Deployment Architecture
Enterprise deployment patterns for the Whisper Security Splunk Add-on — tier placement, deployment server, SHC deployer, indexer clusters, forwarder compatibility, and Splunk Cloud specifics.
Deployment Architecture Documentation
This guide covers enterprise deployment patterns for the Whisper Security Add-on, including tier placement, deployment server workflows, Search Head Cluster (SHC) configuration, indexer cluster considerations, forwarder compatibility, and Splunk Cloud specifics.
Tier Component Matrix
The TA runs entirely on search heads. Indexers and forwarders require no additional configuration.
| Component | Search Head | Indexer | Forwarder |
|---|---|---|---|
| Search commands (whisperlookup, whisperquery) | YES | NO | NO |
| Modular inputs (health, baseline, threat intel, watchlist) | YES | NO | NO |
| KV Store collections (enrichment cache, threat intel) | YES | NO | NO |
| API calls (outbound HTTPS to Whisper API) | YES | NO | NO |
| Alert actions (Enrich with Whisper) | YES | NO | NO |
| Dashboards and views | YES | NO | NO |
| Saved searches (correlation, KV Store population) | YES | NO | NO |
| props.conf / transforms.conf | YES | YES* | NO |
| indexes.conf (whisper index) | NO | YES | NO |
*Only if field extractions are needed at index time. For most deployments, search-time extraction (default) is sufficient.
API Call Origin
All outbound API calls to the Whisper Knowledge Graph originate exclusively from search heads. Ensure your firewall allows outbound HTTPS (port 443) from search heads to graph.whisper.security (or your configured API base URL).
No indexers, forwarders, or other Splunk components make API calls.
Deployment Server
To deploy the TA via Deployment Server to search heads:
- Place the TA in the deployment apps directory:

  ```
  $SPLUNK_HOME/etc/deployment-apps/TA-whisper-security/
  ```

- Configure serverclass.conf to target search heads only:

  ```
  [serverClass:whisper_security]
  whitelist.0 = search-head-*.example.com

  [serverClass:whisper_security:app:TA-whisper-security]
  restartSplunkd = true
  ```

- Push the deployment:

  ```
  splunk reload deploy-server
  ```
Do not deploy to indexers or forwarders -- the TA is not needed there.
Search Head Cluster (SHC)
Deploying via SHC Deployer
- Place the TA on the deployer:

  ```
  $SPLUNK_HOME/etc/shcluster/apps/TA-whisper-security/
  ```

- Push the bundle:

  ```
  splunk apply shcluster-bundle -target https://<captain>:8089 --answer-yes
  ```
KV Store Replication
KV Store collections automatically replicate across SHC members. No additional configuration is needed. The TA's server.conf includes:

```
[shclustering]
conf_replication_include.ta_whisper_security_settings = true
```

To verify KV Store replication status:

```
| rest /services/kvstore/status
```
Modular Input Behavior
Modular inputs run on all SHC members by default. For inputs that should run on only one member (to avoid duplicate data collection), configure the captain to manage input scheduling, or disable inputs on non-captain members.
Indexer Cluster
No TA installation is required on indexers. The TA runs entirely on search heads.
If you want the whisper index on your indexer cluster, push indexes.conf via the Cluster Manager:

```
$SPLUNK_HOME/etc/manager-apps/TA-whisper-security-indexes/default/indexes.conf
```
The TA's indexes.conf includes repFactor = auto for proper replication across indexer cluster peers.
Forwarder Compatibility
The TA does not run on universal or heavy forwarders. All data collection is performed by modular inputs running on the search head, which call the Whisper API directly.
Forwarders can send raw network events (e.g., proxy logs, firewall logs) to indexers. Those events can then be enriched at search time using whisperlookup on the search head.
Splunk Cloud
Victoria Experience
- The TA installs on the search head via the Splunk Cloud self-service app install
- Modular inputs run locally on the search head -- full compatibility
- KV Store is accessible from the search head
- All features work without additional configuration
Classic Experience (IDM)
In Classic Experience, modular inputs run on the Inputs Data Manager (IDM), a separate Splunk instance that does not have access to KV Store.
The TA uses an event-based architecture to support this deployment:
- Modular inputs (whisper_threat_intel, whisper_watchlist) write enrichment data as events to the whisper index instead of writing directly to KV Store
- Saved searches (disabled by default) read these events and populate KV Store collections on the search head via outputlookup
To enable the event-based pipeline on Classic Experience:
- Enable the modular inputs via the TA configuration page
- Enable the following saved searches:
- Whisper - Populate IP Threat Intel KV Store
- Whisper - Populate Domain Threat Intel KV Store
- Whisper - Populate Precomputed Enrichment KV Store
- Configure the saved search schedules to run after the input collection intervals
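As an added illustration of the event-based pipeline (not the TA's own savedsearches.conf), a population search stanza of the shape described above. Only the index, sourcetype and saved search name come from this page; the lookup name whisper_ip_threat_intel, the event fields ip, risk_score and categories, and the hourly input interval are assumptions.

```ini
# Illustrative stanza, not shipped by the TA. Stanza name matches the saved
# search listed above; lookup and field names are assumptions.
[Whisper - Populate IP Threat Intel KV Store]
# Disabled by default: on Victoria the inputs write KV Store directly.
disabled = 1
enableSched = 1
# Assumes the whisper_threat_intel input runs hourly at :00. Run at :15 so the
# IDM has finished writing, and look back a little more than one interval so a
# delayed run still catches the previous batch.
cron_schedule = 15 * * * *
dispatch.earliest_time = -75m
dispatch.latest_time = now
# Collapse to the newest event per IP, then replace the collection contents.
# outputlookup goes through the transforms.conf lookup definition, so the
# KV Store collection never has to be reachable from the IDM. If the input
# writes deltas rather than the full set, use "outputlookup append=true
# key_field=ip whisper_ip_threat_intel" instead of a full replace.
search = index=whisper sourcetype=whisper:threat_intel \
  | stats latest(risk_score) AS risk_score latest(categories) AS categories max(_time) AS last_seen BY ip \
  | outputlookup whisper_ip_threat_intel
```

The Domain and Precomputed Enrichment population searches follow the same pattern with their own sourcetype, key field and lookup.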
Firewall Requirements
Allow outbound HTTPS (port 443) from search heads to:
- graph.whisper.security (production API)
- Or your configured API base URL
AppInspect Cloud Vetting
The TA passes AppInspect with cloud, private_victoria, and private_classic tags with zero failures.
Configuration File Distribution
| Config File | Search Head | Indexer | Notes |
|---|---|---|---|
| app.conf | YES | NO | App identity and triggers |
| commands.conf | YES | NO | Custom search commands |
| collections.conf | YES | NO | KV Store schemas |
| transforms.conf | YES | YES* | Lookup definitions |
| props.conf | YES | YES* | Field extractions |
| savedsearches.conf | YES | NO | Correlation and population searches |
| macros.conf | YES | NO | Investigation macros |
| indexes.conf | NO | YES | Index definitions |
| authorize.conf | YES | NO | Custom roles |
*Only needed on indexers if index-time field extractions are configured.
Troubleshooting
Inputs Not Running (SHC)
If modular inputs are not collecting data on an SHC:
- Verify the TA is deployed on all SHC members
- Check that inputs are enabled: Settings > Data Inputs > Whisper
- Verify API connectivity: run `| whisperquery query="CALL whisper.quota()"` from the search bar
Inputs Not Running (Splunk Cloud Classic)
If using Classic Experience with IDM:
- Verify the event-based saved searches are enabled
- Check that events are being written: search for `index=whisper sourcetype=whisper:threat_intel`
- If events exist but KV Store is empty, verify the saved searches are running on schedule
KV Store Replication Issues (SHC)
Verify replication is working:

```
| rest /services/kvstore/status
| table title, currentStatus, replicationStatus
```
If collections are not replicating, verify server.conf includes the replication settings.