Getting Data In

What is the difference between apps, add-ons and TAs and where/when do you use them?

bnolf
Engager

What is the difference between apps, add-ons and TAs? Which ones should be installed on the search heads and which ones on the indexers? Currently, we don't want anything on the lower system since we are only sending log files to the indexers. But it would be nice to have different apps/add-ons to view this data. If you can recommend apps/add-ons for Windows security logs and Linux audit logs, that would be great. I would like to set up SOS on the DMC, and if I'm correct, a TA for SOS needs to be installed on the indexers. All the indexers are Linux/Red Hat systems that we want to monitor, so help on this would be great.

thanks

dstonecypher_sp
Splunk Employee

If you are using Splunk 6.3 or later, SOS is deprecated. You should use the Distributed Management Console (DMC) instead. Note this is now the Monitoring Console (MC) in 6.5.

So, a Splunk app is a bundle of config files. Maybe a script or two. Maybe some HTML or Django.

An "App" is an app that provides a front end for visualizing data.

An "Add-on" is an app that provides back end functionality. This can be running scripts to gather data from APIs, data parsing config, entirely new Splunk functionality in the form of new visualizations or new commands, etc.

A "TA" is a technology add-on. These are sometimes for gathering data from APIs, and universally for parsing data. Splunk certified or written TAs will conform to the CIM.

Add-ons usually go on the indexers and search heads. Apps go on the search head only. This is a generalization; there are other cases where this is different, and it also leaves out heavy forwarders.

For Windows and Linux logs, you will want at minimum the Windows and Linux TAs:
https://splunkbase.splunk.com/app/742/
https://splunkbase.splunk.com/app/833/
*These two TAs provide scripted inputs, so they will need to go on your forwarders as well as your indexers and search heads.
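The deployment rule of thumb in the answer above (add-ons on indexers and search heads, apps on search heads only, anything with scripted inputs on forwarders too) can be turned into a small checker that looks at what a bundle actually contains before it is pushed out. The following is an added example, not Splunk's own tooling and not part of the original thread; the directory layout conventions it keys on (`default/data/ui/views` for dashboards, `props.conf`/`transforms.conf` for parsing, `inputs.conf` and `bin/` scripts for data collection) are the standard Splunk app layout, but the classification heuristic itself is an assumption that encodes the generalization from the answer. The two file lists are constructed samples.

```python
"""Classify a Splunk bundle as an "app" (front end) or "add-on" (back end) from
its file list, and map it to the deployment tiers it belongs on.

Added example following the generalization in the answer above; this is not a
Splunk tool, and the heuristic is an assumption, not an official rule.
"""
from pathlib import PurePosixPath

# Assumed indicators, based on the standard Splunk app directory layout.
PARSING_CONFS = {"props.conf", "transforms.conf"}      # index-time / search-time parsing
UI_PREFIXES = ("default/data/ui/", "local/data/ui/")   # dashboards and navigation
SCRIPT_SUFFIXES = {".py", ".sh", ".ps1"}               # scripted / modular inputs in bin/


def classify(files):
    """Return {"kind": "app"|"add-on", "targets": set(...)} for a bundle.

    Rules encoded from the answer above:
      * a bundle that ships UI (views/nav) is an "app"; otherwise it is an "add-on";
      * everything goes on search heads;
      * add-ons (parsing config) also go on indexers;
      * bundles with inputs.conf or bin/ scripts also go on forwarders,
        because the data collection has to run where the data is.
    """
    paths = [PurePosixPath(f) for f in files]
    names = {p.name for p in paths}

    has_ui = any(str(p).startswith(UI_PREFIXES) for p in paths)
    has_parsing = bool(names & PARSING_CONFS)
    has_inputs = "inputs.conf" in names or any(
        p.parts and p.parts[0] == "bin" and p.suffix in SCRIPT_SUFFIXES for p in paths
    )

    kind = "app" if has_ui else "add-on"
    targets = {"search_head"}
    if kind == "add-on" or has_parsing:
        targets.add("indexer")
    if has_inputs:
        targets.add("forwarder")
    return {"kind": kind, "targets": targets}


# Constructed sample 1: a TA-style bundle with scripted inputs and parsing config.
TA_STYLE_BUNDLE = [
    "default/app.conf",
    "default/inputs.conf",
    "default/props.conf",
    "default/transforms.conf",
    "default/eventtypes.conf",
    "default/tags.conf",
    "bin/collect_audit.py",
    "README.txt",
]

# Constructed sample 2: a dashboards-only bundle with no parsing or inputs.
DASHBOARD_BUNDLE = [
    "default/app.conf",
    "default/data/ui/nav/default.xml",
    "default/data/ui/views/overview.xml",
    "default/savedsearches.conf",
]


def describe(files):
    """Human-readable deployment summary for a bundle."""
    result = classify(files)
    tiers = ", ".join(sorted(result["targets"]))
    return f"{result['kind']}: deploy to {tiers}"


if __name__ == "__main__":
    print("TA-style bundle   ->", describe(TA_STYLE_BUNDLE))
    print("dashboard bundle  ->", describe(DASHBOARD_BUNDLE))
```

Running it prints the tier list for each constructed bundle; the point is that a TA carrying `inputs.conf` and a `bin/` script lands on forwarders as well as indexers and search heads, while a pure dashboard app stays on the search head, which is exactly the split the answer describes.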

sloshburch
Ultra Champion

Splexicon Definitions:
- App
- Add-on

General guidance and documentation regarding Add-ons and how to deploy them is available within the Splunk Add-ons manual. A full library of documentation by Add-on is available at Splunk® Supported Add-ons.


ppablo
Retired

As a supplement, here's the topic in Splunk Documentation on the differences between apps and add-ons:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Whatsanapp
