There isn't a "one size fits all" solution.

Ad.1 True, the add-on does seem to contain search-time definitions. Submit feedback on the documentation page. It works 🙂

Ad.2 Typically, well-written add-ons will have inputs defined but disabled by default. So you can push your app with the default settings and enable the input you want either by placing proper settings in the app's local directory or by creating another app. But I don't trust any non-Splunk-supported apps and review all apps before deployment.

Ad.3 If the app is properly written - see above - you can push the whole app to all needed tiers. Unused configurations will be... well, unused. OK, if some app needs a huge blob of code to run or something like that, you might reconsider splitting it up into smaller chunks.

I would probably have the app with default settings in the default directory and overwrite the settings in the local directory before pushing to indexers/SHs/forwarders. Unless there were specific settings, for example, pushed differently to different classes of forwarders. Then I'd probably split the local settings into several apps.

As I said - there is no one "right" choice. It's up to you to make it easy to understand, convenient to manage and cheap to maintain. If you get some convention, stick to it so that a person who comes to maintain the environment after you've been struck by a bus is not surprised too many times 😉
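An added example, not part of the original post: a pre-deployment check that lists which inputs an add-on would run as shipped in `default/inputs.conf` and after a `local/inputs.conf` override. The parser is simplified (no line continuations, no `[default]` stanza inheritance), and the stanza names and paths are constructed.

```python
# Added example: simplified Splunk .conf handling for a pre-deployment review.
# Assumption: these spellings are treated as boolean true for "disabled".
TRUE_VALUES = {"1", "true", "t", "yes", "y"}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def merge_layers(default, local):
    """Overlay local on default key by key (local wins within one app)."""
    merged = {name: dict(keys) for name, keys in default.items()}
    for name, keys in local.items():
        merged.setdefault(name, {}).update(keys)
    return merged

def enabled_inputs(stanzas):
    """Return stanzas that would run: 'disabled' missing or not true."""
    return sorted(n for n, k in stanzas.items()
                  if k.get("disabled", "0").lower() not in TRUE_VALUES)

# Constructed sample: an add-on that ships one input enabled by mistake.
DEFAULT_INPUTS = """
[monitor:///var/log/example/app.log]
disabled = 1
[script://./bin/collect.sh]
interval = 300
"""

# Constructed sample: the override placed in the app's local directory.
LOCAL_INPUTS = """
[monitor:///var/log/example/app.log]
disabled = 0
[script://./bin/collect.sh]
disabled = 1
"""

if __name__ == "__main__":
    shipped = parse_conf(DEFAULT_INPUTS)
    print("enabled as shipped:", enabled_inputs(shipped))
    merged = merge_layers(shipped, parse_conf(LOCAL_INPUTS))
    print("enabled after local override:", enabled_inputs(merged))
```

An input stanza with no `disabled` key counts as enabled, which is why the scripted input shows up in the first list even though nobody turned it on.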