The THOR Add-on contains all event types, field extractions, transforms, tags and lookups for the THOR Splunk App. If you use Splunk as a simple Syslog Receiver you have to install the new THOR Add-on and the new THOR App on that system. If you use Splunk Forwarders to collect your data, you can now deploy the THOR Add-on on the Forwarders with the Deployment Manager and the lightweight THOR App on the Search Head. Steps to get data into the Splunk App: Use sourcetype='thor' for all your inputs (files/udp/tcp) Recommendation: Create an index named 'thor' and add this index to the base event type definition (Settings > Event Types > 'thor_events'): sourcetype=thor AND index=thor