1. Installing OPSWAT MetaAccess Splunk Add-on

This Add-on is supported on all tiers of a distributed Splunk platform deployment and also on standalone Splunk instances. The table below provides a reference for installing the add-on in a distributed Splunk deployment:

| Splunk instance type | Supported | Required | Comments |
|---|---|---|---|
| Search Heads | Yes | No | All the data parsing will be done on heavy forwarder only. |
| Indexers | Yes | No | All data parsing will be done on heavy forwarder only. |
| Heavy Forwarders | Yes | Yes | This Add-on supports only heavy forwarder for data collection. |
| Universal Forwarder | No | No | This Add-on contains Python scripts to make API calls, hence not supported on Universal Forwarder. |

Follow the steps below to install the OPSWAT MetaAccess Add-on for Splunk:

  1. Download the Add-on from Splunkbase.

  2. Install the Add-on on the Heavy Forwarder of your distributed deployment. If you are on Splunk Cloud, you can also install it on the IDM.
    2.1 Log in to the Splunk server, go to “Manage Apps”, select the “Install app from file” button, and upload the bundle downloaded in step 1.
    2.2 Alternatively, extract the bundle on the backend under $SPLUNK_HOME/etc/apps, where $SPLUNK_HOME is your Splunk installation directory.

  3. After installation, restart the Splunk service.
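
Step 2.2 as an added shell example (not part of the OPSWAT documentation): before extracting, it checks that the bundle unpacks into a single app directory and contains no absolute or `..` paths. It assumes the bundle is a gzip-compressed tar archive; the function names and the bundle path are hypothetical.

```shell
#!/bin/sh
# Added example: checks an add-on bundle before unpacking it (step 2.2).
# Assumption: the bundle is a gzip-compressed tar archive.

# Print the single top-level directory of the bundle, or fail if any entry
# is absolute, contains a ".." component, or sits outside that directory.
bundle_app_dir() {
    bundle=$1
    [ -f "$bundle" ] || { echo "no such bundle: $bundle" >&2; return 1; }
    entries=$(tar -tzf "$bundle") || { echo "not a readable tar.gz" >&2; return 1; }
    [ -n "$entries" ] || { echo "empty bundle" >&2; return 1; }

    # Reject absolute paths and parent-directory components.
    if printf '%s\n' "$entries" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "bundle contains unsafe paths" >&2
        return 1
    fi

    # Every entry must live under one top-level directory (the app folder).
    tops=$(printf '%s\n' "$entries" | sed 's|^\./||' | cut -d/ -f1 | sort -u)
    [ "$(printf '%s\n' "$tops" | wc -l)" -eq 1 ] || {
        echo "bundle has more than one top-level entry" >&2
        return 1
    }
    printf '%s\n' "$tops"
}

# Validate, then extract into the apps directory (hypothetical helper name).
# -o: do not restore the archive's owner/group when running as root.
install_addon_bundle() {
    bundle=$1
    apps_dir=$2
    [ -d "$apps_dir" ] || { echo "no such directory: $apps_dir" >&2; return 1; }
    app=$(bundle_app_dir "$bundle") || return 1
    tar -xzo -f "$bundle" -C "$apps_dir" || return 1
    printf '%s\n' "$apps_dir/$app"
}

# Usage on the heavy forwarder (bundle path is a placeholder):
#   install_addon_bundle /tmp/<downloaded-bundle>.tgz "$SPLUNK_HOME/etc/apps"
#   "$SPLUNK_HOME/bin/splunk" restart
```
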

You can find more details on how to install an add-on based on your deployment type below: