Splunk Product Editions (SKUs) Supported by uberAgent
Splunk comes in multiple product editions:
- Splunk Enterprise
- Splunk Cloud
- Splunk Free
- Splunk Light (discontinued as of 2020-05-01)
Splunk Enterprise, Splunk Free, and Splunk Light are hosted on-premises while Splunk Cloud is hosted by Splunk.
Out of these SKUs, Splunk Enterprise and Splunk Cloud are fully supported by uberAgent.
After installation, Splunk operates in Enterprise mode for 60 days. After that, it reverts to Free mode if no license is added.
During the 60-day trial period, Splunk is restricted to a data volume of 500 MB per day.
To use uberAgent in Splunk Cloud, a customer needs to file a Splunk support ticket to get the uberAgent apps installed. The cloud vetting team will then review the apps and approve them for Splunk Cloud installation.
The following apps are available in Splunk Cloud:
After the uberAgent apps have been installed in your Splunk Cloud environment, some manual actions need to be taken. This knowledgebase article contains all the necessary details.
uberAgent generally works well with Splunk Free except for one thing: Splunk bug SPL-40332 breaks not the initial creation but the update of CSV lookup tables. To work around that, we had to replace the
action.populate_lookup in a saved search. That, however, is a feature not enabled with Splunk Free.
As a result, uberAgent does not work correctly on Splunk Free until SPL-40332 has been fixed in a future version of Splunk.
However, using this workaround, the lookup table can be generated manually.
Splunk Light has a very limited feature set that does not even include the installation of apps (see Splunk Light vs. Splunk Enterprise). Due to these limitations, uberAgent cannot work with Splunk Light.