Splunk® Supported Add-ons

Splunk Add-ons

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Install an add-on in a distributed Splunk Enterprise deployment

If your Splunk Enterprise environment is distributed, follow the instructions in each of the sections below to deploy add-ons to your search heads, indexers, and forwarders.

Search heads

To install an add-on to a search head:

  1. Download the add-on from Splunkbase.
  2. From the Splunk Web home screen, click the gear icon next to Apps.
  3. Click Install app from file.
  4. Locate the downloaded file and click Upload.
  5. If Splunk Enterprise prompts you to restart, do so.
  6. Verify that the add-on appears in the list of apps and add-ons.

Make sure the add-on is not visible. If the Visible column for the add-on is set to Yes, click Edit properties and change Visible to No. Disabling visibility of add-ons on search heads is recommended to avoid inputs from being created on search heads. Data collection components are not recommended for search heads because of the potential to conflict with users' search activity.

You can also find it on the server at $SPLUNK_HOME/etc/apps/<Name_of_add-on>.

Search head clusters

Before deploying an add-on to a search head cluster, check the documentation of the add-on to ensure it is supported on search head clusters. The add-on documentation might also include pre-deployment steps that you must perform in order to avoid validation errors. The files that cause the validation errors are all irrelevant to search head functionality, but the validation errors prevent deployment.

Unless otherwise instructed in the documentation for the specific add-on, before deploying an add-on to a search head cluster, make the following changes to the add-on package:

  1. Remove the eventgen.conf files and all files in the samples folder.
  2. Remove the inputs.conf and inputs.conf.spec files, if the add-on contains them. Exception: If you are collecting data locally from the machines running your search head nodes, keep these files.
  3. Remove the database.conf file, if the add-on contains one.

To deploy an add-on to the search head cluster members, use the deployer. See Use the deployer to distribute apps and configuration updates in Distributed Search.

Indexers

To install an add-on to an indexer:

  1. Download the add-on from Splunkbase, then unpack the .tgz package.
  2. Place the resulting Splunk_TA_<add-on_name> folder in the $SPLUNK_HOME/etc/apps directory on your indexer.
  3. Restart the indexer.

Indexer clusters

Unless noted, add-ons are supported on indexer clusters, whether single-site or multi-site.

If the add-on defines configurations for modular inputs that are located in apps or add-ons that are not included in the configuration bundle, your deployment of the configuration bundle fails due to validation errors. The affected files are all irrelevant to indexer functionality, provided that you configure your inputs on forwarders, but the validation errors prevent deployment.

To work around this issue, before deploying add-ons to indexer clusters, make the following changes to the add-on package unless the documentation for the add-on overrides these instructions:

  1. Remove the eventgen.conf files and all files in the samples folder.
  2. Remove the inputs.conf and inputs.conf.spec files, if the add-on contains them. Exception: If you are collecting data locally from the machines running your indexers, keep these files.
  3. Remove the database.conf file, if it contains one.

Deploy add-ons to peer nodes on indexer clusters using a manager node. For more information about using a manager node to deploy to peer nodes of an indexer cluster, see Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.

Universal or light forwarders

Check the installation instructions for each individual add-on to determine which forwarder types are supported.

To install an add-on to a universal or light forwarder manually:

  1. Download the add-on from Splunkbase, then unpack the .tgz package.
  2. Place the resulting Splunk_TA_<add-on_name> folder in the $SPLUNK_HOME/etc/apps directory on your forwarder.
  3. Restart the forwarder.

Use a deployment server to install add-ons

You can use a deployment server to install an add-on to your forwarders only if the add-on supports deployment servers. Check the installation instructions for each individual add-on to verify whether deployment servers are supported for forwarders. See Special considerations for using a deployment server to install an add-on for more details.

For more information about using a deployment server, see About deployment server and forwarder management in the Splunk Enterprise documentation.

Heavy forwarders

You can use a deployment server to install an add-on to your forwarders only if the add-on supports deployment servers. Check the installation instructions for each individual add-on to verify whether deployment servers are supported for forwarders. See Special considerations for using a deployment server to install an add-on for more details.

To install an add-on to a heavy forwarder manually:

  1. Download the add-on from Splunk Apps.
  2. From the Splunk Web home screen on your heavy forwarder, click the gear icon next to Apps.
  3. Click Install app from file.
  4. Locate the downloaded file and click Upload.
  5. If the forwarder prompts you to restart, do so.
  6. Verify that the add-on appears in the list of apps and add-ons. You can also find it on the server at $SPLUNK_HOME/etc/apps/<Name_of_add-on>.
Last modified on 17 October, 2023
PREVIOUS
Install an add-on in a single-instance Splunk Enterprise deployment
  NEXT
Install an add-on in Splunk Cloud Platform

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters