Installation

Where should I install Splunk addon in distributed environment?

Dinesh1811
New Member

I need to install a Splunk addon into my Splunk distributed environment.

The addon contains modular scripted inputs to pull the data and store it into a custom index.

I need your help to understand where I should install this addon. What if I install it on all the tiers (HF, indexer, SH...) and enable the input only on the HF? Will the indexer receive data?

0 Karma

PickleRick
SplunkTrust

Firstly, learn what is in the app.

If it's a Splunk-supported add-on, it should have fairly well-written installation instructions containing, among other things, a specification of where to install the add-on and how to configure it.

If it's an independently developed one - well, you're more or less on your own. There are some good practices and conventions but not everyone follows them. For example, a good practice would be to define modular inputs as disabled by default so the app itself can be easily distributed to all tiers and the input would only need to be enabled where it's needed. But I've seen apps which came with modular inputs enabled by default so you have to be watchful. I never install third-party apps in production without a thorough review of their content.

A well-written app would be pretty OK with being installed on all tiers (UF, possible intermediate forwarder, indexer, search head). Settings unneeded at a given layer (like search-time extractions on indexers or parsing settings on UF) would simply get ignored.

Things that could be problematic are the ones that modify the "state" of the environment like said modular inputs, index definitions, scheduled searches.

isoutamo
SplunkTrust

Hi

It depends on what else you have in this add-on. If it contains only the input part, then there is no need to install it anywhere other than the HF. But if it also contains props + transforms definitions, then you should install it on the SH layer too.

More about installing add-ons: https://docs.splunk.com/Documentation/AddOns/released/Overview/Installingadd-ons

r. Ismo

0 Karma

Dinesh1811
New Member

How about the indexer... the addon contains custom indexes.conf?

0 Karma

isoutamo
SplunkTrust

Normally add-ons shouldn't contain index definitions. You should create a separate package called SA-something to store the index definitions. You should remember that in different environments there are different naming standards etc. For that reason it's better to create index definitions separately. Also add that information inside a macro on the TA side, or make it otherwise easily configurable. Of course you must add index definitions on the input side too, but try to make that as easily configurable as possible as well.
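The pre-deployment review described in the answers above (inputs enabled by default, bundled index definitions, scheduled searches) can be scripted. This is an added example, not part of the original thread or of any Splunk tooling; it reads only the add-on's `default/` directory, does not resolve `local/` layering, and the stanza names in `SAMPLE` are constructed.

```python
from pathlib import Path

TRUE = {"1", "true", "t", "yes", "y"}  # values treated as boolean true in this sketch
CONFS = ("inputs.conf", "indexes.conf", "savedsearches.conf")

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; no local/ layering, no line continuations."""
    stanzas, current = {"default": {}}, "default"
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def flag(conf, stanza, key):
    """Boolean setting of a stanza, falling back to the file's [default] stanza."""
    return conf[stanza].get(key, conf["default"].get(key, "0")).lower() in TRUE

def review(files):
    """files maps conf name -> text; returns (finding, stanza) pairs for state-changing settings."""
    inputs, indexes, searches = (parse_conf(files.get(n, "")) for n in CONFS)
    out = []
    for s in inputs:
        if "://" in s and not flag(inputs, s, "disabled"):
            out.append(("input enabled by default", s))
    for s in indexes:
        if s != "default" and not s.startswith("volume:"):
            out.append(("index definition", s))
    for s in searches:
        if s != "default" and flag(searches, s, "enableSched") and not flag(searches, s, "disabled"):
            out.append(("scheduled search", s))
    return out

def review_app(app_dir):
    """Review default/*.conf of an unpacked add-on directory."""
    paths = {n: Path(app_dir, "default", n) for n in CONFS}
    return review({n: p.read_text(encoding="utf-8") for n, p in paths.items() if p.is_file()})

SAMPLE = {  # constructed add-on content, not taken from a real app
    "inputs.conf": "[my_feed://prod]\nindex = my_custom\n[my_feed://test]\ndisabled = 1\n",
    "indexes.conf": "[my_custom]\nhomePath = $SPLUNK_DB/my_custom/db\n",
    "savedsearches.conf": "[Nightly summary]\nenableSched = 1\nsearch = index=my_custom\n",
}

if __name__ == "__main__":
    for finding, stanza in review(SAMPLE):
        print(f"{finding}: {stanza}")
```

Run `review_app()` against the unpacked package before pushing it to any tier; an empty result means none of the three state-changing settings were found in `default/`.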
