Splunk® Enterprise

Admin Manual

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

App deployment overview

This topic provides an overview of the methods you can use to deploy Splunk apps and add-ons in common Splunk software environments.

For more detailed app and add-on deployment information, see your specific Splunk app documentation, or see Where to install Splunk add-ons in the Splunk Add-ons manual.

Prerequisites

You must have an existing Splunk platform deployment on which to install Splunk apps and add-ons.

Deployment methods

There are several ways to deploy apps and add-ons to the Splunk platform. The correct deployment method to use depends on the following characteristics of your specific Splunk software deployment:

  • Deployment architecture (single-instance or distributed)
  • Cluster types (search head clusters and/or indexer clusters)
  • Location (on-premise or in Splunk Cloud)

Guided Data Onboarding

Guided Data Onboarding (GDO) provides end-to-end guidance for getting specific data sources into specific Splunk platform deployments. You must have a Splunk deployment up and running, and you must have an admin or equivalent role so that you can install add-ons.

From your home page in Splunk Web, find the data onboarding guides by clicking Add Data. You can either search for a data source or explore different categories of data sources. After you select your data source, you select a deployment scenario. From there you can view diagrams and high-level steps to set up and to configure your data source.

Splunk Web links to documentation that explains how to set up and configure your data source in greater detail. You can find all the Guided Data Onboarding manuals by clicking the Add data tab on the Splunk Enterprise Documentation site.

Deployment architectures

There are two basic Splunk Enterprise deployment architectures:

  • Single-instance deployment: In a single-instance deployment, one Splunk Enterprise instance acts as both search head and indexer.
  • Distributed deployment: A distributed deployment can include multiple Splunk Enterprise components, including search heads, indexers, and forwarders. See Scale your deployment with Splunk Enterprise components in the Distributed Deployment Manual. A distributed deployment can also include standard individual components and/or clustered components, including search head clusters, indexer clusters, and multi-site clusters. See Distributed Splunk Enterprise overview in the Distributed Deployment Manual.

Single-instance deployment

To deploy an app on a single instance, download the app from Splunkbase to your local host, then install the app using Splunk Web.

Some apps currently do not support installation through Splunk Web. Make sure to check the installation instructions for your specific app prior to installation.

Distributed deployment

You can deploy apps in a distributed environment using the following methods:

  • Install apps manually on each component using Splunk Web, or install apps manually from the command line.

Alternatively, you can deploy apps using a third-party configuration management tool, such as:

  • Chef
  • Puppet
  • Salt
  • Windows configuration tools

For the most part, you must install Splunk apps on search heads, indexers, and forwarders. To determine the Splunk Enterprise components on which you must install the app, see the installation instructions for the specific app.

Deploy apps to clusters

Splunk distributed deployments can include these cluster types:

  • Search head clusters
  • Indexer clusters

You deploy apps to both indexer and search head cluster members using the configuration bundle method.

Search head clusters

To deploy apps to a search head cluster, you must use the deployer. The deployer is a Splunk Enterprise instance that distributes apps and configuration updates to search head cluster members. The deployer cannot be a search head cluster member and must exist outside the search head cluster. See Use the deployer to distribute apps and configuration updates in the Distributed Search manual.

Caution: Do not deploy a configuration bundle to a search head cluster from any instance other than the deployer. If you run the apply shcluster-bundle command on a non-deployer instance, such as a cluster member, the command deletes all existing apps and user-generated content on all search head cluster members!
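
One way to enforce this caution is a preflight check that runs before any bundle push. The script below is an added example, not Splunk's own tooling. It assumes that a cluster member's server.conf sets mgmt_uri or conf_deploy_fetch_url under [shclustering] and that a deployer's does not; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to push a bundle from a search head cluster member.
# Assumption: members set mgmt_uri / conf_deploy_fetch_url under [shclustering]
# in server.conf; a deployer's [shclustering] stanza sets neither.

# Print the value of key $2 in the [shclustering] stanza of file $1 (empty if unset).
shc_setting() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_shc = ($0 ~ /^[ \t]*\[shclustering\][ \t]*$/); next }
        in_shc {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Return 0 only when file $1 is readable and shows no member-only settings.
# Fails closed: an unreadable file counts as "do not push".
safe_to_push() {
    if [ ! -r "$1" ]; then
        echo "REFUSE: cannot read $1" >&2
        return 1
    fi
    for key in mgmt_uri conf_deploy_fetch_url; do
        if [ -n "$(shc_setting "$1" "$key")" ]; then
            echo "REFUSE: [shclustering] $key is set; instance looks like a cluster member" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample configs (not taken from a real deployment).
demo_dir=$(mktemp -d)
printf '%s\n' '[general]' 'serverName = deployer01' '' '[shclustering]' \
    'pass4SymmKey = constructed-sample' 'shcluster_label = shc1' > "$demo_dir/deployer.conf"
printf '%s\n' '[shclustering]' 'disabled = 0' 'mgmt_uri = https://sh1.example.com:8089' \
    'conf_deploy_fetch_url = https://deployer.example.com:8089' '' \
    '[replication_port://34567]' > "$demo_dir/member.conf"

for role in deployer member; do
    if safe_to_push "$demo_dir/$role.conf"; then
        echo "$role: ok to run apply shcluster-bundle"
    else
        echo "$role: blocked"
    fi
done
```

Because Splunk merges server.conf from several directories, run the check against the merged settings (for example, the saved output of `splunk cmd btool server list shclustering`) rather than a single file.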

Indexer clusters

To deploy apps to peer nodes (indexers) in an indexer cluster, you must first place the apps in the proper location on the indexer cluster master, then use the configuration bundle method to distribute the apps to peer nodes. You can apply the configuration bundle to peer nodes using Splunk Web or the CLI. For more information, see Update common peer configurations and apps in Managing Indexers and Clusters of Indexers.

While you cannot use the deployment server to deploy apps to peer nodes, you can use it to distribute apps to the indexer cluster master. For more information, see Use deployment server to distribute apps to the master in Managing Indexers and Clusters of Indexers.

Deploy apps to Splunk Cloud

If you want to deploy an app or add-on to Splunk Cloud, see Install apps in your Splunk Cloud deployment.

Last modified on 27 April, 2021

This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

