All Apps and Add-ons

Using and configuring Add-ons

wemb
Explorer

So, I'm looking at deploying the Splunk *nix Add-on to allow us to gather some data from some linux servers.

I don't wan't the incoming data to end up in the default index, so I've created a new index on our Index cluster, and I've added a new local/inputs.conf to override the Add-on's default input.conf. This has been deployed to a server I'm monitoring and everything is working fine.

However, I'm a it confused as to what I need to do with the instance of the add-on that 's supposed to be installed on the search head and indexers. I don't need these to input any data at all (at least, not from the splunk servers they're sitting on). The documentation says I do need these to run on the indexers as I'm using a universal forwarder and not a heavy forwarder - though I'm not sure why.

Do I need to do anything about the inputs.conf? I don't want the instance on the indexers or search head to index the splunk servers. Do I need to apply the add-on as is? The Add-on with my custom inputs.conf, or in someway otherwise alter it? The documentation doesn't seem to mention anything along these lines.

Thanks
Dave

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Install the add-on in all three places, however inputs.conf should be inactive on the indexers and search heads. You can do that by using local/inputs.conf to disable all inputs not disabled by default or by removing default/inputs.conf.
The add-on is needed on the indexers so they know how to parse the data and extract any index-time fields.
The add-on is needed on the search heads to extract search-time fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...