Skip to content

Install the Splunk Add-on for AWS in a distributed Splunk Enterprise deployment

If you are using a distributed Splunk Enterprise deployment, follow the instructions in each of the following sections to deploy the Splunk Add-on for Amazon Web Services (AWS) to your search heads, indexers, and forwarders. You must install the Splunk Add-on for AWS on a heavy forwarder. You cannot use this add-on with a universal forwarder. You can install this add-on onto search heads and indexers.

Heavy forwarders

To install the Splunk Add-on for AWS to a heavy forwarder, follow these steps:

  1. Download the Splunk Add-on for AWS from Splunkbase, if you have not already done so.
  2. From the Splunk Web home screen on your heavy forwarder, click the gear icon next to Apps.
  3. Click Install app from file.
  4. Locate the downloaded file and click Upload.
  5. If the forwarder prompts you to restart, do so.
  6. Verify that the add-on appears in the list of apps and add-ons. You can also find it on the server at $SPLUNK_HOME/etc/apps/Splunk_TA_AWS.

Search heads

To install the Splunk Add-on for AWS to a search head, follow these steps:

  1. Download the Splunk Add-on for AWS from Splunkbase, if you have not already done so.
  2. From the Splunk Web home screen, click the gear icon next to Apps.
  3. Click Install app from file.
  4. Locate the downloaded file and click Upload.
  5. If Splunk Enterprise prompts you to restart, do so.
  6. Verify that the add-on appears in the list of apps and add-ons.

Make sure the add-on is not visible. If the Visible column for the add-on is set to Yes, edit the properties and change the visibility to No. Disable visibility of add-ons on search heads to avoid inputs from being created on search heads. Data collection for search heads might conflict with users’ search activity.

You can also find the add-on on the server at $SPLUNK_HOME/etc/apps/Splunk_TA_AWS.

Search head clusters

Before deploying the Splunk Add-on for AWS to a search head cluster, make the following changes to the add-on package:

  1. Remove the inputs.conf and inputs.conf.spec files. If you are collecting data locally from the machines running your search head nodes, keep these files.
  2. Use the deployer to deploy an add-on to the search head cluster members.

See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.

Indexers

To install the Splunk Add-on for AWS to an indexer, follow these steps:

  1. Download the Splunk Add-on for AWS from Splunkbase, if you have not already done so.
  2. Unpack the .tgz package.
  3. Place the resulting Splunk_TA_AWS folder in the $SPLUNK_HOME/etc/apps directory on your indexer.
  4. Restart the indexer.

Indexer clusters

  1. Remove the inputs.conf and inputs.conf.spec files. If you are collecting data locally from the machines running your indexer nodes, keep these files.
  2. Deploy add-ons to peer nodes on indexer clusters using a master node.

For more information about using a master node to deploy to peer nodes of an indexer cluster, see Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.