Upgrade to Splunk App for VMware 3.4.4
Step 1: Download the files from Splunkbase
- Download the Splunk App for VMware version 3.4.4 from Splunkbase to a location in your environment.
- Download the Splunk Add-on for for VMware version 3.4.4 from Splunkbase to a location in your environment.
- Download the Splunk OVA for VMware version 3.4.4 from Splunkbase to a location in your environment.
Step 2: Upgrade scheduler
Note: Make sure splunk_vmware_admin role has admin_all_objects capability.
- Stop your Scheduler. You can do this by stopping the Splunk platform on your Splunk search head, or you can stop the scheduler in the Collection Configuration page of your deployment.
- Overwrite splunk_TA_vmware, SA-Hydra and SA-VMNetAppUtils on your scheduler with new versions.
- Delete splunk_for_vmware, Splunk_TA_esxilogs, Splunk_TA_vcenter, SA-VMW-Performance, SA-VMW-LogEventTask, SA-VMW-HierarchyInventory, SA-VMWIndex and TA-VMW-FieldExtractions from your scheduler.
- (Optional) If you are using your scheduler to collect data and want to keep the Splunk App for VMware running, then install and upgrade all app components.
Step 3: Upgrade forwarder (DCN)
Note: Make sure splunk_vmware_admin role has admin_all_objects capability.
- Verify that your DCN components are the same as the components on your vCenter.
- (Optional) If your DCN is on version 6.2.x or earlier, upgrade your DCN's Splunk platform to version 7.0.0 and higher.
- Overwrite versions of Splunk_TA_vmware, SA-Hydra, SA-VMNetAppUtils and Splunk_TA_esxilogs on each data collection node with new versions.
Step 4: Upgrade indexer
- Enable maintenance mode on cluster master node.
- Navigate to the apps folder for your deployment (etc/apps for non-indexer cluster deployments, and etc/master-apps for indexer clustering deployments) and overwrite splunk_TA_esxilogs, splunk_TA_vcenter, and SA-VMWIndex on the cluster master node with new versions.
- Remove SA-Hydra, SA-VMNetAppUtils, Splunk_TA_vmware, and TA-VMW-FieldExtraction, if present.
- Push configuration bundle from cluster master node.
Step 5: Upgrade search head
Note: Make sure splunk_vmware_admin role has admin_all_objects capability.
For search head cluster deployments
- Upgrade all the components on search head deployer. Components are located in etc/apps.
- Copy the local folder from etc/apps/Splunk_TA_vmware from Search head to etc/shcluster/apps/TA-VMW-FieldExtractions on deployer.
- Delete Splunk_TA_vmware from etc/shcluster/apps/ on your deployer.
- Delete savedsearches.conf and tsidx_retention.conf from
etc/shcluster/apps/SA-VMW-Performance/default/
on your deployer before applying the upgrade bundle. - Push app bundle from deployer. The deployer will restart all the search head cluster members after the upgrade is applied. If deployer does not restart the search head cluster members, perform a rolling restart.
For dedicated search head deployments
- Upgrade all the components on Search head. Components are located in etc/apps.
- Copy the local folder from Splunk_TA_vmware to TA-VMW-FieldExtractions from etc/apps on Search head.
- Delete Splunk_TA_vmware from etc/apps/.
- Delete savedsearches.conf and tsidx_retention.conf from etc/apps/SA-VMW-Performance/default/ on your Search head.
- Splunk restart on Search head.
Step 6: Upgrade the forwarder on your vCenter server(s) This applies only to Windows-based vCenter servers - not vCSA.
- Stop your Splunk forwarder.
- On your vCenter server, navigate to splunkforwarder/etc/apps, and overwrite Splunk_TA_vcenter.
- Delete your local directory.
- Copy inputs.conf to local and enable stanza as per the vCenter server in this environment.
- Confirm under etc/system/local/output.conf, server entries to forward vclogs are present.
- Restart your forwarder.
Note: If you forward logs directly to Splunk indexes, or use an intermediate syslog forwarder, you do not need to set the inputs for vCenter logs.
Step 7: Start the scheduler
- Navigate to the Collection Configuration page of the Splunk Add-on for VMware on your scheduler.
- Start your scheduler.
Validate the Splunk App for VMware upgrade on your search head
Validate that you correctly upgraded the Splunk App for VMware to the latest version and that the app can collect data.
- Log in to the Splunk App for VMware on your search head.
- When the app displays the Splunk for VMware Setup page, select the Delete all deprecated Add-ons checkbox under Disable/delete old add-ons. The app removes all legacy add-ons from the installation. This removes saved searches of SA-VMW-Performance that are no longer in use.
- Save your configurations, and restart your Splunk platform deployment.
Manually remove legacy add-ons
If you launched Splunk App for VMware but did not check Delete all deprecated Add-ons on the setup page, you can manually remove the legacy add-ons from your installation.
- Stop the Splunk platform on your search head.
- Delete the
hydra_job.conf
file in the$SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local
folder on the Splunk Search head. - Remove the
SA-VMW-Licensecheck
folder from the$SPLUNK_HOME/etc/apps
folder on your Splunk search head. Do this for each server upon which you installed the Splunk App for VMware. - The below table shows the specific legacy add-ons, located in the
$SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local
folder of the Splunk App for VMware, to delete when upgrading:DA-VMW-HierarchyInventory
DA-VMW-LogEventTask
DA-VMW-Performance
SA-VMW-Licensecheck
- Restart your Splunk platform.
Additional information
See "Platform and Hardware Requirements" in this manual for supported Splunk platform versions for this release. See "How to upgrade Splunk Enterprise" to upgrade to a new version of the Splunk platform.
For information on upgrading from tsidx namespaces to data model acceleration, see the "Upgrade from tsidx namespaces to data model acceleration" section of the troubleshooting section of this manual.
Troubleshoot Splunk App for VMware |
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.4.4
Feedback submitted, thanks!