Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

If I need an Add-On like for VMware ESXI Logs, do I install that on the UF or request installation in Splunk Cloud?

skeer007
Explorer
‎08-31-2022 05:55 AM

I have a Universal Forwarder accepting syslog traffic from multiple sources.  The UF forwards up to indexers in Splunk Cloud.
My question is two-fold:   If I need an Add-On like for VMware ESXI Logs. Do I install that on the UF or request installation in Splunk Cloud?

And if the latter, how does my UF know that I can now use any new sourcetypes?  I've read through the installation notes on a few Add-Ons and have not seen mention of how new sourcetypes are used outside of the server or instance the add-on is directly isntalled.

 

Thanks!

Labels (2)
0 Karma
Reply

skeer007
Explorer
‎08-31-2022 06:33 AM

Ok that all makes sense, So knowing what sourcetypes are available from an add-on depends on how well it's documented I guess? 

Hmm, so your comment about UF rarely using add-ons.. I guess that's why I haven't really seen "Forwarders" mentioned often in the details for add-ons. Are TA's usually different? Looking at this one: https://splunkbase.splunk.com/app/3662/ and it specifically mentions forwarders.  

Did I make this harder than it really is?  🙂

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2022 08:07 AM

A well-documented add-on will list the sourcetypes it makes available.  For others, download it and look in the default/props.conf file.

TA and add-on are different terms for the same thing.  TA is short for "technical add-on".

Some add-on do have to be installed on forwarders.  The instructions should say when that's the case, but when an add-on uses a third-party API then it probably should be installed on a forwarder.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2022 06:23 AM

Usually, there's no harm in installing an add-on on a UF, although the UF rarely uses them.  They're more likely to be needed on indexers and search heads, however.  The installation instructions for the add-on should specify where it should be installed.

The UF doesn't know if any particular add-on is installed on the indexers or not.  Don't enable an input that needs an add-on until that add-on is ready.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...