Splunk® Supported Add-ons

Splunk Add-on for AWS


Upgrade the Splunk Add-on for AWS

Upgrade to the latest version of the Splunk Add-on for Amazon Web Services (AWS). Upgrades to version 5.2.0 and later are possible only from version 5.0.3 or later. For upgrading the Splunk Add-on for AWS on Splunk Cloud deployments, contact your Splunk Cloud administrator.

Starting in version 6.3.0 of the Splunk Add-on for AWS, the VPC Flow log extraction format has been updated to include v3-v5 fields. Before upgrading to versions 6.3.0 and higher of the Splunk Add-on for AWS, Splunk platform deployments ingesting AWS VPC Flow Logs must update the log format in AWS VPC to include v3-v5 fields in order to ensure successful field extractions.
For more information on updating the log format in AWS VPC, see the Configure VPC Flow Logs inputs for the Splunk Add-on for AWS topic in this manual.

Version 6.0.0 of the Splunk Add-on for AWS includes a merge of all the capabilities of the Splunk Add-on for Amazon Kinesis Firehose. This means you can configure the Splunk Add-on for AWS to ingest data from all AWS data sources into Splunk.

If you use both the Splunk Add-on for Amazon Kinesis Firehose as well as the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Kinesis Firehose after upgrading the Splunk Add-on for AWS to version 6.0.0 or later in order to avoid any data duplication and discrepancy issues.

Data that you previously onboarded through the Splunk Add-on for Amazon Kinesis Firehose will still be searchable, and your existing searches will be compatible with version 6.0.0 of the Splunk Add-on for AWS.

If you are not currently using the Splunk Add-on for Amazon Kinesis Firehose, but plan to use it in the future, then the best practice is to download and configure version 6.0.0 or later of the Splunk Add-on for AWS, instead of the Splunk Add-on for Amazon Kinesis Firehose.

Starting in version 6.2.0 of the Splunk Add-on for AWS, the Description input is deprecated. The best practice is to use the Metadata input instead.
After you upgrade to version 6.2.0 or higher of the Splunk Add-on for AWS, any Description input created in an earlier version no longer collects or indexes data and is not visible to users in the inputs table. Users cannot create a new Description input.

  1. Verify that you are running version 8.0.0 or later of the Splunk platform.
  2. (Optional) Plan your Splunk Enterprise upgrade to work with the Python 3 migration.
  3. Disable all running inputs.
  4. Disable or delete the running inputs for Description Input, if configured.
  5. Delete the pycache directory found in $SPLUNK_HOME/etc/apps/Splunk_TA_aws/pycache.
  6. (Optional) If you use both the Splunk Add-on for Amazon Kinesis Firehose as well as the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Kinesis Firehose, including removal of the existing Splunk_TA_aws-kinesis-firehose folder from all applicable $SPLUNK_HOME app directories, after upgrading the Splunk Add-on for AWS to version 6.0.0 or later. This is in order to avoid any data duplication and discrepancy issues.
    Data that you previously onboarded through the Splunk Add-on for Amazon Kinesis Firehose will still be searchable, and your existing searches will be compatible with version 6.0.0 or later of the Splunk Add-on for AWS.
  7. (Optional) Upgrade to version 5.0.3 of the Splunk Add-on for AWS, if you have not done so already.
  8. Download the latest version of the Splunk Add-on for AWS from Splunkbase.
  9. Install the latest version of the Splunk Add-on for AWS.
  10. If any Description input was created using an earlier version of the add-on, create a new Metadata input as a replacement for it.
  11. If your inputs were configured using a version of this add-on earlier than 5.1.0, reformat the queue URL for all SQS-based S3 inputs to use regional endpoints:
    1. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/, and open the inputs.conf file using a text editor.
    2. Navigate to the [aws_sqs_based_s3://<input_name>] stanza, and reformat the queue URL for all SQS-based S3 inputs using the following new URL format:

      Old URL format: https://<aws_region>.queue.amazonaws.com/<account_id>/<queue_name>

      New URL format: https://sqs.<aws_region>.amazonaws.com/<account_id>/<queue_name>
    3. Save your changes.
  12. Restart your Splunk platform deployment.
  13. Visit http://<url or host_ip>:<web_port>/<locale_string>/_bump and click on the "Bump Version" button to apply upgraded JS file changes. See Localization Files for more information on <locale_string>.
  14. Click the Bump Version button to apply the upgraded .js file changes.
  15. Enable all inputs.
Last modified on 23 May, 2023

This documentation applies to the following versions of Splunk® Supported Add-ons: released

