A site has a single existing search head which hosts a mix of both CIM and non-CIM compliant applications. The customer wants good ES performance while controlling costs. What is the best practice for installing ES?

Multiple Choice

Explanation:
Installing Enterprise Security (ES) on a new search head is regarded as a best practice primarily because of ES's specific resource demands and performance needs. By separating the ES installation onto its own dedicated search head, you ensure that processing power, memory, and other resources are allocated and optimized specifically for ES operations. This separation helps improve performance significantly, particularly for data analysis and security monitoring, which can be resource-intensive tasks.

Additionally, maintaining a dedicated search head for ES allows for better management of different applications. Since the site currently hosts both CIM-compliant and non-CIM-compliant apps, this separation prevents potential conflicts that could arise from having resource-heavy tasks running on the same infrastructure that supports other applications.

Moreover, having a dedicated ES search head aligns with the best practices for scalability and future-proofing a Splunk environment. As data volumes grow or additional security features are added, having a dedicated search head can more easily accommodate these changes without negatively impacting the performance of existing applications. This setup is also a cost-effective way of ensuring that all applications, including non-CIM-compliant ones, can run efficiently without being hindered by the performance demands of ES.
