
The Add-Ons

mohsplunking
Path Finder

Hello Splunkers,

I have an Architecture related question if someone can help with it please.

My architecture is like: Log Source (Linux Server) > Heavy Forwarder > Indexer

Let's say I'm onboarding a new log source. When I'm installing a UF on my Linux server, it connects back to my Deployment Server and gets the app (Linux TA) and the output.conf app, which is basically my Heavy Forwarder details. Now my question is: do I need to have the same Linux_TA installed on my Heavy Forwarder and Indexer too? Or, as long as this TA is on the log source, is it sufficient?

Hope I have explained well.

Thanks for looking into this and I greatly appreciate your input.

regards,

Moh. 

 

0 Karma

PickleRick
SplunkTrust

Adding to what @gcusello and @richgalloway already said, if it's a standard Splunk-supported app (I suppose by TA_Linux you mean the TA_nix but I can't be 100% sure), it will have its own docs page saying on which components it should/can be installed.

If it's a third-party supplied, independently written app, it might have such a doc page as well.

Generally speaking, Splunk apps contain settings which can be active on various components (either in search-time or in index-time) but if an app is properly written (and as far as I remember, there are checks which make sure that you can upload to Splunkbase a badly written app; at least badly written in this context), you can typically deploy your app on all tiers and each tier will only "use" the part of the app which applies to said tier.

So your app may contain:

1) Input/output definitions - in a Splunkbase-supplied app they will be set as disabled by default; you have to explicitly enable them, so if you just deploy an app with disabled inputs, they won't do anything anywhere. Of course, if you're deploying your own custom app with enabled inputs or outputs, they will try to do their job wherever they are deployed

2) Index-time props/transforms settings - they will be active either on the initial forwarder (if applicable - like EVENT_BREAKER settings) or on the first "heavy" (based on full Splunk Enterprise installation) component in event's path (except ingest-actions; they will be performed after the initial parsing as well but that's a story for another day ;-)). Splunk will happily ignore them in search-time

3) search-time props/transforms settings - they will be active only on search-heads. You can safely deploy them to components active during ingestion phase (HFs and indexers) and they will simply be ignored in ingestion pipeline

 

0 Karma
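The split described in the reply above can be checked against a TA's `props.conf` before deciding where to deploy it. The following is an added example, not part of any reply in this thread or of any Splunk add-on: it buckets settings by the tier where they take effect and maps them onto the UF > HF > Indexer path from the question. The setting names are real `props.conf` keys (a subset only); the stanza, transform name, values and the `classify`/`placement` helpers are constructed for illustration.

```python
import re

# Real props.conf setting names, grouped by where Splunk applies them.
# This is a subset, not exhaustive; unknown keys land in "unclassified".
RULES = [
    ("initial_forwarder", re.compile(r"^EVENT_BREAKER(_ENABLE)?$")),
    ("first_heavy", re.compile(
        r"^(LINE_BREAKER|SHOULD_LINEMERGE|TRUNCATE|TZ|TIME_PREFIX|TIME_FORMAT|"
        r"MAX_TIMESTAMP_LOOKAHEAD|TRANSFORMS-.+|SEDCMD-.+)$")),
    ("search_head", re.compile(
        r"^(KV_MODE|(EXTRACT|REPORT|FIELDALIAS|EVAL|LOOKUP)-.+)$")),
]

# Constructed sample stanza; sourcetype, transform name and regexes are made up.
SAMPLE_PROPS = r"""
[constructed:linux:auth]
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)
LINE_BREAKER = ([\r\n]+)
TIME_FORMAT = %b %d %H:%M:%S
TRANSFORMS-drop_debug = constructed_drop_debug
EXTRACT-user = user=(?<user>\S+)
FIELDALIAS-src = src_ip AS src
"""

def classify(props_text):
    """Return {phase: [(stanza, key), ...]} for every setting in props_text."""
    phases = {name: [] for name, _ in RULES}
    phases["unclassified"] = []
    stanza = "default"
    for line in (l.strip() for l in props_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key = line.split("=", 1)[0].strip()
        phase = next((n for n, rx in RULES if rx.match(key)), "unclassified")
        phases[phase].append((stanza, key))
    return phases

def placement(props_text, path=("uf", "hf", "indexer")):
    """Map phases onto a path assumed to start with a universal forwarder."""
    phases = classify(props_text)
    first_heavy = next(c for c in path if c != "uf")  # first full Splunk instance
    return {path[0]: phases["initial_forwarder"],
            first_heavy: phases["first_heavy"],
            "search_head": phases["search_head"],
            "unclassified": phases["unclassified"]}

if __name__ == "__main__":
    for component, settings in placement(SAMPLE_PROPS).items():
        print(component, [key for _, key in settings])
```

With the default path, nothing is assigned to the indexer because the heavy forwarder has already parsed the events.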

gcusello
SplunkTrust

Hi @mohsplunking ,

as @richgalloway said, you should install the Add-On also on the HF because the parsing is done on it.

The installation on the Indexer depends on your architecture:

  • If you also have one or more Search Heads, you don't need to install the Add-On on the Indexers, but you must install it on the SHs.
  • If instead your Indexer is a Stand Alone server (in other words it's an Indexer and a Search Head), you have to install the Add-On on the Indexer.

Ciao.

Giuseppe

0 Karma

richgalloway
SplunkTrust

It depends on the results you want.  If you expect the TA to extract fields for you then it must be installed on the HF.  If you don't care about field extractions then just install the TA on the UF.

Either way, the TA does not need to be installed on the indexer.

---
If this reply helps you, Karma would be appreciated.
0 Karma