All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using and configuring Add-ons

wemb
Explorer
‎03-30-2020 01:03 PM

So, I'm looking at deploying the Splunk *nix Add-on to allow us to gather some data from some linux servers.

I don't wan't the incoming data to end up in the default index, so I've created a new index on our Index cluster, and I've added a new local/inputs.conf to override the Add-on's default input.conf. This has been deployed to a server I'm monitoring and everything is working fine.

However, I'm a it confused as to what I need to do with the instance of the add-on that 's supposed to be installed on the search head and indexers. I don't need these to input any data at all (at least, not from the splunk servers they're sitting on). The documentation says I do need these to run on the indexers as I'm using a universal forwarder and not a heavy forwarder - though I'm not sure why.

Do I need to do anything about the inputs.conf? I don't want the instance on the indexers or search head to index the splunk servers. Do I need to apply the add-on as is? The Add-on with my custom inputs.conf, or in someway otherwise alter it? The documentation doesn't seem to mention anything along these lines.

Thanks
Dave

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-30-2020 01:31 PM

Install the add-on in all three places, however inputs.conf should be inactive on the indexers and search heads. You can do that by using local/inputs.conf to disable all inputs not disabled by default or by removing default/inputs.conf.
The add-on is needed on the indexers so they know how to parse the data and extract any index-time fields.
The add-on is needed on the search heads to extract search-time fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...