What is the difference between apps, add-ons and TAs? Which ones should be installed on the search heads and which ones on the indexers. Currently, we don't want anything on the lower system since we are only sending log files to the indexers. But it would be nice to have different apps/add-ons to view this data. If you can recommend apps/add-ons for Windows security logs and Linux audit logs that would be great. I would like to set up SOS on the DMC, and if I'm correct, a TA for SOS needs to be installed on the indexers. All the indexers are Linux/Red Hat system that we want to monitor, so help on this would be great.
If you are using splunk 6.3 or later, SOS is deprecated. You should use the Distributed Management Console (DMC) instead. Note this is now the Monitoring Console (MC) in 6.5.
So, a Splunk app is a bundle of config files. Maybe a script or two. Maybe some html or django.
An "App" is an app that provides a front end for visualizing data.
And "Add-on" is an app that provides back end functionality. This can be running scripts to gather data from APIs, data parsing config, entirely new Splunk functionality in the form of new visualizations or new commands, etc.
A "TA" is a technology add-on. These are sometimes for gathering data from APIs, and universally for parsing data. Splunk certified or written TAs will conform to the CIM.
Addons usually go on the indexers and search heads. Apps go on the search head only. This is a generalization, and there are other cases where this is different, and also leaves out heavy forwarders.
General guidance and documentation regarding Add-ons and how to deploy them is available within the Splunk Add-ons manual. A full library of documentation by Add-on is available at Splunk® Supported Add-ons.