might not be a separate component. It can be deployed on the same node as the indexer or search head.
Splunk Indexer
TA-Illumio has a special purpose on the indexer. The PCE might send invalid JSON data that does not need to be indexed. TA-Illumio filters out invalid JSON events. If invalid JSON events are not a concern, TA-Illumio does not need to be installed on the indexer. On the Splunk indexer, you can manually create the index in which the data is stored.
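The invalid-JSON filtering described above, shown as an added Python example; this is not TA-Illumio's own code (the TA's actual props/transforms rules are not reproduced here). The sample syslog lines are constructed, and the assumed event layout (a syslog header followed by a JSON body) is an assumption about the PCE's syslog format.

```python
"""Drop PCE events whose payload is not valid JSON before they reach the index.
Added example approximating the filtering the text describes; not TA-Illumio code."""
import json

# Constructed sample: syslog-style lines as a PCE might emit, JSON body after the header.
SAMPLE_EVENTS = [
    'Jan 10 12:00:01 pce1 illumio_pce/collector[123]: {"event_type":"traffic","src_ip":"10.0.0.5"}',
    # Truncated JSON (missing closing brace): must be dropped, not indexed.
    'Jan 10 12:00:02 pce1 illumio_pce/collector[123]: {"event_type":"traffic","src_ip":"10.0.0.6"',
    # No JSON body at all.
    'Jan 10 12:00:03 pce1 illumio_pce/agent[77]: health check ok',
    'Jan 10 12:00:04 pce1 illumio_pce/collector[123]: {"event_type":"audit","action":"login","status":"success"}',
]


def extract_json(line):
    """Return the parsed JSON object from a raw event line, or None if the line
    carries no JSON body or the body does not parse as a JSON object."""
    start = line.find("{")
    if start == -1:
        return None
    try:
        obj = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    # The PCE event body is an object; anything else is treated as invalid.
    return obj if isinstance(obj, dict) else None


def filter_valid_json(lines):
    """Split raw lines into (kept, dropped): kept lines carry a valid JSON object."""
    kept, dropped = [], []
    for line in lines:
        if extract_json(line) is None:
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_valid_json(SAMPLE_EVENTS)
    print(f"kept {len(kept)} events, dropped {len(dropped)} invalid events")
    for line in dropped:
        print("  dropped:", line)
```

In a real Splunk deployment this kind of drop happens in the parsing pipeline (typically a transforms.conf rule routing matching events to nullQueue), which runs on indexers and heavy forwarders but not on a universal forwarder or search head; that is why the TA's filtering only takes effect when the TA is installed on the indexer.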
Splunk Search Head
TA-Illumio is used with the Splunk search head to extract time fields, which the Illumio App for Splunk then uses in dashboard visualizations.
Install the Illumio App for Splunk in a Distributed Environment
The following table describes the apps to deploy when installing within a Splunk distributed environment.
App Name | Search Head | Indexer | Heavy Forwarder/Data Collection Node |
---|---|---|---|
Data Input (also known as Modular Input or REST Modular Input) | Configure data input with API keys and data collection disabled (not checked) | Configure data input with API keys and data collection disabled (not checked) | Configure data input with API keys and data collection enabled |
Illumio App for Splunk | Yes | Not applicable | Not applicable |
Illumio Technology Add-On for Splunk | Yes | Optional (if you want invalid JSON filtered) | Yes |
The deployment procedure varies depending on whether you are using Heavy Forwarder or Splunk Universal Forwarder.
Use Splunk Heavy Forwarder
In a distributed environment with Splunk Heavy Forwarder:
On the search head, install the Illumio App for Splunk and the Illumio Technology Add-On for Splunk.
On the Splunk Heavy Forwarder, install the Illumio Technology Add-On for Splunk.
Use Splunk Universal Forwarder
In a distributed environment with Splunk Universal Forwarder:
Set up a data collection node with Splunk Universal Forwarder.
Configure the PCE to forward data from all nodes to the Splunk Universal Forwarder.
Configure the Splunk Universal Forwarder to send the data to Splunk Indexer or Splunk Heavy Forwarder.
Use the following procedure:
Configure the Splunk Universal Forwarder to collect data from the Illumio PCE:
Create a TCP stanza in the $SPLUNK_HOME/etc/system/local/inputs.conf file:
[tcp://<PORT>]
index=<INDEX-NAME>
sourcetype=illumio:pce
Configure the Splunk Universal Forwarder to send the data to the Splunk Indexer. Execute the following command on the Splunk Universal Forwarder (for <IP>:<PORT>, fill in the Splunk Indexer IP and listening port):
$SPLUNK_HOME/bin/splunk add forwardserver <IP>:<PORT>
Configure the Splunk Indexer to receive data from the Splunk Universal Forwarder. Create the following stanza in the $SPLUNK_HOME/etc/system/local/inputs.conf file:
[splunktcp://<PORT>]
In a distributed environment:
If you have a separate data-collection node, be sure that it is running a full Splunk Enterprise version.
Complete the Data Input configuration on the data-collection node (Heavy Forwarder) with API keys and data collection enabled.
On all other nodes, configure the data input with the API keys and data collection disabled.
In setups where a non-default index is used, you may need to configure the Illumio_get_index search macro with the "index=Illumio" definition. See Splunk Index, Source, and Source Types.
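The Universal Forwarder procedure above and the Illumio_get_index macro note, carried through as an added Python example that renders the stanzas and checks an existing inputs.conf for the expected entries. This is not code from the Illumio App for Splunk or TA-Illumio; the port, index and IP values are constructed placeholders, and parsing inputs.conf as an INI-style file with a single "=" delimiter is an assumption that holds for the simple stanzas shown here.

```python
"""Render and sanity-check the Splunk .conf stanzas used in the Universal
Forwarder procedure. Added example; not Illumio's or Splunk's own code."""
import configparser
import ipaddress


def _check_port(port):
    """Accept only a valid TCP port number."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def uf_inputs_stanza(port, index_name, sourcetype="illumio:pce"):
    """[tcp://<PORT>] stanza for the UF that receives PCE syslog."""
    port = _check_port(port)
    if not index_name.strip():
        raise ValueError("index name must not be empty")
    return f"[tcp://{port}]\nindex = {index_name}\nsourcetype = {sourcetype}\n"


def indexer_receiving_stanza(port):
    """[splunktcp://<PORT>] stanza for the indexer that accepts forwarded data."""
    return f"[splunktcp://{_check_port(port)}]\n"


def forwardserver_command(ip, port):
    """The 'splunk add forwardserver' command to run on the UF."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return f"$SPLUNK_HOME/bin/splunk add forwardserver {ip}:{_check_port(port)}"


def illumio_get_index_macro(index_name="Illumio"):
    """macros.conf stanza overriding the Illumio_get_index search macro for a
    non-default index (the page's example definition is index=Illumio)."""
    return f"[Illumio_get_index]\ndefinition = index={index_name}\n"


def check_inputs_conf(text, role):
    """Return a list of problems found in an inputs.conf body for the given role
    ('uf' or 'indexer'); an empty list means the expected stanza is present."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    problems = []
    if role == "uf":
        tcp = [s for s in cp.sections() if s.startswith("tcp://")]
        if not tcp:
            problems.append("missing [tcp://<PORT>] stanza")
        for s in tcp:
            if cp.get(s, "sourcetype", fallback=None) != "illumio:pce":
                problems.append(f"{s}: sourcetype should be illumio:pce")
            if not cp.get(s, "index", fallback=None):
                problems.append(f"{s}: index not set")
    elif role == "indexer":
        if not any(s.startswith("splunktcp://") for s in cp.sections()):
            problems.append("missing [splunktcp://<PORT>] stanza")
    else:
        raise ValueError(f"unknown role: {role}")
    return problems


if __name__ == "__main__":
    # Constructed values: UF listens on 9514 for PCE syslog, indexer on 9997.
    uf = uf_inputs_stanza(9514, "illumio")
    print(uf, "problems:", check_inputs_conf(uf, "uf"))
    print(indexer_receiving_stanza(9997), "problems:",
          check_inputs_conf(indexer_receiving_stanza(9997), "indexer"))
    print(forwardserver_command("10.1.2.3", 9997))
    print(illumio_get_index_macro("illumio"))
```

Running the checker against the files actually deployed on each node before enabling data collection catches the two mistakes this procedure is most prone to: a tcp stanza without the illumio:pce sourcetype (the TA's field extractions then never apply) and an indexer with no splunktcp receiving stanza (the forwarder connects but nothing is indexed).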
Deploy to a Splunk Cloud Instance
In Splunk Cloud, data indexing takes place in a cloud instance. Data collection can take place in an on-premises Splunk instance in your environment that works as a heavy forwarder.
Install from the Splunk UI or the Command Line
You can install the Illumio App for Splunk and Illumio Technology Add-On for Splunk either from the Splunk UI or through the command line.
Use these commands for a fresh installation. If you are upgrading from a previous version, see Upgrade the App.
To install from the UI:
Log into Splunk, navigate to App > Manage Apps and click Install app from a file.
Choose the SPL file to install and click Upload the SPL.
To install from the command line:
Navigate to the $SPLUNK_HOME/bin folder and execute the following commands, substituting the rest of the actual file name for the XXs:
./splunk install app TA-Illumio-XX-XXXX-XX.spl
./splunk install app IllumioAppForSplunk-XX-XXXX-XX.spl