"The easiest play [way?] is to just install it everywhere they recommend it." Indeed, and that may be what the http://docs.splunk.com/Documentation/UnixAddOn/5.2.4/User/DeploytheSplunkAdd-onforUnixandLinuxinadistributedSplunkenvironment page indicates, but this is undermined by e.g. http://docs.splunk.com/Documentation/UnixApp/5.2.3/User/WhataSplunkAppforUnixandLinuxdeploymentlookslike which clearly shows a supposedly working deployment with no Splunk_TA_nix on the indexer/search head.
On the other hand, http://docs.splunk.com/Documentation/UnixApp/5.2.3/User/DeploytheSplunkAppforUnixandLinuxinadistributedSplunkenvironment, under "Steps to building a Splunk App for Unix and Linux deployment", step 6 states the add-on is to be installed on the search heads.
The http://docs.splunk.com/Documentation/UnixAddOn/5.2.4/User/Platformandhardwarerequirements page is not about "compatibility", it's about requirements. If the add-on were not required on the search head, the app would work without it. It does not.
When Splunk_TA_nix is installed on a forwarder, it uses index=os, right? And the App, on its Settings page, clearly shows Unix Index(es) = "index=os" (by default). So it does not appear (to me, at least) that it's a matter of index naming. It appears to be some sort of data conversion or labelling black magic that the add-on does. Keep in mind that a newbie like me considers Splunk as a big black box: installation instructions and application advisories should be written appropriately. It was very frustrating to install the app (without Splunk_TA_nix on the search head) and have absolutely no clue as to what was broken. Splunk was not telling me what needed fixing.