Comparison of the Splunk App for Unix and Linux components
This topic describes the difference between the Splunk App, Splunk Add-on, and Supporting Add-on for Unix and Linux.
During the course of the development of the app, Splunk customers asked us for Unix and Linux knowledge and inputs packaged separately from the Splunk Web user interface components that are present in the full app. This request was often made in order to facilitate use on light or universal forwarders, or when the primary use case for Unix and Linux data is to correlate with other data sources in an app other than Splunk for Unix and Linux.
The app, add-on, and supporting add-on share the same common knowledge and input base, and have been put into the same installation package. The add-on also comes in its own installation package.
The following table compares basic features of the app, add-on, and supporting add-on:
Feature | App | Add-on | Supporting Add-on |
---|---|---|---|
Has a user interface for Splunk Web | Yes | Setup only, on full Splunk instances only | No |
Provides reports/saved searches and macros to the app | N/A | No | Yes |
Can be deployed on full Splunk instances | Yes | Yes | Yes (but must be installed with the app to function) |
Can be deployed on light and universal forwarders | No* (The package installs, but does not run) | Yes | No |
Can be installed on Windows Splunk instances | Yes* (All data inputs must be disabled) | Yes, on search heads and indexers only (but all data inputs must be disabled) | Yes* (All data inputs must be disabled) |
Can provide data to other Splunk applications | Yes | Yes | No |
This documentation applies to the following versions of Splunk® App for Unix and Linux (Legacy): 5.0.1, 5.0.2, 5.0.3, 5.1.0