Where to install Splunk add-ons
Unless otherwise noted, you can install any add-on to all tiers of your Splunk platform architecture – search tier, indexer tier, forwarder tier – without any negative impact. Splunk recommends installing Splunk-supported add-ons across your entire Splunk platform deployment, then enabling and configuring inputs only where they are required.
For example, if you install an add-on to your indexer tier, but the add-on does not have any index-time functionality, it does no harm to have it there. Add-on packages do not take up significant room on disk, so you can safely install them across your architecture.
Be sure to follow the specific configuration instructions for each individual add-on, and be aware of any limitations regarding using a deployment server.
If you prefer to install add-ons only to the locations they are required, consult the installation instructions for each individual add-on, which indicate where your add-on must be installed in order to work in a distributed architecture. Each add-on differs depending on what it contains, as shown in the diagram below.
- Add-ons that contain search-time functionality, such as dashboards, prebuilt panels, saved searches, macros, tags, data models, and lookups, need to be installed on your search heads.
- Add-ons that contain data manipulation functionality, usually in
transforms.conffiles, should be installed on search heads, indexers, and forwarders, because that data manipulation could apply at various phases in the data pipeline: parsing, indexing, or search. Unless you are certain of where the data manipulation functions of the add-on occur, install it across all tiers of your architecture.
- Add-ons that contain inputs belong on forwarders, and in some select cases also on search heads. Inputs that contain dynamic lookups need to be installed on search heads because they feed results back into the input directly from the search. Consult the documentation of the add-on for special instructions.
For more information about how Splunk software components correlate to phases in the data pipeline, see Configuration parameters and the data pipeline in the Splunk Enterprise documentation.
The remaining sections in this chapter describe how to install an add-on in various deployment scenarios and to specific parts of your architecture.
About installing Splunk add-ons
Install an add-on in a single-instance Splunk Enterprise deployment
This documentation applies to the following versions of Splunk® Supported Add-ons: released