App deployment overview
This topic provides an overview of the methods you can use to deploy Splunk apps and add-ons in common Splunk software environments.
You must have an existing Splunk platform deployment on which to install Splunk apps and add-ons.
There are several ways to deploy apps and add-ons to the Splunk platform. The correct deployment method to use depends on the following characteristics of your specific Splunk software deployment:
- Deployment architecture (single-instance or distributed)
- Cluster types (search head clusters and/or indexer clusters)
- Location (on-premise or in Splunk Cloud)
There are two basic Splunk Enterprise deployment architectures:
- Single-instance deployment: In a single-instance deployment, one Splunk Enterprise instance acts as both search head and indexer.
- Distributed deployment: A distributed deployment can include multiple Splunk Enterprise components, including search heads, indexers, and forwarders. See Scale your deployment with Splunk Enterprise components in the Distributed Deployment Manual. A distributed deployment can also include standard individual components and/or clustered components, including search head clusters, indexer clusters, and multi-site clusters. See Distributed Splunk Enterprise overview in the Distributed Deployment Manual.
Some apps currently do not support installation through Splunk Web. Make sure to check the installation instructions for your specific app prior to installation.
You can deploy apps in a distributed environment using the following methods:
- Install apps manually on each component using Splunk Web, or install apps manually from the command line.
- Install apps using the deployment server. The deployment server automatically distributes new apps, app updates, and certain configuration updates to search heads, indexers, and forwarders. See About deployment server and forwarder management in Updating Splunk Enterprise Instances.
Alternately, you can deploy apps using a third-party configuration management tool, such as:
- Windows configuration tools
For the most part, you must install Splunk apps on search heads, indexers, and forwarders. To determine the Splunk Enterprise components on which you must install the app, see the installation instructions for the specific app.
Deploy apps to clusters
Splunk distributed deployments can include these cluster types:
You deploy apps to both indexer and search head cluster members using the configuration bundle method.
Search head clusters
To deploy apps to a search head cluster, you must use the deployer. The deployer is a Splunk Enterprise instance that distributes apps and configuration updates to search head cluster members. The deployer cannot be a search head cluster member and must exist outside the search head cluster. See Use the deployer to distribute apps and configuration updates in the Distributed Search manual.
Caution: Do not deploy a configuration bundle to a search head cluster from any instance other then the deployer. If you run the
apply shcluster-bundle command on a non-deployer instance, such as a cluster member, the command deletes all existing apps and user-generated content on all search head cluster members!
To deploy apps to peer nodes (indexers) in an indexer cluster, you must first place the apps in the proper location on the indexer cluster master, then use the configuration bundle method to distribute the apps to peer nodes. You can apply the configuration bundle to peer nodes using Splunk Web or the CLI. For more information, see Update common peer configurations and apps in Managing Indexers and Clusters of Indexers.
While you cannot use the deployment server to deploy apps to peer nodes, you can use it to distribute apps to the indexer cluster master. For more information, see Use deployment server to distribute apps to the master in Managing Indexers and Clusters of Indexers.
Deploy apps to Splunk Cloud
If you want to deploy an app or add-on to Splunk Cloud, contact Splunk support for guidance. The support team can deploy the app or add-on on components of the deployment that are not exposed to Splunk Cloud subscribers.
Deploy add-ons to Splunk Light
You can install and enable a limited selection of add-ons to configure new data inputs on your instance of Splunk Light. See Configure an add-on to add data in the Getting Started Manual for Splunk Light.
Where to get more apps and add-ons
App architecture and object ownership
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3