
Where should I install Splunk addon in distributed environment?

New Member

I need to install a Splunk addon into my Splunk distributed environment.

The addon contains modular scripted inputs to pull the data and store it into a custom index.

I need your help to understand where I should install this addon. What if I install it on all the tiers (HF, indexer, SH...) and enable the input only on the HF? Will the indexer receive data?

0 Karma


Firstly, learn what is in the app.

If it's a Splunk-supported add-on, it should have fairly well-written installation instructions containing, among other things, a specification of where to install the add-on and how to configure it.

If it's an independently developed one - well, you're more or less on your own. There are some good practices and conventions but not everyone follows them. For example, a good practice would be to define modular inputs as disabled by default so the app itself can be easily distributed to all tiers and the input would only need to be enabled where it's needed. But I've seen apps which came with modular inputs enabled by default so you have to be watchful. I never install third-party apps in production without a thorough review of their content.

A well-written app would be pretty ok with being installed on all tiers (UF, possible intermediate forwarder, indexer, search head). Settings unneeded at a given layer (like search-time extractions on indexers or parsing settings on UF) would simply get ignored.

Things that could be problematic are the ones that modify the "state" of the environment like said modular inputs, index definitions, scheduled searches.
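A pre-install review of the kind described in the answer above can be scripted. The following is an added example, not part of the original post and not Splunk's own tooling: it flags the state-changing settings named there (inputs enabled by default, index definitions, active scheduled searches). The add-on contents and stanza names are constructed, and it reads only the files passed in without modelling Splunk's local-over-default layering.

```python
import re
from pathlib import Path

TRUE = {"1", "true", "t", "yes", "y"}  # spellings treated as boolean true here

def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}, comments skipped."""
    stanzas, current = {}, "default"
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def review_app(files):
    """files maps a path inside the add-on to its text; returns sorted findings."""
    findings = []
    for path, text in files.items():
        name, conf = Path(path).name, parse_conf(text)
        # A [default] stanza supplies values that other stanzas inherit.
        inherited = conf.pop("default", {}).get("disabled", "0")
        for stanza, kv in conf.items():
            disabled = kv.get("disabled", inherited).lower() in TRUE
            scheduled = kv.get("enableSched", "0").lower() in TRUE
            if name == "inputs.conf" and not disabled:
                findings.append(f"{path}: input [{stanza}] is enabled by default")
            elif name == "indexes.conf":
                findings.append(f"{path}: defines index [{stanza}]")
            elif name == "savedsearches.conf" and scheduled and not disabled:
                findings.append(f"{path}: scheduled search [{stanza}] is active")
    return sorted(findings)

# Constructed sample add-on (hypothetical names), not taken from the thread.
SAMPLE = {
    "default/inputs.conf": "[example_api://orders]\ninterval = 300\nindex = example_custom\n\n"
                           "[example_api://audit]\ndisabled = 1\n",
    "default/indexes.conf": "[example_custom]\nhomePath = $SPLUNK_DB/example_custom/db\n",
    "default/savedsearches.conf": "[Example summary]\nenableSched = 1\nsearch = index=example_custom\n\n"
                                  "[Example ad hoc]\nsearch = index=example_custom | stats count\n",
    "default/props.conf": "[example:orders]\nTIME_FORMAT = %s\n",
}

if __name__ == "__main__":
    print("\n".join(review_app(SAMPLE)))
```

Any finding is a setting to disable, move to a separate package, or consciously accept before the add-on is pushed to every tier.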



It depends on what else you have in this add-on. If it contains only the input part, then there is no need to install it anywhere other than the HF. But if it also contains props + transforms definitions, then you should install it on the SH layer as well.

More about installing add ons

r. Ismo

0 Karma

New Member

How about the indexer... the addon contains a custom indexes.conf?

0 Karma


Normally add-ons shouldn’t contain index definitions. You should create a separate package called SA-something to store index definitions. You should remember that in different environments there are different naming standards etc.; for that reason it’s better to create index definitions separately. Also add that information inside a macro on the TA side, or otherwise make it easily configurable. Of course you must add index definitions on the input side too, but try to make that as easily configurable as possible.
