Distributed Deployment Manual

 


Upgrade your deployment

Upgrade the universal forwarder for *nix systems

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Upgrade the universal forwarder for *nix systems

This topic describes the procedure for upgrading your Splunk universal forwarder from version 4.2+ to a later 4.2.x version.

Important: Before doing an upgrade, consider whether you really need to. In most cases, there's no compelling reason to upgrade a forwarder. Forwarders are always compatible with later version indexers, so you do not need to upgrade them just because you've upgraded the indexers they're sending data to.

This topic describes two upgrade scenarios:

  • Upgrade a single forwarder manually
  • Perform a remote upgrade of a group of forwarders

For deployments of any size, you will most likely want to use this second scenario.

Before you upgrade

Be sure to read this section before performing an upgrade.

Back your files up

Before you perform the upgrade, we strongly recommend that you back up your Splunk configuration files. For information on backing up configurations, read "Back up configuration information" in the Admin manual.

Splunk does not provide a means of downgrading to a previous version; if you need to revert to an older forwarder release, just reinstall it.

How upgrading works

When you upgrade, your configuration files are not actually changed until you start the forwarder after performing the installation of the new version. You can run the migration preview utility at that time to see what will be changed before the files are updated. If you choose to view the changes before proceeding, a file containing the changes that the upgrade script proposes to make is written to $SPLUNK_HOME/var/log/splunk/migration.log.<timestamp>

Upgrade a single forwarder

1. Execute the stop command:

     $SPLUNK_HOME/bin/splunk stop

Important: Make sure no other processes will start the forwarder automatically (such as Solaris SMF).

2. Install the Splunk package over your existing Splunk deployment:

  • If you are using a .tar file, expand it into the same directory with the same ownership as your existing universal forwarder instance. This overwrites and replaces matching files but does not remove unique files.
  • If you are using a package manager, such as an RPM, type rpm -U <splunk_package_name>.rpm
  • If you are using a .dmg file (on MacOS), double-click it and follow the instructions. Be sure to specify the same installation directory as your existing installation.
  • If you use init scripts, be sure to include the following so the EULA gets accepted:
      ./splunk start --accept-license

3. Execute the start command:

     $SPLUNK_HOME/bin/splunk start

The following output is displayed:

This appears to be an upgrade of Splunk.
--------------------------------------------------------------------------------
Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk's installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.
You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:
If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose 'y'.
If you want to see what changes will be made before you proceed with the
upgrade, choose 'n'.
Perform migration and upgrade without previewing configuration changes? [y/n]

4. Choose whether you want to run the migration preview script to see what changes will be made to your existing configuration files, or proceed with the migration and upgrade right away.

5. If you choose to view the expected changes, the script provides a list.

6. Once you've reviewed these changes and are ready to proceed with migration and upgrade, run $SPLUNK_HOME/bin/splunk start again.

Note: You can complete Steps 3 to 5 in one line:

  • To accept the license and view the expected changes (answer 'n') before continuing the upgrade:
      $SPLUNK_HOME/bin/splunk start --accept-license --answer-no
  • To accept the license and begin the upgrade without viewing the changes (answer 'y'):
      $SPLUNK_HOME/bin/splunk start --accept-license --answer-yes

Perform a remote upgrade

To upgrade a group of forwarders across your environment:

1. Upgrade the universal forwarder on a test machine, as described above.

2. Create a script wrapper for the upgrade commands, as described in "Remotely deploy a nix universal forwarder with a static configuration". You will need to modify the sample script to meet the needs of an upgrade.

3. Run the script on representative target machines to verify that it works with all required shells.

4. Execute the script against the desired set of hosts.

5. Use the deployment monitor to verify that the universal forwarders are functioning properly.

This documentation applies to the following versions of Splunk: 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!