Skip to main content
Version: Atlas 2022.3.3

Platform Installation for Splunk Cloud

Installation Requirements

Atlas for Splunk Cloud requires that a Splunk Search Head be deployed in your local environment that will connect to your Splunk Cloud environment. This Search Head must be configured as a Federated Search Head. Atlas will be installed on this Search Head and will connect to your Splunk Cloud environment. This Search Head will be referred to as the “Atlas Search Head” throughout the remainder of this article. Once deployed, you will add the Splunk Cloud Search Head as a search peer on your local Atlas Search Head to allow use of the Splunk REST command.

The Atlas Search Head Deployment Guidelines

  • Can be deployed in a clustered or non-clustered architecture or can also be an all-in-one (AIO) Splunk deployment
  • Must be deployed to an environment that is outside of your Splunk Cloud environment
  • Must be able to connect to Splunk Cloud over the internet

Installation Prerequisites

You should have obtained the following before proceeding with the installation:

  • The Atlas software
  • A valid Atlas license key
  • Administrative access to the Atlas Search Head
  • An Atlas Audit Splunk index (atlas_audit by default) has been configured
  • A server that meets Splunk minimum requirements and has had Splunk installed on it

Atlas Search Head Sizing Requirements

Search head sizing guidance from Splunk

Splunk's sizing specifications can be found here. You should use these as your guidance for sizing your Atlas Search Head. The Atlas Expertise on Demand Team can be leveraged to provide you with customized guidance for achieving optimal Atlas performance in your environment.

Evaluation only Atlas Search Head Specifications

If you are evaluating Atlas, you can consider the following 'Evaluation only' specifications as minimum requirements for the Atlas Search Head. This should provide enough resources to evaluate Atlas features, but when you want to add production workload, you will need to comply with Splunk's recommendations.

caution

The following specifications are Atlas software evaluations only. Do not use these server specifications for running production workloads.

  • An x86 64-bit chip architecture
  • 8 vCPU at 2Ghz or greater speed per core
  • 8GB RAM
  • 100GB of dedicated storage (SSD Based storage system with no less than 800 sustained IOPS, can be thin-provisioned)
  • A 1GB Ethernet NIC
  • A 64-bit Linux or Windows distribution

Software Requirements

Splunk Enterprise

Atlas Search Head Splunk VersionSupported Splunk Cloud Versions
9.0.x9.0.2209+
8.2.x8.2.2104
8.1.x8.1.2008 - 8.1.2101
8.0.x8.0.x

Atlas Software and License Key

Provided by Kinney Group - see the instructions for Downloading Atlas and Requesting a License Key

Installation Preparation

For additional assistance with completing these steps, please reach out to your Expertise on Demand Team or submit a request to support@kinneygroup.com.

Configure the Atlas Search Head and REST Connections

Once you have installed and configured your Atlas Search Head you will need to connect it to your Splunk Cloud environment. If you are completing these items yourself, these steps are best executed using Splunk Cloud's Admin Config Service (ACS).

  1. Allow your Atlas Search Head's public IP on your Splunk Cloud Environment for REST API access.

    • This can be accomplished using the following methods:
      • ACS
      • Splunk server settings UI
      • Opening a request to Splunk Cloud support

  2. Configure Federated Search on the Atlas Search Head

    • Create an account on your Splunk Cloud instance with fsh_manage permission

    • On the Atlas Search Head, in Splunk Web, navigate to Settings -> Federated Search -> Add Federated Provider

    • Create a new Federated Provider in transparent mode using your Splunk Cloud URI and the account that was created above

    • See the Splunk documentation for more information on this topic

  3. Add the Splunk Cloud Search Head as a search peer on the Atlas Search Head

    • In Splunk Web on the Atlas Search Head, navigate to Settings -> Distributed Search -> Search Peers. Your indexers (both Splunk Cloud and local if applicable), should already be listed here.

    • Using the "New Search Peer" button on this page, add any other Splunk instances that you wish to be able to search or perform REST calls against.

      • Adding instances from your Splunk Cloud deployment requires the user credentials of a Splunk Cloud user with the role ofsc_admin
      • The search heads that you add, must be an equal or higher version than the search peers.

