Atlas Dedicated Deployment Instructions
Installation Overview
Atlas will be installed on a dedicated Search Head deployed in your local on-premises environment, separate from the Splunk installation that Splunk users interact with. This Search Head will be referred to as the “Atlas Dedicated Search Head” throughout this document. The production Splunk environment that the Atlas Dedicated Search Head is connecting to will be referred to as the "Remote Splunk Environment".
If your Splunk deployment includes a Splunk Cloud environment, the Atlas installation process requires additional steps. Please refer to the installation instructions in Platform Installation (Splunk Cloud) instead of this document.
The Atlas Dedicated Search Head Deployment Guidelines
- Can be a clustered or non clustered Search Head or an all-in-one (AIO) Splunk deployment
- Must be able to connect to the Remote Splunk Environment over the internet or local network
- Meet the Installation Prerequisites
Feature Restrictions Specific to Deployment
Due to deployment architecture, the ability to modify searches on the target environment requires the set up of Atlas Targets.
Atlas Installation
This guide will outline the steps required to install the Atlas Platform on your on-premises Atlas Search Head. Getting Atlas up and running will take under two hours. The Atlas Platform comes paired with Expertise on Demand (EoD), and you are encouraged to reach out to EoD for Atlas installation support should you need help.
Configure the Atlas Search Head and REST Connections
Once you have installed and configured your Dedicated Atlas Search Head you will need to connect it to your Remote Splunk environment. These steps ensure that your Atlas Search Head is a Search Peer to your Remote Search Heads and Indexers.
-
Configure Federated Search on the Atlas Search Head
-
Create an account on your Remote Splunk instance with
fsh_managepermission -
On the Atlas Search Head, in Splunk Web, navigate to Settings -> Federated Search -> Add Federated Provider
-
Create a new Federated Provider in transparent mode using your Remote Splunk URI and the account that was created above
-
See the Splunk documentation for more information on this topic
-
-
Add the Splunk Cloud Search Head as a search peer on the Atlas Search Head
-
In Splunk Web on the Atlas Search Head, navigate to Settings -> Distributed Search -> Search Peers. Your indexers (both Splunk Cloud and local if applicable), should already be listed here.
-
Using the New Search Peer button on this page, add any other Splunk instances that you wish to be able to search or perform REST calls against.
- Adding instances from your Splunk Cloud deployment requires the user credentials of a Splunk Cloud user with the role of
sc_admin - The search heads that you add, must be an equal or higher version than the search peers.
- Adding instances from your Splunk Cloud deployment requires the user credentials of a Splunk Cloud user with the role of
-
Atlas Distributed Install Matrix
Use the tables below to determine where and how to install the Atlas Platform. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install Atlas Elements and Technical Add-Ons (TAs) in multiple places.
| Atlas Element | Dedicated Search Head | Remote Search Heads | Remote Indexers | Heavy Forwarders | Universal Forwarders | Comments |
|---|---|---|---|---|---|---|
| Atlas 4.0 | Yes | No | No | No | No | - |
| Atlas Assessment | Yes | No | No | No | No | - |
| STIG Compliance | Yes | No | No | No | No | - |
| STIG Compliance STIG TA | Yes | No | Yes | Yes | No | Install on Index & Search Head Layer to create required Indexes & Data Transformations |
| STIG Compliance SCAP TA | Yes | No | Yes | Yes | No | Install on Index & Search Head Layer to create required Indexes & Data Transformations |
Installing the Atlas Platform on the Search Head
To install Atlas, follow standard Splunk procedure for installing a Splunk Application or TA.
Optional: Configure Distributed Search Groups
Distributed Search Groups (DSGs) enable Atlas users to search data over a specific set of search peers, such as all Search Heads or all Indexers.
DSGs cannot be configured in Splunk Web; the configuration file must be edited directly. Atlas Core comes with a distsearch.conf template to make setting up DSGs as simple as possible. In each stanza, the servers property consists of a comma-delimited list of servers in the following format: https://192.168.1.44:8089,https://192.168.1.62:8089,....
-
Copy the
distsearch.conffile in$SPLUNK_HOME/etc/apps/atlas_core/default/to the/atlas_core/localfolder. -
Edit the
/local/distsearch.conffile by uncommenting and filling out each stanza that is relevant to your environment.Some of the applicable stanzas may include the following:
[distributedSearch]- the base stanzaIf any search peers have been added using Splunk Web, this stanza will be populated with a comma-delimited list of these servers in the system-level distsearch.conf file located at
$SPLUNK_HOME/etc/system/local/distsearch.conf-
Copy the
servers =entries from the[distributedSearch]stanza in/etc/system/local/distsearch.confinto (under) the same stanza in/etc/apps/atlas_core/local/distsearch.conf -
Add all of the indexers to the servers list in this stanza. They are listed in the Search Peer page on Splunk Web
-
This stanza should now include all search peers shown in Splunk Web
-
[distributedSearch:ENV] - DSG for entire environment
This stanza allows the entire environment to be searched at once
- Copy the server list from the base stanza onto this one, adding
localhost:localhostto include the Atlas Search Head itself
[distributedSearch:DEF] - DSG to be searched by default
This is the only stanza with default = true
This stanza consists of localhost:localhost as well as all Indexers. This ensures standard search behavior, and prevents search requests from being sent to non-indexers
Note that Indexer Discovery is not currently supported — any newly discovered Indexer Cluster Members will not automatically be added to either the base stanza or the DEF stanza and must be manually added. If you use indexer discovery, and do not care about sending search requests to non-indexers, it is recommended to exclude this group.
- You can add servers into additional groups (stanzas) as needed for your environment. The
distsearch.conftemplate in$SPLUNK_HOME/etc/apps/atlas_core/defaultcontains examples of additional groups you can use if needed.
Remember: Do not edit the distsearch.conf file in the /atlas_core/default/ folder - any changes made there will be overwritten during an upgrade. All edits should be done in the distsearch.conf file in /etc/atlas_core/local.