Upgrade an existing installation of the Splunk App for CEF

You can upgrade directly from the 1.0.0 to the 2.x version by clicking Update to 2.<x> on the Manage Apps page.

Architectural changes in this version

The 2.x version of the Splunk App for CEF makes the following performance-related architectural changes:

• The search jobs that map your data to CEF fields are distributed and managed directly on your indexers to improve search performance. As a result, the app no longer requires a dedicated search head.
• The mechanism by which CEF data is exported to your destination servers has changed from a custom alert action to a custom streaming command to improve data forwarding performance. This streaming command requires you to manually distribute the input/output configurations to your indexers using the Splunk Add-on for CEF Output.

Both of these changes result in significant overall performance gains. See Performance expectations for the Splunk App for CEF.

In the 2.x version, the Splunk App for CEF stores a representation of output configurations in the Splunk KV store in the cef_output_groups collection. As a result, the app no longer manages the inputs.conf and outputs.conf configurations on the search head. After you recreate your version 1.0.0 searches, validate that the output settings on your search head are still desirable.

Other functional changes

The 2.x version of the app does not require you to set global configurations on a setup page.

Configured global settings from your 1.0.0 setup page remain in effect if they apply globally to your instance. For example, if the box next to Enable indexed realtime is checked in the 1.0.0 version of the app, the Splunk App for CEF set indexed_realtime_use_by_default = True in $SPLUNK_HOME/etc/system/local/limits.conf.

When you create new searches or replace legacy searches, you can set your indexed realtime preference on a per-search basis. Your per-search setting overrides your global setting.

Upgrading your searches

The 2.x version of the app is backwards compatible with any searches you configured using the 1.0.0 app. To take advantage of the performance improvements introduced in the 2.x version, you must build them again using the 2.x app.

After you upgrade the app, the app highlights your 1.0.0 searches with a note identifying them as legacy searches. Replace the legacy searches to take advantage of the performance improvements in the new version. See Define CEF mappings and output groups with the Splunk App for CEF for instructions on rebuilding the searches.

Before you begin, decide whether a brief gap in data output or a brief duplication of data is preferable for your use case. If you prefer a gap in data output, disable each legacy search before recreating it in the 2.x app. If you prefer a brief duplication of data, create the new search first, then immediately disable the legacy search that it replaces.