Atlas Platform Installation and Initial Configuration

The following procedure will outline the steps required to install the Atlas Platform on your local Atlas Search Head.

Installing Atlas Elements

  1. Locate the Atlas Artifacts .zip file(s) you downloaded from the Downloading Atlas step. If you were given a single compressed file, un-zip the file so it becomes numerous sub-files. Each sub-file is an Atlas Element.

  2. Sign in as a Splunk Admin on your Splunk Search Head and navigate to Apps -> Manage Apps from in Splunk Web UI.

  3. Click on the "Install App from File" button located in the top right.

    Step 3

  4. Select one of the Atlas element ZIP files identified in Step 1 and Click "Upload". If you experience an issue, try selecting the “Upgrade App” checkbox and try again. The order in which the Atlas files are uploaded does not matter.

    Step 4

  5. Repeat Steps 3-4 for each of the Atlas element zip files.

    note

    You can check the progress of your install by searching “Atlas” on the Manage apps screen to see which elements have already been installed.

    Step 5

  6. After all of the Atlas Elements have been installed, click "Apps" and select "Atlas".

    Step 6

  7. A notice will appear notifying you that you need to configure Atlas. Click "Continue to Configurations" to go to the Atlas Licensing page.

  8. Paste your license key into the text box and click "Save".

  9. Your Atlas elements should now be available.

Configure Atlas Audit

After the Atlas elements have been installed and configured you should also configure Atlas Audit. Atlas Audit tracks activities performed by your users using Atlas. This information stays in your Splunk environment and can be used to track changes made to your Splunk deployment by your users using Atlas.

  1. Using your preferred method, create an index in Splunk with your desired name. The default is atlas_audit.

  2. The index used by Atlas Audit is specified in the atlas.conf file located at $SPLUNK_HOME/etc/apps/atlas_core/default/. You do not need to change anything in this file unless you plan to use a different index name. The contents of the atlas.conf file should look similar to the following:

    [license]
    license_key =

    [atlaslogs]
    index = atlas_audit
    sourcetype = atlas_logs
    caution
    • Do not alter the sourcetype in the atlas.conf file. The sourcetype must remain atlas_logs for proper operation.
    • Do not edit the atlas.conf file in the /atlas_core/default/ folder. Any changes made there will be overwritten during an upgrade. Make any changes in the /atlas_core/local/ folder.

  3. Restart the Splunk Search Head to start capturing audit events.

ES Helper Configuration

If you are using the ES Helper Atlas element, the are some additional steps required to properly configure the application. The ES Helper Atlas app requires an “ES” Distributed Search Group (DSG) to be created to facilitate communication with the ES Search Head.

  1. In the ES Helper app: Change the es_helper_target macro’s definition to “splunk_server_group=ES” if you have created an ES DSG, or “splunk_server=<ES Search Head server name>” if you have not, or if there is only one ES Search Head.

    • The server name can be found by running the following on the ES Search Head:

      | rest /services/server/info
      | table splunk_server

    • Navigate to Settings > Advanced search > Search macros, click the es_helper_target marco, edit the Definition field per the instructions above and Save.

    • Edit the es_helper_target macro

  2. Configure Data Model Acceleration:

    • Atlas ES Helper requires the Search Head where it is installed to define the same Data Models and Acceleration settings as the Enterprise Security Search Head.

      • Install Splunk_SA_CIM from Splunkbase and configure datamodels.conf in the $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local directory to match the same file on your Enterprise Security Search Head.

    • By default, Splunk Indexers create separate Data Model Summaries for each Search Head or Search Head cluster that defines a Data Model even if the definitions are identical. However, you can configure Splunk to use another Search Head’s Data Model summaries instead. Therefore, you should configure remote summaries to save indexer space and compute. Follow the following steps to configure a Remote Data Model Summary:

      • Ensure the ES Search Head has been added as a search peer on the Atlas Search Head.

      • To find the GUID of the ES Search Head, run the following search:

        | rest splunk_server=local /services/search/distributed/peers
        | table peerName title guid search_groups

      • In the $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local folder edit datamodels.conf. For each data model, add the following property:

        • acceleration.source_guid=<GUID from step ii>

      • Additional information about acceleration summaries can be found here