Splunk® User Behavior Analytics

Send and Receive Data from the Splunk Platform

Deploy the Splunk Add-on for Splunk UBA

Determine where and how to install this add-on in your distributed deployment using the information on this page.

The Splunk Add-on for UBA is not available for download on Splunkbase. The add-on is installed by default with Splunk Enterprise Security (ES). See How do I obtain the Splunk Add-on for Splunk UBA?

Where to install this add-on

Depending on your environment, your preferences, and the requirements of the add-on, you might need to install the add-on in multiple places.

To deploy it alongside Splunk Enterprise Security, see Deploy add-ons to Splunk Enterprise Security in the Splunk Enterprise Security Installation and Upgrade Manual.

| Splunk instance type | Supported | Required | Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | This add-on is installed on the search head when you install Enterprise Security. |
| Indexers | Yes | Yes | This add-on includes two indexes and index-time configurations. |
| Heavy Forwarders | Yes | No | All forwarder types are supported. |
| Universal Forwarders | Yes | No | All forwarder types are supported. |

Distributed deployment feature compatibility

This table describes the compatibility of this add-on with Splunk distributed deployment features.

| Distributed deployment feature | Supported | Details |
|---|---|---|
| Search Head Clusters | Yes | Changes made during setup must be manually deployed. |
| Indexer Clusters | Yes | This add-on contains indexes. |
| Deployment Server | Yes | Supported for deploying the configured add-on to multiple nodes. |

Last modified on 07 December, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.2.0, 5.2.1, 5.3.0, 5.4.0
