Case:
Splunk Enterprise server version 6.1
Let's say I have around 100 production servers with Universal Forwarders installed and I intend to forward the performance logs from these servers to my Splunk server. My query is: can I install the apps (say, the Splunk App for Windows or any other) available on Splunkbase on these 100 servers to collect and forward the logs to the Splunk server?
Hi,
The Splunk App for Windows (now called the Splunk App for Windows Infrastructure) or the Splunk App for Unix contains so-called technical add-ons. You can deploy these on your 100 forwarders, for example with the deployment server, and use them on the forwarders. The rest of the app must be installed on the search heads.
You can also use other apps with the universal forwarders, but most of the time you only need the inputs on the universal forwarder; the rest is done by the indexer or the search head.
Here is a nice overview of where you have to install the components of the splunk app for windows infrastructure:
Greetings
Tom
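Added example, not part of the original answer: a sketch of the deployment-server setup described above, pushing only the technical add-on to the Windows forwarders. The host pattern `prodwin*`, the server name `deploy.example.com`, the index name `perfmon`, and the add-on directory name `Splunk_TA_windows` are assumptions for illustration.

```ini
# --- On the deployment server ---
# Add-on copied to: $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_windows
# File: $SPLUNK_HOME/etc/system/local/serverclass.conf

[serverClass:windows_forwarders]
# Hypothetical host naming scheme for the 100 production servers
whitelist.0 = prodwin*
# Only Windows clients receive this class
machineTypesFilter = windows-*

[serverClass:windows_forwarders:app:Splunk_TA_windows]
# Restart the forwarder after the add-on is installed or updated
restartSplunkd = true
stateOnClient = enabled

# --- On each universal forwarder ---
# File: $SPLUNK_HOME/etc/system/local/deploymentclient.conf

[deployment-client]

[target-broker:deploymentServer]
# Management port of the deployment server (assumed hostname)
targetUri = deploy.example.com:8089

# --- Inside the add-on, as delivered to the forwarder ---
# File: Splunk_TA_windows/local/inputs.conf
# Constructed performance input; the add-on ships its own defaults,
# and this local override enables one counter set.

[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = _Total
interval = 10
index = perfmon
disabled = 0
```

The dashboards, saved searches and other search-time parts of the full app are not listed here because they go on the search heads, not on the forwarders.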
Thanks, Tom, for the reply.
So I understand that if I have a distributed Splunk installation set up with a deployment server, indexers, search head servers and UFs on the servers which I intend to monitor, I will have to install add-on apps on the forwarders that give me ready-made inputs.conf files with the appropriate configuration stanzas, and the complete app on the search head servers?
Say, for example, there's an app for Enterprise Security on Splunkbase and I read on the website that it needs Splunk Enterprise and on top of it this app has to be installed. In the case where I have the 100 servers with Universal Forwarders, will I have to search for an add-on app for Enterprise Security?
Hi,
The first part of your comment is right. But there are of course apps that do not need add-ons; it always depends on the app itself and the purpose of the app. There are also apps that only provide new visualizations for dashboards. But overall you are right.
For the second part of your comment:
The Splunk App for Enterprise Security is quite a complex app. But overall it works the same way. There are add-ons that you can install on your forwarders. You don't have to search that much for the add-ons on the Splunkbase website. Typically the add-ons are shipped with the app itself or they are mentioned in the documentation of the app. For example, the add-ons for the Enterprise Security app are listed here:
http://docs.splunk.com/Documentation/ES/latest/Install/InstallTechnologyAdd-ons
Greetings
Tom
Thanks Tom. Your reply was very helpful and it cleared my doubts.