App deployment overview
This topic provides an overview of the methods you can use to deploy Splunk apps and add-ons in common Splunk software environments.
For more detailed app and add-on deployment information, see your specific Splunk app documentation, or see Where to install Splunk add-ons in the Splunk Add-ons manual.
You must have an existing Splunk platform deployment on which to install Splunk apps and add-ons.
There are several ways to deploy apps and add-ons to the Splunk platform. The correct deployment method to use depends on the following characteristics of your specific Splunk software deployment:
- Deployment architecture (single-instance or distributed)
- Cluster types (search head clusters and/or indexer clusters)
- Location (customer-managed Splunk Enterprise or hosted Splunk Cloud Platform)
Guided Data Onboarding
Guided Data Onboarding (GDO) provides end-to-end guidance for getting specific data sources into specific Splunk platform deployments. You must have a Splunk deployment up and running and if you have an admin or equivalent role so that you can install add-ons.
From your home page in Splunk Web, find the data onboarding guides by clicking Add Data. You can either search for a data source or explore different categories of data sources. After you select your data source, you select a deployment scenario. From there you can view diagrams and high-level steps to set up and to configure your data source.
Splunk Web links to documentation that explains how to set up and configure your data source in greater detail. You can find all the Guided Data Onboarding manuals by clicking the Add data tab on the Splunk Enterprise Documentation site.
There are two basic Splunk Enterprise deployment architectures:
- Single-instance deployment: In a single-instance deployment, one Splunk Enterprise instance acts as both search head and indexer.
- Distributed deployment: A distributed deployment can include multiple Splunk Enterprise components, including search heads, indexers, and forwarders. See Scale your deployment with Splunk Enterprise components in the Distributed Deployment Manual. A distributed deployment can also include standard individual components and/or clustered components, including search head clusters, indexer clusters, and multi-site clusters. See Distributed Splunk Enterprise overview in the Distributed Deployment Manual.
To deploy an app on a single instance, download the app from Splunkbase to your local host, then install the app using Splunk Web.
Some apps currently do not support installation through Splunk Web. Make sure to check the installation instructions for your specific app prior to installation.
You can deploy apps in a distributed environment using the following methods:
- Install apps manually on each component using Splunk Web, or install apps manually from the command line.
- Install apps using the deployment server. The deployment server automatically distributes new apps, app updates, and certain configuration updates to search heads, indexers, and forwarders. See About deployment server and forwarder management in Updating Splunk Enterprise Instances.
Alternately, you can deploy apps using a third-party configuration management tool, such as:
- Windows configuration tools
For the most part, you must install Splunk apps on search heads, indexers, and forwarders. To determine the Splunk Enterprise components on which you must install the app, see the installation instructions for the specific app.
Deploy apps to clusters
Splunk distributed deployments can include these cluster types:
You deploy apps to both indexer and search head cluster members using the configuration bundle method.
Search head clusters
To deploy apps to a search head cluster, you must use the deployer. The deployer is a Splunk Enterprise instance that distributes apps and configuration updates to search head cluster members. The deployer cannot be a search head cluster member and must exist outside the search head cluster. See Use the deployer to distribute apps and configuration updates in the Distributed Search manual.
Caution: Do not deploy a configuration bundle to a search head cluster from any instance other then the deployer. If you run the
apply shcluster-bundle command on a non-deployer instance, such as a cluster member, the command deletes all existing apps and user-generated content on all search head cluster members!
To deploy apps to peer nodes (indexers) in an indexer cluster, you must first place the apps in the proper location on the indexer cluster manager node, then use the configuration bundle method to distribute the apps to peer nodes. You can apply the configuration bundle to peer nodes using Splunk Web or the CLI. For more information, see Update common peer configurations and apps in Managing Indexers and Clusters of Indexers.
While you cannot use the deployment server to deploy apps to peer nodes, you can use it to distribute apps to the indexer cluster manager node. For more information, see Use deployment server to distribute apps to the manager node in Managing Indexers and Clusters of Indexers.
Deploy apps to Splunk Cloud Platform
If you want to deploy an app or add-on to Splunk Cloud Platform, see Install apps in your Splunk Cloud Platform deployment.
Where to get more apps and add-ons
App architecture and object ownership
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4
Feedback submitted, thanks!