Getting Data In

What is the difference between apps, add-ons and TAs and where/when do you use them?


What is the difference between apps, add-ons and TAs? Which ones should be installed on the search heads and which ones on the indexers. Currently, we don't want anything on the lower system since we are only sending log files to the indexers. But it would be nice to have different apps/add-ons to view this data. If you can recommend apps/add-ons for Windows security logs and Linux audit logs that would be great. I would like to set up SOS on the DMC, and if I'm correct, a TA for SOS needs to be installed on the indexers. All the indexers are Linux/Red Hat system that we want to monitor, so help on this would be great.


Splunk Employee
Splunk Employee

If you are using splunk 6.3 or later, SOS is deprecated. You should use the Distributed Management Console (DMC) instead. Note this is now the Monitoring Console (MC) in 6.5.

So, a Splunk app is a bundle of config files. Maybe a script or two. Maybe some html or django.

An "App" is an app that provides a front end for visualizing data.

And "Add-on" is an app that provides back end functionality. This can be running scripts to gather data from APIs, data parsing config, entirely new Splunk functionality in the form of new visualizations or new commands, etc.

A "TA" is a technology add-on. These are sometimes for gathering data from APIs, and universally for parsing data. Splunk certified or written TAs will conform to the CIM.

Addons usually go on the indexers and search heads. Apps go on the search head only. This is a generalization, and there are other cases where this is different, and also leaves out heavy forwarders.

For windows and linux logs, you will want at minimum the windows and linux TAs:
*These two TAs provide scripted inputs, so they will need to go on your forwarders as well as your indexers and search heads.

Splunk Employee
Splunk Employee

Splexicon Definitions:
- App
- Add-on

General guidance and documentation regarding Add-ons and how to deploy them is available within the Splunk Add-ons manual. A full library of documentation by Add-on is available at Splunk® Supported Add-ons.

0 Karma


As a supplement, here's the topic in Splunk Documentation on the differences between apps and add-ons:

Get Updates on the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...