Splunk® App for CEF

Deploy and Use Splunk App for CEF

Deploy the Splunk Add-on for CEF Output to indexers

Use the following tables to determine where and how to install this add-on in a Splunk platform deployment, then follow the instructions to install the add-on.

Prerequisite: Follow the procedure in Define CEF mappings and output groups with the Splunk App for CEF to produce and download the Splunk Add-on for CEF Output.

Plan your installation

Where to install the add-on

Use the following table to determine where to install the Splunk Add-on for CEF Output in a Splunk platform distributed deployment. This add-on is not included in your initial download of the Splunk App for CEF. Instead, the Splunk App for CEF creates the add-on for you after you map your data and define your output groups.

Splunk instance type   Install here?   Comments
Search Heads           No              The add-on should be installed on indexers only.
Indexers               Yes             Install this add-on on your indexers.
Forwarders             No              The add-on does not contain inputs for forwarder data collection.

Distributed deployment feature compatibility

Use the following table to check the compatibility of the app and add-on with Splunk platform distributed deployment features.

Distributed deployment feature   Supported   Comments
Search Head Clusters             Yes         The Splunk Add-on for CEF Output is supported in environments with search head clusters, but you do not need to install the Splunk Add-on for CEF Output on search heads.
Indexer Clusters                 Yes         Use the master node to deploy the Splunk Add-on for CEF Output to the peer nodes. See Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.
Deployment Server                Yes         The add-on can be installed on unclustered indexers using the deployment server.

Install the add-on

After you complete the steps in Define CEF mappings and output groups with the Splunk App for CEF, the app creates the Splunk Add-on for CEF Output that you can download. Save the downloaded .spl file to an accessible location, and install it using your preferred method.

The following installation options are for Splunk Enterprise only.

  • If you want to use the deployment server to distribute the package to multiple indexers, see Deploy apps to clients in Updating Splunk Enterprise Instances.
  • If you want to install the file directly, use the following procedure.
  1. Log in to your indexer.
  2. From the Splunk Web home view, click the gear icon next to Apps.
  3. Click Install App from file.
  4. On the Upload app page, click Choose file and navigate to the add-on file.
  5. Click Upload.
  6. Click Done.
  7. Repeat these steps for each indexer.

If, at any time, you change the output groups used for any enabled search, you must download the Splunk Add-on for CEF Output again and redeploy it to your indexers. Making any other changes to the CEF searches does not require redeployment of the add-on.
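As an added example that is not part of the Splunk documentation or of the app's own code, the following POSIX shell script checks the downloaded .spl package before it is copied to every indexer and installs it from the command line instead of through Splunk Web. The package name Splunk_TA_cef_output.spl, the /opt/splunk install path, the SPLUNK_AUTH and INDEXERS environment variables and the sample outputs.conf the self-test builds are assumptions; splunk install app and splunk apply cluster-bundle are real Splunk CLI commands.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation): pre-flight check of the downloaded
# Splunk Add-on for CEF Output package, then a CLI install on each indexer as an
# alternative to the Splunk Web upload. Assumptions not stated on the page: the package
# is named Splunk_TA_cef_output.spl, Splunk Enterprise lives in /opt/splunk, and the
# indexers are reachable over SSH.
set -eu

SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}

# A .spl file is a gzipped tar archive containing one app directory. Before pushing it
# to every indexer, list the archive and reject members with absolute paths or ".."
# components, which would be unpacked outside $SPLUNK_HOME/etc/apps. On success, print
# the app directory name. Exit 2 = unsafe path, exit 3 = not exactly one top-level dir.
spl_check() {
    tar -tzf "$1" | awk '
        /^\// || /(^|\/)\.\.(\/|$)/ { bad = 1 }
        { split($0, p, "/"); tops[p[1]] = 1 }
        END {
            if (bad) exit 2
            n = 0; for (t in tops) { n++; top = t }
            if (n != 1) exit 3
            print top
        }'
}

# Digest of the package. Record it at download time: after you change an output group
# and download the add-on again, a different digest on an indexer identifies one that
# still carries the stale package.
spl_sha256() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Unclustered indexer: copy the package over, install it with the splunk CLI and restart
# so the new app's configuration is loaded. SPLUNK_AUTH must hold "user:password".
spl_install_indexer() {
    host=$1; pkg=$2
    remote=/tmp/$(basename "$pkg")
    scp "$pkg" "$host:$remote"
    ssh "$host" "$SPLUNK_HOME/bin/splunk install app '$remote' -auth '${SPLUNK_AUTH:?set to user:password}' \
        && $SPLUNK_HOME/bin/splunk restart"
}

# Indexer cluster: stage the app in the master node's master-apps directory and push the
# configuration bundle to the peers, the mechanism the compatibility table refers to.
spl_install_cluster() {
    master=$1; pkg=$2
    remote=/tmp/$(basename "$pkg")
    scp "$pkg" "$master:$remote"
    ssh "$master" "tar -xzf '$remote' -C $SPLUNK_HOME/etc/master-apps \
        && $SPLUNK_HOME/bin/splunk apply cluster-bundle -auth '${SPLUNK_AUTH:?set to user:password}'"
}

# Driver: only runs when a package path is given on the command line.
if [ "${1:-}" ]; then
    pkg=$1
    app=$(spl_check "$pkg") || { echo "refusing to deploy $pkg: unsafe or malformed archive" >&2; exit 1; }
    echo "package $pkg contains app $app, sha256 $(spl_sha256 "$pkg")"
    for host in ${INDEXERS:-}; do
        spl_install_indexer "$host" "$pkg"
    done
fi
```

Run it as `sh deploy_cef_ta.sh Splunk_TA_cef_output.spl` with INDEXERS set to a space-separated list of unclustered indexers, or call spl_install_cluster with the master node for a clustered deployment. Keep the printed digest with your change record; it is the quickest way to confirm that every indexer received the package you downloaded after the last output-group change.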

Last modified on 17 January, 2019

This documentation applies to the following versions of Splunk® App for CEF: 2.1.0, 2.2.0