Reducing Splunk Enterprise management effort with Splunk Assist
Have you been worried about whether your Splunk Enterprise deployment is secure? Are you tired of keeping track of all security vulnerabilities and vendor-provided patches to ensure that your exposure to such vulnerabilities is minimized? What about making sure that the certificates for your hundreds of forwarders, indexers, search heads, and other Splunk connectors are not expired? As a Splunk admin, you spend a lot of time and effort on platform management tasks, especially on those you consider low-value. You want a service to reduce that effort.
Splunk Assist is a cloud-connected service for Splunk Enterprise that puts your telemetry data to work. Assist provides you with a single place to monitor your deployment and see recommendations to improve your security posture.
The primary objective of Assist is to keep your deployment secure and in prime condition. Assist does this by providing the following:
- Active monitoring. No need to hunt for critical security gaps
- Actionable insights. No need to look for docs and tutorials to fix issues as you go
- Powered by the cloud. Continuous improvements mean no need to keep up with version upgrades and security patch upgrade
- Security first. Data isolation and authentication best practices
Splunk Assist offers a number of other benefits:
- It is free and doesn't require a new license.
- It has an auto-update process that runs in the background to ensure you always have the latest version.
- It doesn’t make any changes to your deployment. It only surfaces any issues and provides steps to fix them. It’s completely under the admin’s control to apply any recommended changes or not.
Splunk Assist is only available in Splunk Enterprise 9.0 or above versions. For complete information about Splunk Assist requirements, refer to About Splunk Assist in Splunk Documentation.
After you have upgraded to Splunk Enterprise 9.0 or later, follow these three steps to get started with Splunk Assist:
- Enable support usage data (SUD). SUD is needed for Assist to collect telemetry data to provide custom insights. For information on how Splunk uses usage data and how to opt in to sharing that data for use by Splunk Assist, see Share performance and usage data in the admin manual).
- Update network settings. Open port 443 and allow outbound traffic to *.scs.splunk.com.
- Configure the Cloud Monitoring Console (CMC). This step if only required if you haven't done so already. For more information, see (Multi-instance Monitoring Console setup steps.
If ever required, you can disable Splunk Assist by disabling the backend app that is processing data. Under “Manage Apps”, look for the app “splunk_assist” and disable it.
These additional Splunk resources might help you understand and implement this product tip: