The installation instructions I have read are for standalone. What are the installation instructions for a distributed Splunk Enterprise environment? Does the app need to be installed on search heads, indexers, and/or forwarders?
Yes, in a distributed deployment, you need to stall the Splunk Add-on for Blue Coat ProxySG to your search heads, indexers, and forwarders. If you are using heavy forwarders to collect data with this add-on, the index-time operations occur there, so you do not need to install the add-on to your indexers in this deployment scenario.