jamf PRO - Splunk installation

ThadMcCall
New Contributor

The docs for this are lacking a lot. They seem to be written for single-instance Splunk, which is not the usual. Please provide instructions for installing in a distributed Splunk environment. Where does the add-on get installed? Search Head, Heavy Forwarder, Indexers, a mix of them (many are mixed)?


NorDak
New Contributor

Good Morning,
App Developer here.

You are right on a few ends here based on the complexity of the integration. This is an Add-On and not a full application; the entire thing it does is take a set of responses from our API and break it up into XML or JSON objects so that you can interact with it using SPL. This was designed, built, and maintained using the Splunk-provided Add-On Manager, and we keep it up to date with that platform, which makes cloud certification generally pretty easy.

As per deployment, if you are a Splunk Cloud Customer (the primary target here), Splunk should have provided an instance called an Inputs Manager, which is a fancy term for a heavy forwarder. So my suggestion is running either there or on a self-hosted heavy forwarder.

Outside of this application we have the same exact code available as a self-hosted script or AWS Lambda that allows you to run outside of Splunk and post to a HEC endpoint. We may expand on this in the future to provide this as a service for our own cloud premium customers or those with specific licensing... I will have more on that around the JNUC time period.

Lastly, if you would like to set up a call to talk about this and some of the options on deployment, contact your Jamf Customer Success and they will book some time with me. This integration is Jamf Supported at the moment.

We made what we thought was a very reasonable minimal integration and are totally open to improvements and suggestions from people who understand the vast ecosystem of Splunk.

ThadMcCall
New Contributor

Thanks for the reply but this doesn't address my question.

We have an on-prem distributed Splunk environment. Which instances should this be installed on? Does it get installed and configured on a HF, and also installed in a search head cluster without configuration?