Universal Forwarder Technology Add-On

Mohamad_Alaa
Path Finder

Dear Team,

I installed Enterprise Security on the search head and downloaded Splunk_TA_ForIndexer from the ES General settings.

Now I am stuck on the UF technology add-on. Where can I find it? There is no option in the ES interface and I can't find it on the Splunkbase portal.
I tried multiple search keywords on Splunkbase with no luck.


Mohamad_Alaa
Path Finder

I appreciate all your efforts.
Now, to make things clear:
1- Do I need to install a TA add-on on the UF for ES? (yes or no) Note that all my values on the Security Posture dashboard are still zero although I enabled all correlation searches.
2- If yes, I need it on the UF; from where can I download it? Note that I didn't find any TA on Splunkbase.

Thanks once again


richgalloway
SplunkTrust

First, do NOT enable all ES correlation searches. That will cause more problems than it will solve. Enable only the correlation searches that pertain to your use cases and for which you have data ingested in Splunk.

Where a TA should be installed depends on what the TA does. The installation instructions for the TA should specify the location. If they don't, use the "Where to install" link I provided earlier. Generally speaking, it can't hurt to install a TA on both indexers and UFs.

Splunkbase is the source for most Splunk TAs. Others can be downloaded from the vendors that created them for their products. Still others are available from GitHub. It can be difficult to locate a TA without knowing the name, however. What do you want the TA to do? Perhaps we can help you find something appropriate.

---
If this reply helps you, Karma would be appreciated.
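To make the "where does a TA go" decision above concrete, here is an added example script. It is mine, not from the thread, from Splunk, or from any add-on's own documentation. It touches nothing real: it builds two constructed add-on directories inline, one shaped like a vendor source TA (inputs plus parsing plus CIM-style field knowledge) and one shaped like the indexes-only Splunk_TA_ForIndexer mentioned in the question, then reports which tiers each belongs on by the .conf files it carries. The file-to-tier mapping is a rule of thumb assumed by this example and labelled as such in the comments; the add-on's own installation instructions always take precedence.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk: inspect an unpacked TA and
# report which Splunk tiers it needs to be installed on. The mapping below is a
# rule of thumb (an assumption of this example), not an official rule; the TA's
# own README/docs win.
#   indexes.conf                         -> indexer    (index definitions; the shape
#                                           of the ES-generated Splunk_TA_ForIndexer)
#   inputs.conf                          -> forwarder  (data collection on a UF/HF)
#   index-time props/transforms settings -> indexer    (line breaking, timestamps,
#                                           TRANSFORMS-*; a UF never applies these)
#   search-time knowledge objects        -> searchhead (extractions, aliases, tags,
#                                           eventtypes: the CIM mapping ES consumes)
set -eu

# True if the named .conf exists in the TA's default/ or local/ directory.
conf_exists() {
    [ -f "$1/default/$2" ] || [ -f "$1/local/$2" ]
}

# True if any line of the named .conf (default/ and local/ merged) matches the ERE in $3.
conf_grep() {
    cat "$1/default/$2" "$1/local/$2" 2>/dev/null | grep -Eiq "$3"
}

# Print the tiers a TA needs as a sorted, space-separated list,
# e.g. "forwarder indexer searchhead". $1 = path to the unpacked TA.
ta_tiers() {
    ta="$1"
    tiers=""
    conf_exists "$ta" indexes.conf && tiers="$tiers indexer"
    conf_exists "$ta" inputs.conf  && tiers="$tiers forwarder"
    # Index-time settings only take effect on the first full Splunk instance that
    # parses the stream (indexer or heavy forwarder); a UF just ships raw bytes.
    if conf_grep "$ta" props.conf '^[[:space:]]*(TRANSFORMS-|SEDCMD-|LINE_BREAKER|SHOULD_LINEMERGE|TIME_PREFIX|TIME_FORMAT|MAX_TIMESTAMP_LOOKAHEAD|TZ[[:space:]]*=)' \
       || conf_grep "$ta" transforms.conf '^[[:space:]]*(DEST_KEY|WRITE_META)'; then
        tiers="$tiers indexer"
    fi
    # Search-time knowledge is what ES data models (and the dashboards fed by
    # them) consume; it has to be on the search head running ES.
    if conf_grep "$ta" props.conf '^[[:space:]]*(EXTRACT-|REPORT-|FIELDALIAS-|EVAL-|LOOKUP-)' \
       || conf_exists "$ta" tags.conf || conf_exists "$ta" eventtypes.conf; then
        tiers="$tiers searchhead"
    fi
    # Deduplicate and sort for a stable answer.
    printf '%s\n' $tiers | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample 1: the shape of a vendor source TA (not any real product's add-on).
build_sample_source_ta() {
    dir="$(mktemp -d)/TA-sample_firewall"
    mkdir -p "$dir/default"
    cat > "$dir/default/inputs.conf" <<'EOF'
[udp://514]
sourcetype = sample:firewall
disabled = 1
EOF
    cat > "$dir/default/props.conf" <<'EOF'
[sample:firewall]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
EXTRACT-action = action=(?<action>\w+)
FIELDALIAS-src = src_ip AS src
EOF
    cat > "$dir/default/tags.conf" <<'EOF'
[eventtype=sample_firewall_traffic]
network = enabled
communicate = enabled
EOF
    printf '%s\n' "$dir"
}

# Constructed sample 2: an indexes-only TA, the shape of Splunk_TA_ForIndexer.
build_sample_indexes_ta() {
    dir="$(mktemp -d)/TA-sample_for_indexers"
    mkdir -p "$dir/default"
    cat > "$dir/default/indexes.conf" <<'EOF'
[sample_security]
homePath   = $SPLUNK_DB/sample_security/db
coldPath   = $SPLUNK_DB/sample_security/colddb
thawedPath = $SPLUNK_DB/sample_security/thaweddb
EOF
    printf '%s\n' "$dir"
}

# Demo run over both constructed add-ons.
for ta in "$(build_sample_source_ta)" "$(build_sample_indexes_ta)"; do
    printf '%s -> %s\n' "$(basename "$ta")" "$(ta_tiers "$ta")"
done
# prints:
#   TA-sample_firewall -> forwarder indexer searchhead
#   TA-sample_for_indexers -> indexer
```

Point it at a real unpacked add-on with `ta_tiers /opt/splunk/etc/apps/Splunk_TA_xyz` (path assumed). The useful lesson is the second case: an add-on that ships only indexes.conf has nothing for a forwarder to do, while a source add-on usually needs all three tiers, because the UF only collects (inputs.conf), the indexer parses (index-time props), and the ES search head is where the field aliases and tags that populate the CIM data models are evaluated.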

Mohamad_Alaa
Path Finder

Can you share the TA for the UF, specifically the one used for ES?
Or the download link or any helpful screenshot.


richgalloway
SplunkTrust

There is no UF add-on specific to ES.  ES can produce an add-on for your indexers, but that method can be used only in limited circumstances.  See https://docs.splunk.com/Documentation/ES/7.2.0/Install/InstallTechnologyAdd-ons#Deploy_add-ons_to_fo... for when it can be used and alternatives for other environments.  I recommend manual installation of add-ons.

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

Again - there is no such thing as an "add-on for UF". There are several different add-ons (which you install on various components of your Splunk infrastructure, including UFs) needed for the specific solution you want to ingest data from.

So if you want to process logs from Checkpoint firewalls, you use the TA for Checkpoint. If you get logs from Proofpoint you install the UF for Proofpoint. And so on.

Mohamad_Alaa
Path Finder

So if I have 50 devices, do I need to install the TA on all 50? Let's assume Cisco, Fortinet, Palo Alto ...
So is it not enough to install the TA on the indexers, given that such devices are already sending their logs to the indexer?


PickleRick
SplunkTrust

TA_for_indexers contains only the installation part needed on indexers (the definition of indexes) that is required for ES to work. But it's just so that ES on its own is "fully installed".

Apart from that Splunk (and ES too) needs to know how to work with specific types of data provided by various kinds of sources. That's what TAs for those sources are for.

So yes, if you have 40 _types_ of devices, you might need 40 different TAs. Often TAs contain definitions, parsing rules and CIM-mappings for multiple sources from a single vendor (so you might not need to have a separate TA for every single type of Juniper firewalls, just a single TA able to parse JunOS events).


Mohamad_Alaa
Path Finder

OK, much clearer.

I have Cisco switches and tried to search for that add-on, but with no luck. I can see Cisco ESA, WSA, ISE ... but not IOS for switches or routers?

Moreover, the installation tab is empty; it does not include the installation steps.

Any advice here?


PickleRick
SplunkTrust

Might be that those particular kinds of sources are not covered by any ready-made add-ons.

Splunk-supported add-ons usually have their documentation on https://docs.splunk.com/

Third-party add-ons - well, here you're on your own and at the mercy of the add-on creator.


richgalloway
SplunkTrust

Why are you looking for that TA?  What problem are you trying to solve?  What documentation said to install the UF TA?

If you are a Splunk Cloud customer, the UF TA is available from your Splunk Cloud search head.  Open the "Universal Forwarder" app then click the green Download button.  If you are not a Splunk Cloud customer then you probably don't need the TA, depending on the answers to the above questions.

---
If this reply helps you, Karma would be appreciated.

Mohamad_Alaa
Path Finder

I am using Splunk fully on-prem, no cloud option.

As per the documentation, the TA is to be installed on the UF; you can refer to the link below.

https://community.splunk.com/t5/Security/Universal-Forwarder-Technology-Add-On/m-p/669359#M17403

As I understood, the TA is to be installed on the indexers (already done) and on the UF.

Thanks

richgalloway
SplunkTrust

The link provided is to this question, not to any documentation.

If the TA is already installed on the indexers then you have what you need.  Just install the same TA on the forwarders.

---
If this reply helps you, Karma would be appreciated.

Mohamad_Alaa
Path Finder

https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall

Here is the correct link.

No one mentioned that it is the same TA for both; did you try this before?
As per the documentation it should be downloaded directly from Splunkbase, but I can't find it. The only thing I found is "Splunk-add-on-for-windows" but I'm not sure if that's it or not.

Thanks

richgalloway
SplunkTrust

There's a lot of Splunk documentation so I understand why you don't have all the information yet.  See https://docs.splunk.com/Documentation/AddOns/released/Overview/Wheretoinstall for tips on where to install TAs.  The instructions that come with the TA are the best guide, however.

Splunkbase apps should be obtained directly from Splunkbase rather than via 3rd-party sources that may not be reputable.  However, once you've downloaded the TA it does not need to be downloaded again until a new version is available.  The one downloaded copy may be installed as many times as you wish.

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

It's a general method of installing addons. You need addons for your particular sources.
