Skip to main content
Splunk Lantern

Reducing Splunk Enterprise management effort with Splunk Assist


Have you been worried about whether your Splunk Enterprise deployment is secure? Are you tired of keeping track of all security vulnerabilities and vendor-provided patches to ensure that your exposure to such vulnerabilities is minimized? What about making sure that the certificates for your hundreds of forwarders, indexers, search heads, and other Splunk connectors are not expired? As a Splunk admin, you spend a lot of time and effort on platform management tasks, especially on those you consider low-value. You want a service to reduce that effort.


Splunk Assist is a cloud-connected service for Splunk Enterprise that puts your telemetry data to work. Assist provides you with a single place to monitor your deployment and see recommendations to improve your security posture.

The primary objective of Splunk Assist is to keep your deployment secure and in prime condition. Assist does this by providing the following:

  • Active monitoring. No need to hunt for critical security gaps
  • Actionable insights. No need to look for docs and tutorials to fix issues as you go
  • Powered by the cloud. Continuous improvements mean no need to keep up with version upgrades and security patch upgrade
  • Security first. Data isolation and authentication best practices

Splunk Assist offers a number of other benefits:

  • It is free and doesn't require a new license.
  • It has an auto-update process that runs in the background to ensure you always have the latest version.
  • It doesn’t make any changes to your deployment. It only surfaces any issues and provides steps to fix them. It’s completely under the admin’s control to apply any recommended changes or not.

Splunk Assist is only available in Splunk Enterprise 9.0 or above versions. For complete information about Splunk Assist requirements, refer to About Splunk Assist in Splunk Documentation.

After you have upgraded to Splunk Enterprise 9.0 or later, follow these three steps to get started with Splunk Assist:

  1. Enable support usage data (SUD). SUD is needed for Assist to collect telemetry data to provide custom insights. For information on how the Splunk platform uses usage data and how to opt in to sharing that data for use by Splunk Assist, see Share performance and usage data in the admin manual).
  2. Update network settings. Open port 443 and allow outbound traffic to *
  3. Configure the Cloud Monitoring Console (CMC). This step if only required if you haven't done so already. For more information, see Multi-instance Monitoring Console setup steps.

Next steps

If ever required, you can disable Splunk Assist by disabling the backend app that is processing data. Under Manage Apps, look for the app splunk_assist and disable it.

These additional Splunk resources might help you understand and implement this product tip: