Installation
Installation Target
TrackMe is a Search Head component only, therefore it has to be deployed only on a target Search Head layer:
| Splunk roles | required |
|---|---|
| Search head | yes (*) |
| Monitoring console | yes (*) |
| Indexer tiers | no |
| Heavy Forwarders | no |
(*) You can deploy TrackMe on a dedicated Search Head or Search Head Cluster, or alternatively on the machine hosting the Splunk Monitoring Console.
If you choose to install TrackMe on your Search Head layer in a Search Head Cluster (SHC), TrackMe must be deployed through the SHC deployer node.
Indexes definition
Default indexes
TrackMe requires at least 4 indexes to be defined; in a distributed context this usually means defining the indexes on your manager node:
| Default index name | Purpose |
|---|---|
| trackme_summary | TrackMe entities activity such as the state, flipping events, Smart Status |
| trackme_audit | TrackMe modifications and application audit activity |
| trackme_notable | Notable events generated by the TrackMe notable alert action |
| trackme_metrics | Various metrics generated depending on the components |
Indexes are defined by default in the application package:
trackme/default/indexes.conf
Typically:
If TrackMe is running on an "all in one" instance, you do not need to define the indexes, as the application already defines them (mostly for testing and development purposes).
It is good practice to use Splunk volumes rather than the default SPLUNK_DB variable to define the location of the buckets (this is required if using SmartStore).
Therefore, a typical definition would be:
[trackme_notable]
coldPath = volume:primary/trackme_notable/colddb
homePath = volume:primary/trackme_notable/db
thawedPath = $SPLUNK_DB/trackme_notable/thaweddb
[trackme_summary]
coldPath = volume:primary/trackme_summary/colddb
homePath = volume:primary/trackme_summary/db
thawedPath = $SPLUNK_DB/trackme_summary/thaweddb
[trackme_audit]
coldPath = volume:primary/trackme_audit/colddb
homePath = volume:primary/trackme_audit/db
thawedPath = $SPLUNK_DB/trackme_audit/thaweddb
[trackme_metrics]
coldPath = volume:primary/trackme_metrics/colddb
homePath = volume:primary/trackme_metrics/db
thawedPath = $SPLUNK_DB/trackme_metrics/thaweddb
datatype = metric
The volume definitions (volume:primary above) are to be adapted to your context.
Virtual Tenants specific indexes
Virtual Tenants are a core concept of TrackMe that provides many powerful features; among them is the capability to define a tenant-specific set of indexes.
Therefore, you can choose to define specific indexes for one or more tenants, and a different set of indexes for other tenants.
This allows TrackMe to comply with any Role Based Access Control (RBAC) requirements, for instance to allow one population of users to access specific tenants while another population can access others.
Example: Virtual Tenant indexes definition configuration screen
Installing TrackMe
Splunk Enterprise
Installing TrackMe on Splunk Enterprise on-premise deployments depends on the type of deployment.
For standalone instances, you can refer to: https://docs.splunk.com/Documentation/AddOns/released/Overview/Singleserverinstall
For distributed deployments, refer to: https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall
Notes for older generations of Splunk (prior to Splunk 9.x)
TrackMe is developed for the latest generation of Splunk software, therefore some built-in parameters primarily target Splunk 9.x compatible configuration.
If you are running TrackMe on a version prior to Splunk 9.x, you should apply the following customization:
Create a local/distsearch.conf:
# distsearch.conf
# Avoid the replication to the indexers of the KVstore backup tarball compressed files
[replicationBlacklist]
trackme_backup_tgz = apps/trackme/backup/*.tgz
trackme_backup_dirs = apps/trackme/backup/...
# These lookups do not need to be replicated
trackme_cim_regex = apps/trackme/lookups/trackme_cim_regex.csv
# Machine Learning models: anomaly detection generates various ML model files, which are not needed on the indexer layer
trackme_mlmodels = apps/trackme/lookups/__mlspl_*.mlmodel
Notes:
In Splunk 9.x, biased language was addressed and this stanza became replicationDenylist.
In TrackMe, this stanza prevents ML model files from being unnecessarily replicated to the indexers as part of the knowledge bundle.
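As an added example (not part of the TrackMe project or of this page), the following Python checker covers both the index definition section and the pre-9.x note above: it parses an indexes.conf, verifies the four required TrackMe indexes against the volume and datatype points made earlier, and returns the distsearch.conf stanza name to use for a given Splunk version. The sample indexes.conf is constructed and deliberately incomplete; the function names are assumptions.

```python
import configparser

# The four indexes TrackMe requires (table above); trackme_metrics must be a metrics index.
REQUIRED_INDEXES = ("trackme_summary", "trackme_audit", "trackme_notable", "trackme_metrics")
METRIC_INDEXES = {"trackme_metrics"}

# Constructed sample (not a real deployment): trackme_notable is missing, trackme_audit
# still points at $SPLUNK_DB and trackme_metrics lacks its datatype.
SAMPLE_INDEXES_CONF = """
[trackme_summary]
coldPath = volume:primary/trackme_summary/colddb
homePath = volume:primary/trackme_summary/db
thawedPath = $SPLUNK_DB/trackme_summary/thaweddb
[trackme_audit]
coldPath = $SPLUNK_DB/trackme_audit/colddb
homePath = $SPLUNK_DB/trackme_audit/db
thawedPath = $SPLUNK_DB/trackme_audit/thaweddb
[trackme_metrics]
coldPath = volume:primary/trackme_metrics/colddb
homePath = volume:primary/trackme_metrics/db
thawedPath = $SPLUNK_DB/trackme_metrics/thaweddb
"""

def parse_splunk_conf(text):
    """Parse an INI-style Splunk .conf; keys keep their case (homePath is not homepath)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def check_trackme_indexes(text):
    """Return findings against the requirements above; an empty list means the conf passes."""
    conf = parse_splunk_conf(text)
    findings = []
    for name in REQUIRED_INDEXES:
        stanza = conf.get(name)
        if stanza is None:
            findings.append(f"{name}: missing stanza")
            continue
        for key in ("homePath", "coldPath"):  # thawedPath may keep $SPLUNK_DB, as above
            if not stanza.get(key, "").startswith("volume:"):
                findings.append(f"{name}: {key} should use a volume (required for SmartStore)")
        if name in METRIC_INDEXES and stanza.get("datatype") != "metric":
            findings.append(f"{name}: datatype must be 'metric'")
    return findings

def replication_stanza(splunk_version):
    """distsearch.conf stanza for excluding files from the knowledge bundle:
    replicationBlacklist before Splunk 9.x, replicationDenylist from 9.x on."""
    return "replicationDenylist" if int(splunk_version.split(".")[0]) >= 9 else "replicationBlacklist"
```

Run `check_trackme_indexes(SAMPLE_INDEXES_CONF)` on the sample to see the four findings; a conf matching the definition given earlier on this page returns an empty list.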
Splunk Cloud
Installing TrackMe on Splunk Cloud relies on Cloud self services, refer to:
Upgrading TrackMe
As a basis, upgrading TrackMe is an equivalent process to the installation. In a nutshell:
In Splunk Enterprise, you download the updated release, extract the new version, then restart the instance if on a standalone Search Head or apply the SHC bundle if running in a SHC.
In Splunk Cloud, once a new release has been published and vetted, the new version release number appears as upgradable through the application management interface, and you follow the self-service process.
TrackMe implements an automated concept, called schema version, to perform the required application-level upgrade procedures; see Upgrading TrackMe.