
If you use indexer clustering, the method you use to deploy apps and configuration files to indexer peers is different. See Manage common configurations across all cluster peers and Manage app deployment across all cluster peers in the Managing Indexers and Clusters of Indexers manual.

Data model accelerations

Splunk Enterprise Security accelerates data models to provide dashboard, panel, and correlation search results. Data
model acceleration uses the indexers for processing and storage, storing the accelerated data in each index.

Limit data model acceleration for specific data models to specific indexes to improve performance of data model
acceleration and reduce indexer load, especially at scale. See Set up the Splunk Common Information Model Add-on for
more on restricting data models to specific indexes.

See Data model acceleration storage and retention to calculate the additional storage for data model acceleration.

Index TSIDX reduction compatibility

A retention policy for an index's TSIDX files is available in Splunk Enterprise 6.4.x. For more information, see Reduce
tsidx disk usage in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual. Setting a retention policy
for the TSIDX files does not affect the retention of data model accelerations.

Some searches provided with Enterprise Security do not work on buckets with reduced TSIDX files.

| Panel/Search Name | Default time range | Workaround |
|---|---|---|
| Forwarder Audit panel: Event Count Over Time by Host | -30d | Set the TSIDX retention to a value greater than the time range. |
| Saved Search: Audit - Event Count Over Time By Top 10 Hosts | -30d | Set the TSIDX retention to a value greater than the time range. |
| Saved Search: Audit - Events Per Day - Lookup Gen | -1d | Set the TSIDX retention to a value greater than the default time range. |
| Saved Search: Endpoint - Index Time Delta 2 - Summary Gen | -1d | Set the TSIDX retention to a value greater than the default time range. |
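The following check is an added example, not part of the Splunk documentation: it reads an indexes.conf and reports, per index, which of the searches in the table above would reach buckets with reduced TSIDX files. The setting names `enableTsidxReduction` and `timePeriodInSecBeforeTsidxReduction` come from Splunk's indexes.conf rather than from this page, the 7-day default is an assumption, the sample configuration is constructed, and every index is treated as in scope because the page does not say which indexes each search reads.

```python
import re

# Default time ranges (days) of the affected searches, from the table above.
AFFECTED = {
    "Forwarder Audit panel: Event Count Over Time by Host": 30,
    "Saved Search: Audit - Event Count Over Time By Top 10 Hosts": 30,
    "Saved Search: Audit - Events Per Day - Lookup Gen": 1,
    "Saved Search: Endpoint - Index Time Delta 2 - Summary Gen": 1,
}
DEFAULT_PERIOD_SEC = 604800  # assumption: Splunk's 7-day default when unset
# Constructed sample indexes.conf, not taken from a real deployment.
SAMPLE_CONF = """\
[default]
enableTsidxReduction = true
timePeriodInSecBeforeTsidxReduction = 1209600
[main]
homePath = $SPLUNK_DB/defaultdb/db
[_internal]
timePeriodInSecBeforeTsidxReduction = 86400
[wineventlog]
timePeriodInSecBeforeTsidxReduction = 7776000
[notable]
enableTsidxReduction = false
"""

def parse_conf(text):
    """Minimal stanza/key parser; keys before any stanza go to [default]."""
    stanzas, name = {"default": {}}, "default"
    for line in map(str.strip, text.splitlines()):
        stanza = re.fullmatch(r"\[(.+)\]", line)
        if stanza:
            name = stanza.group(1)
        elif "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            stanzas.setdefault(name, {})[key.strip()] = value.strip()
    return stanzas

def tsidx_conflicts(conf_text):
    """Map index name -> affected searches whose range reaches reduced buckets."""
    stanzas = parse_conf(conf_text)
    findings = {}
    for name in (n for n in stanzas if n != "default" and not n.startswith("volume:")):
        merged = {**stanzas["default"], **stanzas[name]}  # per-index keys override [default]
        enabled = merged.get("enableTsidxReduction", "false").lower() in ("1", "true")
        days = int(merged.get("timePeriodInSecBeforeTsidxReduction", DEFAULT_PERIOD_SEC)) / 86400
        hits = sorted(s for s, rng in AFFECTED.items() if days <= rng)  # retention must exceed range
        if enabled and hits:
            findings[name] = hits
    return findings
```

On the sample, `main` inherits the 14-day period from `[default]` and conflicts with the two -30d searches, while `_internal` at 1 day conflicts with all four.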

Using the deployment server with Splunk Enterprise Security

Splunk Enterprise Security includes apps and add-ons. If the deployment server manages those apps or add-ons,
Enterprise Security will not finish installing.

• For add-ons included with Splunk Enterprise Security, deploy them using the Distributed Configuration
Management tool. See Deploy add-ons included with Splunk Enterprise Security in this manual.
• For other apps and add-ons installed in your environment, deploy them with the deployment server if appropriate.
See About deployment server and forwarder management in Updating Splunk Enterprise Instances.

If add-ons included with the Enterprise Security package are managed by a deployment server, remove the deployment
client configuration before installing Enterprise Security.

1. Remove the deploymentclient.conf file containing references to the deployment server.


2. Restart Splunk services.
