Upgrade the Splunk Add-on for AWS
Upgrade to the latest version of the Splunk Add-on for Amazon Web Services (AWS). Upgrades to version 5.2.0 and later are possible only from version 5.0.3 or later. For upgrading the Splunk Add-on for AWS on Splunk Cloud deployments, contact your Splunk Cloud administrator.
The following table displays the version where the prerequisite was introduced, and a description for each prerequisite.
|Minimum Version||Prerequisite description|
|7.1.0||Starting in version 7.1.0 of the Splunk Add-on for AWS, the checkpoint mechanism was migrated to the Splunk KV store for the Billing Cost and Usage Report, Cloudwatch Metrics, and Incremental S3 inputs.
Disable all the Billing Cost and Usage Report, CloudWatch metrics, and Incremental S3 inputs before you upgrade the add-on to version 7.1.0. Otherwise, you might see errors in the log files, resulting in data loss/duplication against your already configured inputs.
|7.0.0||If you are using SQS-based S3 inputs and your add-on version is 7.0.0 or higher, then make sure the |
Configure SQS-based S3 inputs for the Splunk Add-on for AWS topic for more information.
|6.3.0||Starting in version 6.3.0 of the Splunk Add-on for AWS, the VPC Flow log extraction format has been updated to include v3-v5 fields. Before upgrading to versions 6.3.0 and higher of the Splunk Add-on for AWS, Splunk platform deployments ingesting AWS VPC Flow Logs must update the log format in AWS VPC to include v3-v5 fields in order to ensure successful field extractions.
|6.2.0||Starting in version 6.2.0 of the Splunk Add-on for AWS, the Description input is deprecated. The best practice is to use the Metadata.
|6.0.0||Version 6.0.0 of the Splunk Add-on for AWS includes a merge of all the capabilities of the Splunk Add-on for Amazon Kinesis Firehose. This means you can configure the Splunk Add-on for AWS to ingest across all AWS data sources for ingesting AWS data into Splunk.|
- Verify that you are running version 8.0.0 or later of the Splunk platform.
- (Optional) Plan your Splunk Enterprise upgrade to work with the Python 3 migration.
- Disable all running inputs.
- Disable or delete the running inputs for Description Input, if configured.
- Delete the pycache directory found in
- (Optional) If you use both the Splunk Add-on for Amazon Kinesis Firehose as well as the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Kinesis Firehose, including removal of the existing
Splunk_TA_aws-kinesis-firehosefolder from all applicable
$SPLUNK_HOMEapp directories, after upgrading the Splunk Add-on for AWS to version 6.0.0 or later. This is in order to avoid any data duplication and discrepancy issues.
Data that you previously onboarded through the Splunk Add-on for Amazon Kinesis Firehose will still be searchable, and your existing searches will be compatible with version 6.0.0 or later of the Splunk Add-on for AWS.
- (Optional) Upgrade to version 5.0.3 of the Splunk Add-on for AWS, if you have not done so already.
- Download the latest version of the Splunk Add-on for AWS from Splunkbase.
- Install the latest version of the Splunk Add-on for AWS.
- If any Description input was created using an earlier version of the add-on, create a new Metadata input as a replacement for it.
- If your inputs were configured using a version of this add-on earlier than 5.1.0, Reformat the queue URL for all SQS-based s3 inputs to use regional endpoints:
- Navigate to
$SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/, and open the
inputs.conffile using a text editor.
- Navigate to the
[aws_sqs_based_s3://<input_name>]stanza, and reformat the queue URL for all SQS-based s3 inputs using the following new url format:
Old URL format:
New URL format:
- Save your changes.
- Navigate to
- Restart your Splunk platform deployment.
- Enable all inputs.
Install the Splunk Add-on for AWS in a distributed Splunk Enterprise deployment
Manage accounts for the Splunk Add-on for AWS
This documentation applies to the following versions of Splunk® Supported Add-ons: released