Related Answers
Download topic as PDF
Deploy the Splunk Add-on for CEF Output to indexers
Use the following tables to determine where and how to install this add-on in a Splunk platform deployment, then follow the instructions to install the add-on.
Prerequisite: Follow the procedure in Define CEF mappings and output groups with the Splunk App for CEF to produce and download the Splunk Add-on for CEF Output.
Plan your installation
Where to install the add-on
Use the following table to determine where to install this Splunk Add-on for CEF Output in a Splunk platform distributed deployment. This add-on is not included in your initial download of the Splunk App for CEF. Instead, the Splunk App for CEF creates the add-on for you after you map your data and define your output groups.
| Splunk instance type | Install here? | Comments |
|---|---|---|
| Search Heads | No | The add-on should be installed on indexers only. |
| Indexers | Yes | Install this add-on on your indexers. |
| Forwarders | No | The add-on does not contain inputs for forwarder data collection. |
Distributed deployment feature compatibility
Use the following table to check the compatibility of the app and add-on with Splunk platform distributed deployment features.
| Distributed deployment feature | Supported | Comments |
|---|---|---|
| Search Head Clusters | Yes | The Splunk Add-on for CEF Output is supported in environments with search head clusters, but you do not need to install the Splunk Add-on for CEF Output to search heads. |
| Indexer Clusters | Yes | Use the master node to deploy the Splunk Add-on for CEF Output to the peer nodes. See Manage app deployment across all peers in Managing Indexers and Clusters of Indexers. |
| Deployment Server | Yes | The add-on can be installed to unclustered indexers using the deployment server. |
Install the add-on
After you complete the steps in Define CEF mappings and output groups with the Splunk App for CEF, the app creates the Splunk Add-on for CEF Output that you can download. Save the downloaded .spl file to an accessible location, and install it using your preferred method.
The following installation options are for Splunk Enterprise only.
- If you want to use the deployment server to distribute the package to multiple indexers, see Deploy apps to clients in Updating Splunk Enterprise Instances.
- If you have an indexer cluster, use a master node to deploy it to peer nodes. See Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.
- If you want to install the file directly, use the following procedure.
- Log in to your indexer.
- From the Splunk Web home view, click the gear icon next to Apps.
- Click Install App from file.
- On the Upload app page, click Choose file and navigate to the add-on file.
- Click Upload.
- Click Done.
- Repeat these steps for each indexer.
If, at any time, you change the output groups used for any enabled search, you must download the Splunk Add-on for CEF Output again and redeploy it to your indexers. Making any other changes to the CEF searches does not require redeployment of the add-on.
|
PREVIOUS Define CEF mappings and output groups with the Splunk App for CEF |
NEXT Troubleshoot the Splunk App for CEF |
This documentation applies to the following versions of Splunk® App for CEF: 2.1.0, 2.2.0, 2.3.0
Feedback submitted, thanks!