Splunk® Universal Forwarder

Forwarder Manual

Download manual as PDF

Download topic as PDF

Upgrade the Windows universal forwarder

When you upgrade a universal forwarder, the installer updates the software without changing its configuration. You must make any necessary configuration changes after you complete the upgrade. A deployment server can assist in the configuration update process.

There are several forwarder upgrade scenarios:

  • You can upgrade a single forwarder with the GUI installer
  • You can upgrade a single forwarder with the command line installer
  • You can perform a remote upgrade of a group of forwarders (good for deployments of any size)

Prerequisites to upgrading a universal forwarder

Confirm that you understand or have all of the following prior to upgrading a forwarder.

Confirm that an upgrade is necessary

Before you upgrade, consider whether you really need to. In most cases, you do not have to upgrade a forwarder. Forwarders are always compatible with later versions of indexers, so you do not need to upgrade them just because you have upgraded the indexers that they send data to.

A case where you might need to upgrade a forwarder is if a later version of the forwarder includes a feature that is not available in the installed forwarder version.

You must perform any platform architecture changes manually

You cannot upgrade a 32-bit version of the universal forwarder with a 64-bit universal forwarder installer. To upgrade from 32-bit to 64-bit, follow these instructions:

  1. Back up your configurations, including any apps or add-ons (in %SPLUNK_HOME%\etc\apps). Also back up the checkpoint files located in %SPLUNK_HOME%\var\lib\modinputs.
  2. Uninstall the existing 32-bit forwarder, as described in Uninstall the universal forwarder.
  3. Install the 64-bit forwarder, as described in Install the universal forwarder from an installer.
  4. Restore apps, configurations and checkpoints by copying them to the appropriate directories:
%SPLUNK_HOME%\etc\system\local for configuration files.
%SPLUNK_HOME%\etc\apps for apps and add-ons.
%SPLUNK_HOME%\var\lib\modinputs for checkpoint files.

Back your files up

Before you perform an upgrade, back up configuration files. See Back up configuration information in the Splunk Enterprise Admin manual.

There is no means of downgrading to a previous version. If you need to revert to an older forwarder release, uninstall the current version and reinstall the older release.

Upgrade a single forwarder using the GUI installer

You can upgrade a single forwarder with the GUI installer. The installer stops the forwarder as part of the upgrade process.

  1. Download the new MSI file from the universal forwarder download page.
  2. Double-click the MSI file. The installer displays the "Accept license agreement" panel.
  3. Accept the license agreement and click "Install." The installer upgrades the forwarder, retains the existing configuration, and starts automatically when you complete the installation.

The installer puts a log of upgrade changes in the %TEMP% directory (This is usually the C:\TEMP directory but can be different based on your Windows machine configuration.) It also reports any errors in the Application Event Log.

Upgrade a single forwarder using the command line

You can upgrade a single forwarder by running the command line installer. To upgrade a group of forwarders, load the command line installer into a deployment tool such as Group Policy or System Center Configuration Manager, as described in Perform a remote upgrade.

You cannot make configuration changes during an upgrade. The installer ignores any command line flags that you specify except for the AGREETOLICENSE flag.

  1. Download the new MSI file from the Splunk universal forwarder download page.
  2. Run msiexec.exe to Install the universal forwarder from the command line.
    • For 32-bit platforms, use splunkuniversalforwarder-<...>-x86-release.msi.
          msiexec.exe /i splunkuniversalforwarder-<...>-x86-release.msi [AGREETOLICENSE=Yes /quiet]
    
    • For 64-bit platforms, use splunkuniversalforwarder-<...>-x64-release.msi.
          msiexec.exe /i splunkuniversalforwarder-<...>-x64-release.msi [AGREETOLICENSE=Yes /quiet]
    

    The value of <...> varies according to the particular release, for example, splunkuniversalforwarder-6.3.0-aa7d4b1ccb80-x64-release.msi.

  3. Wait for the upgrade to complete. The forwarder starts automatically when you complete the installation.

The installer puts a log of upgrade changes in the %TEMP% directory. It also reports any errors in the Application Event Log.

Perform a remote upgrade of one or more forwarders

You can use a deployment tool such as Group Policy or System Center Configuration Manager to distribute the forwarder software among a group of forwarders in your environment. You might want to test the upgrade locally on one machine before performing a remote upgrade across all your forwarders.

See Upgrade using the command line, for details on the command line syntax to use in the deployment tool.

The Splunk Enterprise deployment server cannot distribute the universal forwarder, only its apps and configurations. Do not attempt to use deployment server to distribute universal forwarders.

  1. Download the new MSI file from the Splunk universal forwarder download page.
  2. Load the MSI into your deployment tool. In the tool, specify the command line as follows.
       msiexec.exe /i splunkuniversalforwarder-<...>.msi AGREETOLICENSE=Yes /quiet
    
  3. Start the deployment with your deployment tool.
  4. Use the deployment monitor to verify that the universal forwarders function properly.
PREVIOUS
Supported CLI commands
  NEXT
Upgrade the *nix universal forwarder

This documentation applies to the following versions of Splunk® Universal Forwarder: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.1.0, 7.1.1, 7.1.2


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters