Deployment & Upgrades¶
Deployment matrix¶
| Splunk roles | required |
|---|---|
| Search head | yes |
| Indexer tiers | no |
If Splunk search heads are running in Search Head Cluster (SHC), the Splunk application must be deployed by the SHC deployer.
Dependencies¶
There are currently no dependencies for the application.
However, if you deploy the Splunk_SA_CIM package, make sure you have declared the cim_modactions index as the Add-on logs would automatically be directed to this index is the SA CIM application is installed on the search heads.
If the Splunk_SA_CIM is not installed, the Add-on logs will be generated in the _internal index. (This is a normal behaviour for Add-on developped with the Splunk Add-on builder that provide adaptive response capabilities)
Initial deployment¶
The deployment of the Splunk application is very straight forward:
- Using the application manager in Splunk Web (Settings / Manages apps)
- Extracting the content of the tgz archive in the “apps” directory of Splunk
- For SHC configurations (Search Head Cluster), extract the tgz content in the SHC deployer and publish the SHC bundle
Upgrades¶
Upgrading the Splunk application is pretty much the same operation than the initial deployment.