Upgrade the Splunk Add-on for Unix and Linux

Use the installation steps in this manual to upgrade from versions 7.0 and above to the latest version of this add-on. To upgrade to earlier versions of this product, see the following version specific information.

Before upgrading to the Splunk Add-on for Unix and Linux versions 8.1.0 and higher, verify that you have the bash shell installed on your system. If the bash shell is not installed, the lsof and package inputs will not work.

Upgrade from version 6.0.0 or later to 7.0

Upgrade from version 6.0.0 or later to version 7.0 of the Splunk Add-on for Unix and Linux:

1. Install version 7.0.
2. On the Configuration page, the nfsiostat input now appears. It is only supported on a Linux OS.
3. Enable data collection for nfsiostat:
   1. Install the nfs-utils package.
   2. After you install the package, file system mounted events begin ingesting.

Upgrade from 5.2.4 or earlier to 7.0

First, upgrade from version 5.2.4 or earlier to 6.0:

1. Configure your local indexes.conf.
2. Configure your local inputs.conf.
3. Edit your bash history stanza.
4. Configure your app.conf.

Then, upgrade to version 7.0.

Configure your local indexes.conf

The Splunk Add-on for Unix and Linux versions 6.0 and later do not have predefined os and firedalerts indexes. You must make a local copy of the indexes.conf file before performing the upgrade.

If you upgrade the Splunk Add-on for Unix and Linux from version 5.2.4 before making a local copy of indexes.conf, the existing index configurations are not available after the upgrade and the previously indexed data may be lost. If indexes are defined and not copied over, newly ingested data may be lost. If you send data to an undefined index, data will be lost.

1. Copy $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/indexes.conf to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/indexes.conf.
2. If necessary, create the event indexes. See Create and edit event indexes.
3. To index data in a specific index, edit inputs.conf and add index = indexname in the input stanza.

Configure your local inputs.conf

The Splunk Add-on for Unix and Linux version 5.2.4 indexes data by default into an os index. Versions 6.0.0 and later index data into the default index, typically main. If you want to index data with version 7.0 into the same index used by version 5.2.4, add index = <os> or <index = firedalerts> to each input stanza in your local inputs.conf file.

1. Edit $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf.
2. Locate each input stanza and add index = <os> or <index = firedalerts>.

If you do not do these steps, the Splunk Add-on for Unix and Linux 6.0.1 and later indexes data into the default index, typically main.

Edit bash history stanza

To improve performance, version 6.0.0 and later of the Splunk Add-on for Unix and Linux renamed the stanza name for monitoring bash histories. You must update the version 5.2.4 bash_history stanza name used in your local inputs.conf file to match the new stanza name used in versions 6.0.0 and later:

1. Edit $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf.
2. Locate the stanza [monitor:///home/.../.bash_history].
3. Rename the stanza name to [monitor:///home/*/.bash_history].

If you do not do these steps, you see both [monitor:///home/.../.bash_history] and [monitor:///home/*/.bash_history] in the add-on setup page.

Configure app.conf

The Splunk Add-on for Unix and Linux versions 6.0.0 and later set configuration status to false by default. The Splunk Add-on for Unix and Linux will prompt you to perform a full setup the first time that Splunk Web launches it.

If you do not want to reconfigure the add-on after the upgrade is completed, add is_configured=true to the app.conf file.

1. Edit $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/app.conf.
2. Locate the install stanza and add is_configured=true.