Apps and Add-Ons are part of the Splunk ecosystem to help users extend the functionality of the tool. The naming convention seems to confuse people, so let’s do a quick overview.
I don’t like using words like “usually” or “typically” in definitions, but in this case, it’s necessary. The terminology has some gray areas, and people use the terms interchangeably.
Splunk Apps
Splunk Apps are usually a collection of front-end components like dashboards, reports, and alerts. Once installed, they typically don’t require any additional configuration to start using them. They also tend to accompany an Add-On.
Example Splunk Apps:
- Splunk Security Essentials
- Splunk Dashboard Examples
- Splunk App for AWS Security Dashboards (This is an app that accompanies the Splunk Add-on for AWS)
Splunk Add-Ons
Splunk Add-Ons are typically used to collect data, parse it, and normalize it. Apart from configuration pages, they typically don’t have any front-end components. Once installed, you usually need to configure them to start using them. You might also hear them referred to as “TA” (Technology Add-On).
Example Splunk Add-Ons:
- Splunk Add-on for Microsoft Windows
- Splunk Add-on for Unix and Linux
- Splunk Add-on for AWS (The data pulled in by this Add-On can be visualized using the Splunk App for AWS Security Dashboards)
Summary
At the end of the day, there is no hard line between what an App and an Add-On can do. Many people use the terms interchangeably. The key takeaway is that Apps usually have front-end components, while Add-Ons are more focused on data collection and normalization. If you hear someone say the term “App”, “Add-On”, or “TA”, they’re talking about an installed package that extends Splunk’s functionality.
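The App versus Add-On distinction shows up in what a package actually ships, which is worth checking before installing one. The sketch below is an added example, not code from Splunk or from this post: it labels a package from its file listing using standard Splunk file locations (`default/data/ui/views/`, `savedsearches.conf`, `inputs.conf`, `props.conf`, `transforms.conf`, `eventtypes.conf`, `tags.conf`); the function names, labels, and sample listings are made up for illustration.

```python
import posixpath
import tarfile

# Standard Splunk config file names, grouped by the roles the article describes.
FRONT_END = {"savedsearches.conf": "reports/alerts"}
DATA_SIDE = {"inputs.conf": "collect", "props.conf": "parse",
             "transforms.conf": "parse", "eventtypes.conf": "normalize",
             "tags.conf": "normalize"}

def classify(paths):
    """Label a package from its relative paths (<app_name>/default/...)."""
    front, data = set(), set()
    for raw in paths:
        parts = posixpath.normpath(raw).split("/")
        # parts[0] is the app directory; config lives under default/ or local/.
        if len(parts) < 3 or parts[1] not in ("default", "local"):
            continue
        name = parts[-1]
        if parts[2:-1] == ["data", "ui", "views"] and name.endswith(".xml"):
            front.add("dashboards")      # Simple XML views
        elif len(parts) == 3 and name in FRONT_END:
            front.add(FRONT_END[name])
        elif len(parts) == 3 and name in DATA_SIDE:
            data.add(DATA_SIDE[name])
    if front and data:
        label = "mixed"                  # the article's gray area
    elif front:
        label = "app-like"
    elif data:
        label = "add-on-like"
    else:
        label = "unknown"
    return {"label": label, "front_end": sorted(front), "data_side": sorted(data)}

def paths_from_package(path):
    """List the members of a .tgz or .spl package (both are gzipped tarballs)."""
    with tarfile.open(path, "r:gz") as tar:
        return tar.getnames()

# Constructed listings for illustration, not taken from any real package.
SAMPLE_APP = ["demo_app/default/app.conf",
              "demo_app/default/data/ui/views/overview.xml",
              "demo_app/default/savedsearches.conf"]
SAMPLE_TA = ["Demo_TA/default/app.conf", "Demo_TA/default/inputs.conf",
             "Demo_TA/default/props.conf", "Demo_TA/default/tags.conf",
             "Demo_TA/bin/collector.py"]

if __name__ == "__main__":
    for listing in (SAMPLE_APP, SAMPLE_TA):
        print(classify(listing))
```

An Add-On that ships its configuration pages as views comes back as "mixed", which matches the point that there is no hard line between the two.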