If you are using Splunk 6.3 or later, SOS is deprecated. You should use the Distributed Management Console (DMC) instead. Note this is now the Monitoring Console (MC) in 6.5.
So, a Splunk app is a bundle of config files. Maybe a script or two. Maybe some HTML or Django.
An "App" is an app that provides a front end for visualizing data.
An "Add-on" is an app that provides back end functionality. This can be running scripts to gather data from APIs, data parsing config, entirely new Splunk functionality in the form of new visualizations or new commands, etc.
A "TA" is a technology add-on. These are sometimes for gathering data from APIs, and universally for parsing data. Splunk-certified or Splunk-written TAs will conform to the CIM.
Add-ons usually go on the indexers and search heads. Apps go on the search head only. This is a generalization; there are other cases where this is different, and it also leaves out heavy forwarders.
For Windows and Linux logs, you will want at minimum the Windows and Linux TAs:
https://splunkbase.splunk.com/app/742/
https://splunkbase.splunk.com/app/833/
*These two TAs provide scripted inputs, so they will need to go on your forwarders as well as your indexers and search heads.
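To make the "bundle of config files" concrete, here is an added illustration (not from the answer above and not a real Splunkbase TA): a hypothetical add-on called TA-example with the three conf files that most TAs carry. The app name, script path, sourcetype and field names are made up; the stanza and key names are standard Splunk settings. Each file is shown under a comment giving its path inside the app directory.

```ini
# default/app.conf -- marks the bundle as a headless add-on (hypothetical TA-example)
[install]
is_configured = 1
state = enabled

[ui]
is_visible = 0
label = TA-example (hypothetical)

[package]
id = TA-example

# default/inputs.conf -- a scripted input; this stanza is why the TA must also live on the forwarders
# (bin/collect.sh is a placeholder for whatever script pulls data from the API)
[script://./bin/collect.sh]
interval = 300
sourcetype = example:api
index = main
disabled = 0

# default/props.conf -- index-time settings are applied where parsing happens (indexers / heavy
# forwarders); FIELDALIAS- and EVAL- settings are search-time and are applied on the search head
[example:api]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 25
# CIM-style aliases so the vendor's field names map onto the common src/dest/action fields
FIELDALIAS-cim_src = source_ip AS src
FIELDALIAS-cim_dest = destination_ip AS dest
EVAL-action = if(status=="ok", "allowed", "blocked")
```

This layout is what drives the placement rule in the answer: the inputs.conf stanza only does anything on the host that runs the script (forwarder), the line-breaking and timestamp settings only matter where events are parsed (indexer or heavy forwarder), and the CIM field aliases only matter where searches run (search head). Deploying the same TA everywhere is simpler than splitting it, which is why the scripted-input TAs above go to all three tiers.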