Splunk® Supported Add-ons

Splunk Add-ons

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Where to install Splunk add-ons

Best practice

Unless otherwise noted, you can install any add-on to all tiers of your Splunk platform architecture – search tier, indexer tier, forwarder tier – without any negative impact. Splunk recommends installing Splunk-supported add-ons across your entire Splunk platform deployment, then enabling and configuring inputs only where they are required.

For example, if you install an add-on to your indexer tier, but the add-on does not have any index-time functionality, it does no harm to have it there. Add-on packages do not take up significant room on disk, so you can safely install them across your architecture.

Be sure to follow the specific configuration instructions for each individual add-on, and be aware of any limitations regarding using a deployment server.

Advanced information

If you prefer to install add-ons only to the locations they are required, consult the installation instructions for each individual add-on, which indicate where your add-on must be installed in order to work in a distributed architecture. Each add-on differs depending on what it contains, as shown in the diagram below.

  • Add-ons that contain search-time functionality, such as dashboards, prebuilt panels, saved searches, macros, tags, data models, and lookups, need to be installed on your search heads.
  • Add-ons that contain data manipulation functionality, usually in props.conf and transforms.conf files, should be installed on search heads, indexers, and forwarders, because that data manipulation could apply at various phases in the data pipeline: parsing, indexing, or search. Unless you are certain of where the data manipulation functions of the add-on occur, install it across all tiers of your architecture.
  • Add-ons that contain inputs belong on forwarders, and in some select cases also on search heads. Inputs that contain dynamic lookups need to be installed on search heads because they feed results back into the input directly from the search. Consult the documentation of the add-on for special instructions.

Add-on Deployment Guide1.png

For more information about how Splunk software components correlate to phases in the data pipeline, see Configuration parameters and the data pipeline in the Splunk Enterprise documentation.

The remaining sections in this chapter describe how to install an add-on in various deployment scenarios and to specific parts of your architecture.

Last modified on 21 July, 2021
PREVIOUS
About installing Splunk add-ons
  NEXT
Install an add-on in a single-instance Splunk Enterprise deployment

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters