All Apps and Add-ons

Splunk Add-on for Microsoft Windows: Which components should I deploy the add-on to?


We have a distributed Splunk environment. We are using a universal forwarder to get logs from a Windows server. Deployment server is being used to deploy apps to different components. To which components should I deploy the Splunk Add-on for Microsoft Windows?

0 Karma

Esteemed Legend

It depends but the general answer is "probably everywhere except for linux forwarders". See here:

0 Karma

Ultra Champion

hello there,

start here:
and read thoroughly through the doc
it explains in detail where each component (TA / app / SA) should be
the TA for windows itself should be on all splunk components, Forwarder, indexer and Search Head.
also on the Deployment Server (in /etc/deployment-apps) if you use it to push to forwarders.
hope it helps

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!