Getting Data In

If I need an Add-On like for VMware ESXI Logs, do I install that on the UF or request installation in Splunk Cloud?

skeer007
Explorer

I have a Universal Forwarder accepting syslog traffic from multiple sources. The UF forwards up to indexers in Splunk Cloud.
My question is two-fold: If I need an Add-On like for VMware ESXI Logs, do I install that on the UF or request installation in Splunk Cloud?

And if the latter, how does my UF know that I can now use any new sourcetypes? I've read through the installation notes on a few Add-Ons and have not seen mention of how new sourcetypes are used outside of the server or instance the add-on is directly installed.

Thanks!

0 Karma

skeer007
Explorer

OK, that all makes sense. So knowing what sourcetypes are available from an add-on depends on how well it's documented, I guess?

Hmm, so your comment about UF rarely using add-ons... I guess that's why I haven't really seen "Forwarders" mentioned often in the details for add-ons. Are TAs usually different? Looking at this one: https://splunkbase.splunk.com/app/3662/ and it specifically mentions forwarders.

Did I make this harder than it really is? 🙂

0 Karma

richgalloway
SplunkTrust

A well-documented add-on will list the sourcetypes it makes available.  For others, download it and look in the default/props.conf file.

TA and add-on are different terms for the same thing.  TA is short for "technical add-on".

Some add-ons do have to be installed on forwarders. The instructions should say when that's the case, but when an add-on uses a third-party API then it probably should be installed on a forwarder.

---
If this reply helps you, Karma would be appreciated.
0 Karma
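
One way to do the "look in the default/props.conf file" check from the reply above, as an added example that is not part of the thread or of any add-on. It lists the sourcetype stanzas in a props.conf and any search-time `rename` target; the sample stanza names are constructed, and `sourcetypes_in_addon` assumes the add-on has already been extracted to a directory.

```python
# Added example: list the sourcetypes an add-on's default/props.conf defines.
import re
from pathlib import Path

NON_SOURCETYPE_PREFIXES = ("source::", "host::", "rule::", "delayedrule::")
STANZA = re.compile(r"^\[(.+)\]\s*$")

def list_sourcetypes(props_text):
    """Return {sourcetype: rename target or None} for each sourcetype stanza."""
    found, current = {}, None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            name = m.group(1)
            is_st = name != "default" and not name.startswith(NON_SOURCETYPE_PREFIXES)
            current = name if is_st else None
            if is_st:
                found.setdefault(name, None)
        elif current and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "rename":  # search-time rename of this sourcetype
                found[current] = value
    return found

def sourcetypes_in_addon(addon_dir):
    """Read default/props.conf from an extracted add-on directory (caller's path)."""
    return list_sourcetypes(Path(addon_dir, "default", "props.conf").read_text(encoding="utf-8"))

# Constructed props.conf content; the stanza names are made up for illustration.
SAMPLE_PROPS = """\
[default]
TRUNCATE = 10000

[source::udp:514]
TRANSFORMS-set_st = set_example_sourcetype

[example:esxi:syslog]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S

[example_old_syslog]
rename = example:esxi:syslog
"""

if __name__ == "__main__":
    for st, renamed in sorted(list_sourcetypes(SAMPLE_PROPS).items()):
        print(f"{st} (renamed to {renamed})" if renamed else st)
```

A sourcetype that an add-on assigns only through a transform, with no props.conf stanza of its own, will not appear in this listing.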

richgalloway
SplunkTrust

Usually, there's no harm in installing an add-on on a UF, although the UF rarely uses them.  They're more likely to be needed on indexers and search heads, however.  The installation instructions for the add-on should specify where it should be installed.

The UF doesn't know if any particular add-on is installed on the indexers or not.  Don't enable an input that needs an add-on until that add-on is ready.

---
If this reply helps you, Karma would be appreciated.
0 Karma