Splunk® Enterprise

Updating Splunk Enterprise Instances

Upgrade pre-9.2 deployment servers

Aspects of the deployment server have been significantly enhanced in 9.2 to improve performance and manageability. In addition, the improvements enable multiple deployment servers to coordinate their activities in a deployment server cluster, as described in Implement a deployment server cluster.

Because of these architectural improvements, a deployment server upgrade that crosses the 9.2 release automatically applies a number of changes. For standalone deployment servers, you do not need to do anything beyond the normal process of upgrading a Splunk Enterprise instance. In addition, deployment clients, including pre-9.2 clients, continue to operate seamlessly with the updated deployment servers.

However, if you examine the standalone deployment server's directories, you will notice some differences. In particular, there is a new system-generated app, etc/apps/SplunkDeploymentServerConfig, which contains configuration files necessary to the proper functioning of the deployment server. Do not alter this directory or its files in any way. Note that this app is not a deployment app and so does not reside in etc/deployment-apps.

In addition, the system places new configurations in savedsearches.conf and macros.conf. Do not edit these system-generated configurations.

The deployment server also generates new logs in response to client phone home activity. It places them in the client_events directory, which is new in 9.2.

Possible issues with upgrade

Data not appearing in forwarder management UI following upgrade

This problem can occur if your deployment server forwards its data to a standalone indexer or to the peer nodes of an indexer cluster. To fix it, add these settings to outputs.conf on the deployment server:

[indexAndForward]
index = true
selectiveIndexing = true

If you add these settings post-upgrade, you might need to restart the deployment server.

Indexers require new internal deployment server indexes

The deployment server uses several internal indexes new to 9.2. These indexes are included in all indexers at the 9.2 level and above, but if you try to forward data from those indexes to a pre-9.2 indexer, problems can result.

To avoid problems, create these new internal deployment server indexes in indexes.conf on any pre-9.2 indexers in your environment:

[_dsphonehome]
[_dsclient]
[_dsappevent]

If the indexers are at version 9.2 or above, they will already be configured with those indexes.

If you add those indexes to peer nodes on an indexer cluster, be sure to set repFactor = auto, as you must for all peer node indexes.

Data does not appear when forwarded through an intermediate forwarder

This problem can occur if your deployment server forwards its internal index data through an intermediate forwarder to a standalone indexer or to the peer nodes of an indexer cluster. To fix it, add this setting to outputs.conf on the intermediate forwarder:

[tcpout]
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent)

If you specify the configuration within a deployment app and use the deployment server to deploy the app to the affected intermediate forwarders, you can later uninstall the app when the intermediate forwarders are upgraded to a future release that incorporates the update.
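The three fixes above can be checked from the configuration text itself. This is an added example, not part of Splunk's documentation: the function names and the small parser are hypothetical, each function reads a single file's text rather than Splunk's merged configuration, and the whitelist pattern is assumed to be matched against the whole index name.

```python
import re

DS_INDEXES = ("_dsphonehome", "_dsclient", "_dsappevent")

def parse_conf(text):
    """Minimal .conf reader: {stanza: {key: value}}, skipping comments and blanks."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def check_deployment_server(outputs_text):
    """Settings from the page that are missing or differ in [indexAndForward]."""
    stanza = parse_conf(outputs_text).get("indexAndForward", {})
    wanted = {"index": "true", "selectiveIndexing": "true"}  # values as shown on the page
    return [k for k, v in wanted.items() if stanza.get(k, "").lower() != v]

def check_indexer(indexes_text, cluster_peer=False):
    """Problems with the three _ds* index stanzas on a pre-9.2 indexer."""
    conf, problems = parse_conf(indexes_text), []
    for name in DS_INDEXES:
        if name not in conf:
            problems.append(f"{name}: stanza missing")
        elif cluster_peer and conf[name].get("repFactor") != "auto":
            problems.append(f"{name}: repFactor is not auto")
    return problems

def check_intermediate_forwarder(outputs_text):
    """_ds* indexes that forwardedindex.2.whitelist in [tcpout] does not cover."""
    pattern = parse_conf(outputs_text).get("tcpout", {}).get("forwardedindex.2.whitelist")
    if pattern is None:
        return list(DS_INDEXES)
    # Assumption: the pattern is applied to the whole index name.
    return [i for i in DS_INDEXES if not re.fullmatch(pattern, i)]

# Constructed sample: a forwarder whose whitelist predates the _ds* indexes.
OLD_FORWARDER = "[tcpout]\nforwardedindex.2.whitelist = (_audit|_internal|_introspection)\n"

if __name__ == "__main__":
    print(check_intermediate_forwarder(OLD_FORWARDER))
```

An empty list from each function means the corresponding file already carries the settings described above.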

Last modified on 27 February, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1

