Getting Data In

Does splunk apps available on splunkbase work with splunk universal forwarders?

manmah4u
Explorer

Case:-
Splunk enterprise server version 6.1

Lets say I have around 100 production servers with Universal forwarders installed and I intent to forward the performance logs from these servers to my splunk server. My query is can I install the apps(say splunk app for windows or any other) available on splunkbase on these 100 servers to collect and forward the logs to splunk server?

Tags (1)
0 Karma
1 Solution

tom_frotscher
Builder

Hi,

the splunk app for windows (now called splunk app for windows infrastructure) or the splunk app for unix contains so called technical addons. You can deploy these on your 100 forwarders, for example with the deployment server, and use them on the forwarders. The rest of the app must be installed on the search heads.

you can also use other apps with the universal forwarders, but most of the time you only need the inputs on the universalforwarder, the rest is done by the indexer or the search head.

Here is a nice overview of where you have to install the components of the splunk app for windows infrastructure:

http://docs.splunk.com/Documentation/MSApp/latest/MSInfra/HowtodeploytheSplunkAppforWindowsInfrastru...

Greetings

Tom

View solution in original post

0 Karma

tom_frotscher
Builder

Hi,

the splunk app for windows (now called splunk app for windows infrastructure) or the splunk app for unix contains so called technical addons. You can deploy these on your 100 forwarders, for example with the deployment server, and use them on the forwarders. The rest of the app must be installed on the search heads.

you can also use other apps with the universal forwarders, but most of the time you only need the inputs on the universalforwarder, the rest is done by the indexer or the search head.

Here is a nice overview of where you have to install the components of the splunk app for windows infrastructure:

http://docs.splunk.com/Documentation/MSApp/latest/MSInfra/HowtodeploytheSplunkAppforWindowsInfrastru...

Greetings

Tom

0 Karma

manmah4u
Explorer

Thanks Tom for the Reply.

So I understand that if I have a distributed splunk installation setup with deployment server, indexers,search head servers and UF on the servers which I intent to monitor, I will have to install add-on apps on Forwarders that gives me readymade Inputs.conf files with the appropriate stanzas of configurations and the complete app on searchhead servers?.

Say for example theres an app for enterprise security on splunkbase and I read on website that It needs splunk enterprise and on top of it this app has to be installed. In case where I have the 100 servers with Universal forwarders I will have to search for an add-on app for enterprise security?

0 Karma

tom_frotscher
Builder

Hi,

the first part of your comment is right. But there are of course apps, that do not need add ons, it always depends on the app itself and the purpose of the app. There are also apps that only provides new visualizations for dashboards. But over all you are right.

For the second part of your comment:
The Splunk App for Enterprise Security is a quite complex app. But over all it works the same way. There are add ons that you can install on your forwarders. You dont have to search that much for the add ons on the splunk base website. Typically the add ons are shipped with the app itself or they are mentioned in the documentation of the app. For example the add ons for the enterprise security app are listed here:

http://docs.splunk.com/Documentation/ES/latest/Install/InstallTechnologyAdd-ons

Greetings

Tom

0 Karma

manmah4u
Explorer

Thanks Tom. Your reply was very helpful and it cleared my doubts.

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...