Splunk® Supported Add-ons

Splunk Add-on for Unix and Linux

Upgrade the Splunk Add-on for Unix and Linux

Upgrade from version 6.0.0 or 6.0.1 to 6.0.2

Upgrade from version 6.0.0 or later to version 6.0.2 of the Splunk Add-on for Unix and Linux:

  1. Install version 6.0.2.
  2. On the Configuration page, the nfsiostat input now appears. It is only supported on a Linux OS.
  3. Enable data collection for nfsiostat:
    1. Install the nfs-utils package.
    2. After you install the package, file system mounted events begin ingesting.

Upgrade from 5.2.4 or earlier to 6.0.2

First, upgrade from version 5.2.4 or earlier to 6.0.0:

  1. Configure your local indexes.conf.
  2. Configure your local inputs.conf.
  3. Edit your bash history stanza.
  4. Configure app.conf.

Then, upgrade to version 6.0.2.

Configure your local indexes.conf

The Splunk Add-on for Unix and Linux versions 6.0.0 and later do not have predefined os and firedalerts indexes. You must make a local copy of the indexes.conf file before performing the upgrade.

If you upgrade the Splunk Add-on for Unix and Linux from version 5.2.4 to version 6.0.1 before making a local copy of indexes.conf, the existing index configurations will not be available after the upgrade and the previously indexed data may be lost. If indexes are defined and not copied over, newly ingested data may be lost. If you send data to an undefined index, data will be lost.

  1. Copy $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/indexes.conf to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/indexes.conf.
  2. If necessary, create the event indexes. See Create and edit event indexes.
  3. To index data in a specific index, edit inputs.conf and add index = indexname in the input stanza.

Configure your local inputs.conf

The Splunk Add-on for Unix and Linux version 5.2.4 indexes data by default into an os index. Versions 6.0.0 and later index data into the default index, typically main. If you want to index data with version 6.0.1 into the same index used by version 5.2.4, add index = os or index = firedalerts to each input stanza in your local inputs.conf file.

  1. Edit $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf.
  2. Locate each input stanza and add index = os or index = firedalerts.

If you do not do these steps, the Splunk Add-on for Unix and Linux 6.0.1 indexes data into the default index, typically main.

Edit bash history stanza

To improve performance, version 6.0.0 of the Splunk Add-on for Unix and Linux renamed the stanza for monitoring bash histories. You must update the version 5.2.4 bash_history stanza name used in your local inputs.conf file to match the new stanza name used in versions 6.0.0 and later:

  1. Edit $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf.
  2. Locate the stanza [monitor:///home/.../.bash_history].
  3. Rename the stanza to [monitor:///home/*/.bash_history].

If you do not do these steps, you see both [monitor:///home/.../.bash_history] and [monitor:///home/*/.bash_history] in the add-on setup page.

Configure app.conf

The Splunk Add-on for Unix and Linux versions 6.0.0 and later set configuration status to false by default. The Splunk Add-on for Unix and Linux will prompt you to perform a full setup the first time that Splunk Web launches it.

If you do not want to reconfigure the add-on after the upgrade is completed, add is_configured=true to the app.conf file.

  1. Edit $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/app.conf.
  2. Locate the install stanza and add is_configured=true.
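
The 5.2.4 preparation steps above (local indexes.conf, index assignment and bash_history stanza rename in inputs.conf, is_configured in app.conf) collected into one shell function. This is an added example, not part of the Splunk documentation or the add-on; the function name prepare_ta_nix_upgrade and its arguments are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Splunk tooling. prepare_ta_nix_upgrade is a hypothetical helper.
# Usage: prepare_ta_nix_upgrade <path to Splunk_TA_nix> [index name, default "os"]
# Run it before installing 6.0.x over 5.2.4.
prepare_ta_nix_upgrade() {
  local app="$1" idx="${2:-os}" inputs conf tmp
  inputs="$app/local/inputs.conf"; conf="$app/local/app.conf"
  mkdir -p "$app/local" && tmp="$(mktemp)" || return 1

  # indexes.conf: keep the 5.2.4 index definitions, never overwriting a local copy.
  if [ -f "$app/default/indexes.conf" ] && [ ! -e "$app/local/indexes.conf" ]; then
    cp -p "$app/default/indexes.conf" "$app/local/indexes.conf" || return 1
  fi

  # inputs.conf: pass 1 records stanzas that already set an index; pass 2 renames
  # the bash_history stanza and adds "index = <idx>" to stanzas that set none.
  if [ -f "$inputs" ]; then
    awk -v idx="$idx" -v old='[monitor:///home/.../.bash_history]' \
        -v new='[monitor:///home/*/.bash_history]' '
      NR == FNR { if (/^\[/) s = $0; else if (/^[ \t]*index[ \t]*=/) has[s] = 1; next }
      /^\[/ { key = $0; if ($0 == old) $0 = new
              print; if (!(key in has)) print "index = " idx; next }
      { print }
    ' "$inputs" "$inputs" > "$tmp" && cat "$tmp" > "$inputs" || return 1
  fi

  # app.conf: force is_configured=true in [install], creating the stanza if absent.
  touch "$conf" || return 1
  if grep -q '^\[install\]' "$conf"; then
    awk '
      /^\[/ { in_install = ($0 ~ /^\[install\]/); print
              if (in_install) print "is_configured=true"; next }
      in_install && /^[ \t]*is_configured[ \t]*=/ { next }   # drop the old value
      { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf" || return 1
  else
    printf '\n[install]\nis_configured=true\n' >> "$conf" || return 1
  fi
  rm -f "$tmp"
}
```

Stanzas that already set an index keep it, so inputs that should go to firedalerts need that setting in place before the function runs, and running the function a second time changes nothing.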

This documentation applies to the following versions of Splunk® Supported Add-ons: released

