Splunk® Supported Add-ons

Splunk Add-on for AWS

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Upgrade the Splunk Add-on for AWS

Upgrade to the latest version of the Splunk Add-on for Amazon Web Services (AWS). Upgrades to version 5.2.0 and later are possible only from version 5.0.3 or later. For upgrading the Splunk Add-on for AWS on Splunk Cloud deployments, contact your Splunk Cloud administrator.

Version 6.0.0 of the Splunk Add-on for AWS includes a merge of all the capabilities of the Splunk Add-on for Amazon Kinesis Firehose. This means you can configure the Splunk Add-on for AWS to ingest across all AWS data sources for ingesting AWS data into Splunk.

If you use both the Splunk Add-on for Amazon Kinesis Firehose as well as the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Kinesis Firehose after upgrading the Splunk Add-on for AWS to version 6.0.0 or later in order to avoid any data duplication and discrepancy issues.

Data that you previously onboarded through the Splunk Add-on for Amazon Kinesis Firehose will still be searchable, and your existing searches will be compatible with version 6.0.0 of the Splunk Add-on for AWS.

If you are not currently using the Splunk Add-on for Amazon Kinesis Firehose, but plan to use it in the future, then the best practice is to download and configure version 6.0.0 or later of the Splunk Add-on for AWS, instead of the Splunk Add-on for Amazon Kinesis Firehose.

Starting in versions 6.1.0 and 6.2.0 of the Splunk Add-on for AWS, the Generic S3 and SQS-based S3 custom data type inputs contain CSV Parsing functionality. For more information, see the version 6.1.0 release notes and input pages for this manual.

Starting in version 6.2.0 of the Splunk Add-on for AWS, the Description input is deprecated. Hence the Metadata input should be used.

  1. Verify that you are running version 8.0.0 or later of the Splunk platform.
  2. (Optional) Plan your Splunk Enterprise upgrade to work with the Python 3 migration.
  3. Disable all running inputs.
  4. Disable or delete the running inputs for Description Input, if configured.
  5. Delete the pycache directory found in $SPLUNK_HOME/etc/apps/Splunk_TA_aws/pycache.
  6. (Optional) If you use both the Splunk Add-on for Amazon Kinesis Firehose as well as the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Kinesis Firehose, including removal of the existing Splunk_TA_aws-kinesis-firehose folder from all applicable $SPLUNK_HOME app directories, after upgrading the Splunk Add-on for AWS to version 6.0.0 or later. This is in order to avoid any data duplication and discrepancy issues.
    Data that you previously onboarded through the Splunk Add-on for Amazon Kinesis Firehose will still be searchable, and your existing searches will be compatible with version 6.0.0 or later of the Splunk Add-on for AWS.
  7. (Optional) Upgrade to version 5.0.3 of the Splunk Add-on for AWS, if you have not done so already.
  8. Download the latest version of the Splunk Add-on for AWS from Splunkbase.
  9. Install the latest version of the Splunk Add-on for AWS.
  10. If any Description input was created using an earlier version of the add-on, create a new Metadata input as a replacement for it.
  11. If your inputs were configured using a version of this add-on earlier than 5.1.0, Reformat the queue URL for all SQS-based s3 inputs to use regional endpoints:
    1. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/, and open the inputs.conf file using a text editor.
    2. Navigate to the [aws_sqs_based_s3://<input_name>] stanza, and reformat the queue URL for all SQS-based s3 inputs using the following new url format:

      Old URL format: https://<aws_region>.queue.amazonaws.com/<account_id>/<queue_name>

      New URL format: https://sqs.<aws_region>.amazonaws.com/<account_id>/<queue_name>
    3. Save your changes.
  12. Restart your Splunk platform deployment.
  13. Visit http://<url or host_ip>:<web_port>/<locale_string>/_bump and click on the "Bump Version" button to apply upgraded JS file changes. See Localization Files for more information on <locale_string>.
  14. Click the Bump Version button to apply the upgraded .js file changes.
  15. Enable all inputs.

After upgrading to version 6.2.0 of the Splunk Add-on for AWS, the Description input created in the earlier versions will no longer continue to collect and index data and it will not be visible to the users in the inputs table. Users will not be able to create a new Description input. If you want to collect Description data, configure the Metadata input.

Last modified on 24 August, 2022
PREVIOUS
Install the Splunk Add-on for AWS in a distributed Splunk Enterprise deployment
  NEXT
Manage accounts for the Splunk Add-on for AWS

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters