Installation

Install the Whisper Security TA on Splunk Enterprise, distributed deployments, or Splunk Cloud.

Updated May 2026 | Splunk

Prerequisites

  • Splunk Enterprise 10.2+ or Splunk Cloud (Victoria Experience or Classic Experience)
  • Python 3.13 (included with Splunk 10.2+ as an opt-in interpreter)
  • A Whisper Security API key

See the Requirements page for detailed software and network requirements.

Enterprise Deployments: For detailed guidance on deployment server, SHC deployer, indexer clusters, forwarder compatibility, and Splunk Cloud (Victoria vs Classic), see the Deployment Architecture guide.

Deployment topologies

The add-on supports three deployment topologies. Install the TA on the search head in all cases -- search commands and modular inputs run on the search head.

Single-instance deployment

Install the TA on the single Splunk instance. All components run on the same machine.

Distributed deployment

Install the TA on the search head only. Indexers receive indexed events through the normal Splunk data pipeline. No TA installation is needed on indexers or forwarders.

Splunk Cloud

Install the TA through self-service app installation or work with Splunk Cloud Support. The TA passes AppInspect cloud vetting with zero failures.

Search head cluster: For search head cluster (SHC) deployments, deploy the TA to all cluster members via the deployer. KV Store collections replicate automatically across cluster members.

Install from Splunkbase

The add-on is published on Splunkbase: Whisper Security TA on Splunkbase.

Option 1 — From Splunkbase (recommended):

  1. Download the latest release from splunkbase.splunk.com/app/8695.
  2. In Splunk Web, navigate to Apps > Manage Apps > Install app from file and upload the .tgz.
  3. Restart Splunk if prompted.

Option 2 — From Splunk Web:

  1. Navigate to Apps > Find More Apps in Splunk Web.
  2. Search for "Whisper Security".
  3. Click Install.

Create the whisper index

The add-on writes events to a Splunk index named whisper. This index must exist before you enable the modular inputs. The TA does not ship an indexes.conf because Splunk Cloud Victoria Experience prohibits app-shipped index definitions -- index creation is the deployment administrator's responsibility.

The default index name is whisper, but you can override it via the whisper_index macro (see macros documentation) and update each modular input to write to a different index if required.

Splunk Cloud Victoria Experience

Use the Admin Config Service (ACS) API or the Splunk Cloud Console to create the index:

Via Splunk Cloud Console (recommended):

  1. Log in as a Cloud administrator (sc_admin role).
  2. Navigate to Settings > Indexes.
  3. Click New Index.
  4. Enter:
    • Index name: whisper
    • Index data type: Events
    • Searchable retention (days): 180 (6 months) or per your retention policy
  5. Click Save.

Via ACS API:

curl -X POST https://admin.splunk.com/<stack-name>/adminconfig/v2/indexes \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
        "name": "whisper",
        "datatype": "event",
        "searchableDays": 180
      }'

Splunk Cloud Classic Experience

  1. Log in as a Cloud administrator.
  2. Navigate to Settings > Indexes.
  3. Click New Index.
  4. Enter:
    • Index name: whisper
    • Index data type: Events
  5. Click Save.

If self-service index management is not available on your stack, file a ticket with Splunk Cloud Support.

Splunk Enterprise / on-premises

Via Splunk Web:

  1. Navigate to Settings > Indexes.
  2. Click New Index.
  3. Enter whisper as the index name.
  4. Configure paths (defaults are typically fine):
    • Home path: $SPLUNK_DB/whisper/db
    • Cold path: $SPLUNK_DB/whisper/colddb
    • Thawed path: $SPLUNK_DB/whisper/thaweddb
  5. Optional: set Frozen time period to 15552000 (180 days) or your retention policy.
  6. Click Save.

Via CLI:

$SPLUNK_HOME/bin/splunk add index whisper \
  -homePath '$SPLUNK_DB/whisper/db' \
  -coldPath '$SPLUNK_DB/whisper/colddb' \
  -thawedPath '$SPLUNK_DB/whisper/thaweddb' \
  -frozenTimePeriodInSecs 15552000

Via indexes.conf (indexer cluster):

For indexer clusters, define the index in your cluster master's master-apps/_cluster/local/indexes.conf (not in the TA package):

[whisper]
homePath = $SPLUNK_DB/whisper/db
coldPath = $SPLUNK_DB/whisper/colddb
thawedPath = $SPLUNK_DB/whisper/thaweddb
frozenTimePeriodInSecs = 15552000
repFactor = auto

Then push the bundle: splunk apply cluster-bundle.
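
Before pushing the bundle, the stanza can be linted offline. The script below is an added example, not part of the add-on or of Splunk: the function names (load_stanza, check_index) are hypothetical, and the 180-day minimum and the "distinct paths" rule are assumptions taken from the values on this page. Pass a different index name if you overrode the whisper_index macro.

```python
import configparser

REQUIRED_PATHS = ("homePath", "coldPath", "thawedPath")

def load_stanza(conf_text, index):
    """Parse indexes.conf text; return the stanza as a dict, or None if absent."""
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case: Splunk settings are case-sensitive
    parser.read_string(conf_text)
    return dict(parser.items(index)) if parser.has_section(index) else None

def check_index(conf_text, index="whisper", min_days=180, clustered=True):
    """Return a list of problems; an empty list means the stanza looks deployable."""
    stanza = load_stanza(conf_text, index)
    if stanza is None:
        return [f"[{index}] stanza not found"]
    problems = [f"{key} is not set" for key in REQUIRED_PATHS if not stanza.get(key)]
    paths = [stanza[key] for key in REQUIRED_PATHS if stanza.get(key)]
    if len(set(paths)) != len(paths):
        problems.append("homePath, coldPath and thawedPath should be distinct directories")
    frozen = stanza.get("frozenTimePeriodInSecs")
    if frozen is not None:
        if not frozen.isdigit():
            problems.append(f"frozenTimePeriodInSecs is not an integer: {frozen}")
        elif int(frozen) < min_days * 86400:
            problems.append(f"retention is {int(frozen) // 86400} days, policy requires {min_days}")
    if clustered and stanza.get("repFactor") != "auto":
        problems.append("repFactor is not auto, so the index will not replicate across peers")
    return problems

# Constructed samples: GOOD is the stanza from this page; BAD is deliberately broken.
GOOD = """
[whisper]
homePath = $SPLUNK_DB/whisper/db
coldPath = $SPLUNK_DB/whisper/colddb
thawedPath = $SPLUNK_DB/whisper/thaweddb
frozenTimePeriodInSecs = 15552000
repFactor = auto
"""
BAD = """
[whisper]
homePath = $SPLUNK_DB/whisper/db
coldPath = $SPLUNK_DB/whisper/db
frozenTimePeriodInSecs = 7776000
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_index(text) or "ok")
```

For a non-clustered indexer, call check_index(text, clustered=False) so the repFactor check is skipped.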

Verify the index exists

After creation, confirm the index is available:

| rest /services/data/indexes
| search title="whisper"
| table title currentDBSizeMB maxTotalDataSizeMB

You should see one row with title=whisper. If the search returns no rows, the index does not exist, and the modular inputs will fail with IndexProcessor - cooked index=whisper not found errors in splunkd.log.

Verify installation

After installation, verify the app is visible and enabled:

| rest /services/apps/local/TA-whisper-graph
| table label version disabled

Verify search commands are registered:

| whisperquery query="RETURN 1 AS test LIMIT 1"

Next steps

After installation, proceed to Configuration to set up your API key.