If developing a new Splunk application, should we prefer creating two separate components, i.e. app and addon or a single bundle? What are the pros and cons? What is the recommended way?
Apps are normally for GUI stuff / search heads (dashboards, lookups, etc...)
Add-ons are for knowledge objects, props, transforms, inputs, etc...
If you were to create an add-on that only made a sourcetype CIM compliant, there would be no need for a GUI and, therefore, putting it all in one add-on would be best.
If you wanted to include dashboards, putting the dashboards in an app, and the props/transforms in an add-on, would be best. The admins wouldn't have to install the GUI configs on the indexers, and you could update the two independently.