Installation

Where should I install Splunk addon in distributed environment?

Dinesh1811
New Member

I need to install a Splunk addon into my Splunk distributed environment.

The addon contains modular scripted inputs to pull the data and store it into a custom index.

I need your help to understand where I should install this addon. What if I install it on all the tiers (HF, indexer, SH...) and enable the input only on the HF? Will the indexer receive data?


PickleRick
SplunkTrust

Firstly, learn what is in the app.

If it's a Splunk-supported add-on, it should have fairly well-written installation instructions containing, among other things, a specification of where to install the add-on and how to configure it.

If it's an independently developed one - well, you're more or less on your own. There are some good practices and conventions but not everyone follows them. For example, a good practice would be to define modular inputs as disabled by default so the app itself can be easily distributed to all tiers and the input would only need to be enabled where it's needed. But I've seen apps which came with modular inputs enabled by default so you have to be watchful. I never install third-party apps in production without a thorough review of their content.

A well-written app would be pretty ok with being installed on all tiers (UF, possible intermediate forwarder, indexer, search head). Settings unneeded at a given layer (like search-time extractions on indexers or parsing settings on UF) would simply get ignored.

Things that could be problematic are the ones that modify the "state" of the environment like said modular inputs, index definitions, scheduled searches.
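The review described in the post above can be partly automated. The following is an added example, not part of the original thread and not Splunk tooling: it scans the text of an app's `default/` conf files for the three state-changing items named above. The add-on name, stanza names and sample contents are constructed, and the parser is a simplification that does not handle line continuations or `local/` overrides.

```python
import re

TRUE_VALUES = {"1", "true", "yes"}  # values this example treats as boolean true

def parse_conf(text):
    """Minimal .conf reader: {stanza: {key: value}}; keys before any stanza go to 'default'."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def is_on(stanzas, stanza, key):
    """True if `key` is set to a true value in the stanza or, failing that, in [default]."""
    value = stanzas[stanza].get(key, stanzas.get("default", {}).get(key, "0"))
    return value.lower() in TRUE_VALUES

def review_app(confs):
    """confs: {file name under default/: text}. Returns (file, stanza, reason) tuples."""
    findings = []
    inputs = parse_conf(confs.get("inputs.conf", ""))
    for stanza in inputs:
        # scheme://name stanzas are input instances; without disabled = 1 they run on install
        if "://" in stanza and not is_on(inputs, stanza, "disabled"):
            findings.append(("inputs.conf", stanza, "input enabled by default"))
    for stanza in parse_conf(confs.get("indexes.conf", "")):
        if stanza != "default" and not stanza.startswith("volume:"):
            findings.append(("indexes.conf", stanza, "defines an index"))
    searches = parse_conf(confs.get("savedsearches.conf", ""))
    for stanza in searches:
        if stanza != "default" and is_on(searches, stanza, "enableSched") \
                and not is_on(searches, stanza, "disabled"):
            findings.append(("savedsearches.conf", stanza, "scheduled search enabled"))
    return findings

# Constructed sample: default/ files of a hypothetical add-on "TA-example"
SAMPLE = {
    "inputs.conf": "[example_api://prod]\ninterval = 300\nindex = example_idx\n\n"
                   "[example_api://test]\ndisabled = 1\n",
    "indexes.conf": "[example_idx]\nhomePath = $SPLUNK_DB/example_idx/db\n",
    "savedsearches.conf": "[Example lookup gen]\nenableSched = 1\ncron_schedule = 0 * * * *\n",
}

if __name__ == "__main__":
    for finding in review_app(SAMPLE):
        print(*finding, sep=" | ")
```

To review a real package, read each file under its `default/` directory into the dictionary passed to `review_app` before deploying the app to any tier.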

isoutamo
SplunkTrust

Hi

It depends on what else you have in this add-on. If it contains only the input part, then there is no need to install it anywhere other than the HF. But if it also contains props + transforms definitions, then you should install it on the SH layer too.

More about installing add-ons: https://docs.splunk.com/Documentation/AddOns/released/Overview/Installingadd-ons

r. Ismo


Dinesh1811
New Member

How about the indexer... the addon contains a custom indexes.conf?


isoutamo
SplunkTrust

Normally add-ons shouldn't contain index definitions. You should create a separate package called SA-something to store index definitions. You should remember that different environments have different naming standards etc. For that reason it's better to create index definitions separately. Also add that information inside a macro on the TA side, or make it otherwise easily configurable. Of course you must add index definitions on the input side too, but try to make that as easily configurable as possible.
