Upgrade the Splunk Add-on for Unix and Linux

Upgrade from version 8.7.0 to version 8.8.0

See the following steps to upgrade from version 8.7.0 to version 8.8.0 of the Splunk Add-on for Unix and Linux:

Limiting event types

Before add-on v8.8.0, a given event type covered a broader set of events. For example, the [failed_login] event type was defined as:

[failed_login] search = (NOT sourcetype=stash) "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user" OR "authentication ERROR" OR "Failed password for".

Similar event type regexes have been filtered to match only the required data for the add-on.

It is possible that events which were previously matched by event types will no longer be matched after upgrading to v8.8.0.

To solve this, we have introduced a new event type named nix_ta_custom_eventtype. Update this event type to include required events.

To update the event type from Splunk web, see Update an event type in settings in the Splunk Cloud Platform manual.

For example, to add a custom sourcetype "xyz" to the add-on's event types, set the following value:

[nix_ta_custom_eventtype] search = sourcetype = "xyz"

Upgrade from version 8.6.0 to version 8.7.0

Upgrade from version 8.6.0 to version 8.7.0 of the Splunk Add-on for Unix and Linux is seamless. There are no additional steps required for this version upgrade. See Install the Splunk Add-on for Unix and Linux in this manual.

Use the installation steps in this manual to upgrade from versions 7.0 and above to the latest version of this add-on.

Before upgrading to the Splunk Add-on for Unix and Linux versions 8.1.0 and higher, verify that you have the bash shell installed on your system. If the bash shell is not installed, the lsof and package inputs will not work.