Upgrading a forwarder from 2.x to 3.x
This documentation does not apply to the most recent version of Splunk.
The procedure for upgrading a Splunk forwarder from 2.x to 3.x is identical to that of any Splunk install, with a few additional steps.
Note: This procedure assumes you have set the $SPLUNK_HOME environment variable. To do this, execute the following command (where pathtoSplunk = the path to your Splunk install):
    source pathtoSplunk/bin/setSplunkEnv
To upgrade a forwarder from 2.x to 3.x:
- Follow the procedures for upgrading Splunk 2.x to 3.x.
- Patch splunkd.xml.
  # Go to the directory containing splunkd.xml.
      cd $SPLUNK_HOME/etc/myinstall
  # Apply the patch for forwarders to splunkd.xml.
      patch -p0 < /path/to/splunkd.xml-2.x-3.x-forwarder.patch
- Convert config.xml to outputs.conf.
  # Go to the TCP directory.
      cd $SPLUNK_HOME/etc/modules/output/TCP
  # Execute the following command:
      $SPLUNK_HOME/bin/splunk _internal configfix-fwd config.xml -save-to $SPLUNK_HOME/etc/bundles/local/outputs.conf
- Rename config.xml to config.xml.old (to have a backup).
      mv config.xml config.xml.old
- If you have enabled local indexing, add the key indexAndForward=true under the [tcpout] stanza in outputs.conf. If you haven't enabled local indexing, skip this step.
- Start Splunk.
Your upgrade is now complete.
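The rename and the indexAndForward edit are manual steps, so the following added example (not part of the Splunk documentation) guards the rename on a usable converted file and sets the key in a way that is safe to re-run. It assumes outputs.conf is INI-style and that the converted file contains a [tcpout stanza; the function names and the sample values in demo are made up for illustration.

```shell
#!/bin/sh
# Added example, not Splunk's tooling. Assumes outputs.conf is INI-style:
# [stanza] headers followed by key=value lines.

# retire_config_xml XML OUTPUTS
# Rename XML to XML.old only if the converted OUTPUTS file is non-empty and
# has a [tcpout...] stanza (assumed to be what configfix-fwd writes).
retire_config_xml() {
    xml=$1; out=$2
    if [ ! -s "$out" ] || ! grep -q '^\[tcpout' "$out"; then
        echo "refusing to rename $xml: no [tcpout stanza in $out" >&2
        return 1
    fi
    mv "$xml" "$xml.old"
}

# set_index_and_forward OUTPUTS
# Put indexAndForward=true directly under [tcpout], dropping any older
# indexAndForward line in that stanza. [tcpout:<group>] stanzas are left
# alone; a [tcpout] stanza is appended if none exists. Safe to re-run.
set_index_and_forward() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    awk '
        /^[ \t]*\[/ {                       # any stanza header
            in_tcpout = ($0 ~ /^[ \t]*\[tcpout\][ \t]*$/)
            print
            if (in_tcpout && !seen) { print "indexAndForward=true"; seen = 1 }
            next
        }
        in_tcpout && /^[ \t]*indexAndForward[ \t]*=/ { next }   # old value
        { print }
        END { if (!seen) { print ""; print "[tcpout]"; print "indexAndForward=true" } }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep a backup, then overwrite in place so mode and owner are preserved.
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# demo: run the edit on a constructed outputs.conf (sample values are made up).
demo() {
    d=$(mktemp -d) || return 1
    printf '[tcpout]\ndefaultGroup=indexers\n\n[tcpout:indexers]\nserver=192.0.2.10:9997\n' > "$d/outputs.conf"
    set_index_and_forward "$d/outputs.conf" && cat "$d/outputs.conf"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

In the procedure, call retire_config_xml in place of the plain mv, and call set_index_and_forward on $SPLUNK_HOME/etc/bundles/local/outputs.conf only if local indexing is enabled.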
This documentation applies to the following versions of Splunk: 3.1.4