
Quick Install Reference

A single matrix mapping every Splunkbase add-on, prerequisite, and LogServ component to the tier(s) where each gets installed. Use this as a pre-install checklist; for full install steps see the per-package pages linked from each row.

Package Matrix

Single-instance Splunk

For a single-instance Splunk deployment (one host playing every role), install every required app on that one host. The matrix below is for distributed topologies — column headings refer to specific tiers. SH = Search Head, IDX = Indexer, HFs = Heavy Forwarders, DS = Deployment Server.

| App | Splunkbase | Required? | SH | IDX | HFs | DS |
|---|---|---|---|---|---|---|
| LogServ Data TA (splunk_ta_sap_logserv) | this repo | required | | ✓ (indexes.conf) | ✓ (via DS) | ✓ (filter UI) |
| LogServ App (splunk_app_sap_logserv) | this repo | required | | | | |
| Splunk Add-on for Unix and Linux | 833 | required (CIM) | | | | |
| Splunk Add-on for Microsoft Windows | 742 | required (CIM) | | | | |
| Splunk Add-on for Squid Proxy | 2965 | required (CIM) | | | | |
| Splunk Add-on for ISC BIND | 2876 | required (CIM) | | | | |
| Splunk Add-on for AWS | 1876 | required if SAP ECS in AWS | | | ✓ (S3 inputs) | |
| Splunk MCP Server | 7931 | v1.1.0+ required for AI Assistant | | | | |
| Splunk AI Assistant | 200 | recommended companion to 7931 | | | | |

Notes

  • Indexer rationale. The Data TA goes on the indexer because it bundles indexes.conf. See Why does the Data TA need to go on the Indexer? for the trade-off and the opt-out path.
  • CIM add-ons (Unix/Linux, Windows, Squid, ISC BIND). Install on every tier where the Data TA installs so sourcetype definitions resolve consistently. Splunkbase’s AppInspect rules require these as declared dependencies.
  • AWS Add-on (1876). Only needed when SAP ECS data lives in AWS S3. The AWS add-on owns the SQS-based S3 inputs that pull data from the destination bucket; the LogServ Data TA then sourcetype-routes events as they’re parsed on HFs. The index = sap_logserv_logs setting that sends events to the right index lives in the AWS add-on’s S3 input config, not in the LogServ Data TA.
  • MCP Server (7931). Required for the AI Assistant’s predefined-prompt path even when the LLM-driven path is disabled. Without it, the AI Assistant chat panel can’t dispatch saved searches.
  • Splunk AI Assistant (200). The LogServ App uses only the core splunk_run_saved_search and splunk_run_query MCP tools (which work standalone against 7931), but App 200 follows Splunk’s documented co-install pattern and unlocks saia_*-prefixed MCP tools that may be used in future LogServ releases.
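
The AWS Add-on note above places the index = sap_logserv_logs setting in the AWS add-on's S3 input config, so an input that omits or mistypes it sends events to an index the LogServ searches never look at. The following is an added example, not code from this repo: it audits an inputs.conf for that setting, assuming the SQS-based S3 input stanzas use the `aws_sqs_based_s3://` prefix; the input names and account value in the sample are constructed.

```python
EXPECTED_INDEX = "sap_logserv_logs"      # index name given on this page
STANZA_PREFIX = "aws_sqs_based_s3://"    # assumption: stanza prefix of SQS-based S3 inputs

# Constructed sample inputs.conf; input names and account value are made up.
SAMPLE_INPUTS_CONF = """\
[aws_sqs_based_s3://logserv_prod]
aws_account = example_account
index = sap_logserv_logs

[aws_sqs_based_s3://logserv_dr]
# no index line: events go to whatever default index applies

[aws_sqs_based_s3://logserv_test]
index = main

[monitor:///var/log/messages]
index = os
"""

def parse_stanzas(text):
    """Return {stanza_name: {key: value}} for a Splunk-style .conf file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def misrouted_inputs(text, expected=EXPECTED_INDEX):
    """List (input_name, index_or_None) for enabled S3 inputs not sending to `expected`."""
    findings = []
    for name, settings in parse_stanzas(text).items():
        if not name.startswith(STANZA_PREFIX):
            continue  # other input types are out of scope for this check
        if settings.get("disabled", "0").lower() in ("1", "true"):
            continue  # disabled inputs collect nothing
        index = settings.get("index")
        if index != expected:
            findings.append((name[len(STANZA_PREFIX):], index))
    return findings

if __name__ == "__main__":
    for name, index in misrouted_inputs(SAMPLE_INPUTS_CONF):
        print(f"{name}: index={index or '<unset>'} (expected {EXPECTED_INDEX})")
```

To check the effective merged configuration on a heavy forwarder instead of a single file, pass the output of `splunk btool inputs list` to `misrouted_inputs`.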

Per-Topology Checklists

Single Splunk instance

Install all required and recommended apps on the same instance. Splunk auto-creates both indexes (sap_logserv_logs and _ai_assistant_audit) when the Data TA loads on first start.

Distributed (DS + HFs + on-prem SH+IDX)

| Tier | Install |
|---|---|
| Search Head | LogServ App, MCP Server (7931), Splunk AI Assistant (200), CIM add-ons (Unix/Linux, Windows, Squid, ISC BIND) |
| Indexer | LogServ Data TA (provides indexes.conf for both indexes), CIM add-ons |
| Deployment Server | LogServ Data TA (manages filter UI and pushes Data TA to HFs), CIM add-ons |
| Heavy Forwarders | Receive LogServ Data TA via the DS automatically. Install the AWS add-on (1876) and the CIM add-ons directly. |

Distributed (DS + HFs + Splunk Cloud SH)

| Tier | Install |
|---|---|
| Splunk Cloud Search Head | LogServ App, MCP Server (7931), Splunk AI Assistant (200), CIM add-ons |
| Splunk Cloud Indexer tier | Handled by the Splunk Cloud admin. Either (a) install the LogServ Data TA there to use the bundled index defs, OR (b) the Cloud admin manually creates sap_logserv_logs and _ai_assistant_audit via the Splunk Cloud UI (see Why does the Data TA need to go on the Indexer?). |
| Deployment Server | LogServ Data TA, CIM add-ons |
| Heavy Forwarders | Receive LogServ Data TA via the DS. Install the AWS add-on (1876) and the CIM add-ons directly. |

Next Steps