Splunk® Supported Add-ons

Splunk Add-ons

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Install an add-on in Splunk Cloud Platform

To install add-ons for use with your Splunk Cloud Platform instance, your procedure varies depending on three questions:

  • Is your Splunk Cloud Platform deployment paid or a free trial?

If you aren't sure, see Splunk Cloud Platform deployment types in the Splunk Cloud Platform Admin Manual.

  • Does the add-on need to be installed on an Inputs Data Manager (IDM)?

Splunk Cloud Platform deployments on Victoria Experience do not require IDM. If your deployment is on Victoria Experience you can run add-ons that contain scripted and modular inputs directly on the search head. To determine if your deployment has the Classic or Victoria experience, see Determine your Splunk Cloud Platform Experience.

For the Classic experience, any add-on that requires ingestion on the search tier is disallowed in Splunk Cloud Platform, so you need to use IDM or a heavy forwarder to achieve this. As a best practice, cloud-based add-ons should be installed on an IDM, and on-premises-based add-ons should be installed on a forwarder or heavy forwarder. The IDM is a hosted solution for Splunk Cloud Platform for scripted and modular inputs. In a majority of cases, an IDM will obviate the need for customer-managed infrastructure. However, note that an IDM is not a one-to-one replacement for a heavy forwarder. You still need to use a heavy forwarder if you need to perform parsing or activities other than standard scripted and modular data inputs. Note: If the add-on is tightly integrated with an Enterprise Security search head, you should not use IDM. For more information about IDMs, see See Work with Inputs Data Manager in the Splunk Cloud Platform Admin Manual.

  • Does the add-on need to be installed on a forwarder in addition to your Splunk Cloud Platform instance?

Some add-ons require that you install them on a forwarder for data collection. Some add-ons even require specific types of forwarders. Most add-ons also need to be installed on your Splunk Cloud Platform instance to enable their index- and search-time capabilities. Check the documentation for the add-on that you want to use for details.

Determine the answers to those questions, then follow the instructions in the sections below that apply to you.

  1. Consult the add-on documentation to determine if your add-on should be installed on search heads. If your deployment is on the Victoria Experience, you can run add-ons that contain scripted and modular inputs directly on the search head.
  2. If the add-on does need to be installed on search heads, install it on your Splunk Cloud Platform instance. See Install apps in your Splunk Cloud Platform deployment in the Splunk Cloud Platform Admin Manual.
  3. Turn visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node.
  4. Consult the add-on documentation to determine if your add-on requires a forwarder for data collection, and if so, what type of forwarders are supported.
  5. If the add-on supports universal forwarders but also needs to be installed on indexers in that case, contact Splunk Support to verify that the add-on is installed on your cloud indexers, or use a heavy forwarder instead.
  6. If forwarders are required, see Install add-ons to forwarders to get data into Splunk Cloud Platform in this topic.

Free trial Splunk Cloud Platform deployments

You can install add-ons to your free trial instance of Splunk Cloud Platform using the app browser in Splunk Cloud Platform.

  1. From the Splunk Web home screen, click on the gear icon next to Apps in the left navigation bar.
  2. Click Browse more apps.
  3. Find the app or add-on that you want to install, then click Install.
  4. Follow the on-screen prompts to complete your installation.
  5. Consult the add-on documentation to determine if your add-on requires a forwarder for data collection, and if so, what type of forwarders are supported.
  6. If forwarders are required, see Install add-ons to forwarders to get data into Splunk Cloud in this topic.

Install add-ons to an IDM to get data into Splunk Cloud Platform

Splunk Cloud Platform deployments on the Victoria Experience do not require IDM. If an IDM is required to get data in, you will need to request the add-on installation from Splunk Cloud Platform Support. You will also need to request that Splunk Cloud Platform Support installs the add-on on your Splunk Cloud Platform instance.

Install add-ons to forwarders to get data into Splunk Cloud Platform

If a forwarder is required to get data in, install and configure a forwarder on a server under your control, then install your add-on on that forwarder. Follow the directions for the forwarder type required by the add-on you are installing.

Install an add-on on a universal forwarder

Install and configure a universal forwarder to send data to your Splunk Cloud Platform instance, then install the add-on on that forwarder.

  1. See Work with forwarders in the Splunk Cloud Platform Admin Manual for complete directions on installing a universal forwarder and configuring the credentials to connect your forwarder to your Splunk Cloud Platform instance.
  2. See Install an add-on in a distributed Splunk Enterprise deployment in this manual and follow the directions to install your add-on on the universal forwarder.

Install an add-on on a heavy forwarder

Install and configure a heavy forwarder to send data to your Splunk Cloud Platform instance, then install the add-on on that forwarder.

  1. Install a full Splunk platform instance on a server under your control.
  2. Configure it as a heavy forwarder. See Set up forwarding in the Splunk Enterprise Forwarding Data manual.
  3. Download and install the forwarder credentials to connect your forwarder to your Splunk Cloud Platform instance.

    Although the credentials package that you download and install is called "Universal Forwarder Credentials", these credentials do not apply only to universal forwarders. Apply these credentials to forwarders of any type that you need to connect to your Splunk Cloud Platform instance.

    • If your forwarder is installed on a Linux server, see Get *nix data into Splunk Cloud Platform in the Splunk Cloud Platform Admin Guide and scroll down to Step 3: Download the credentials file and install it on your Universal Forwarder.
    • If your forwarder is installed on a Windows server, see Get Windows Data into Splunk Cloud Platform in the Splunk Cloud Platform Admin Guide and scroll down to Step 6: Install the Splunk Universal Forwarder on your Windows Servers.
  4. See Install an add-on in a distributed Splunk Enterprise deployment in this manual and follow the directions to install your add-on on the heavy forwarder.
Last modified on 23 November, 2022
PREVIOUS
Install an add-on in a distributed Splunk Enterprise deployment
  NEXT
Install an add-on in Splunk Light (Legacy)

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters