Configure the remote upgrader for Linux universal forwarders to automatically upgrade

You can configure the remote upgrader to upgrade itself by dropping the upgrader package and .sig file into the directory /tmp/SPLUNK_UPDATER_MONITORED_DIR.

Download the latest version of the remote upgrader and extract the remote upgrader package and .sig file. Once you install the universal forwarder remote upgrader on the Linux box, the directory /tmp/SPLUNK_UPDATER_MONITORED_DIR is created, which receives the universal forwarder packages.

To distribute the universal forwarder package without the deployment server, put the following files into this directory:

• Splunkforwarder-9.4.0-6b4ebe426ca6-linux-amd64.tgz
• Splunkforwarder-9.4.0-6b4ebe426ca6-linux-amd64.tgz.sig

If the universal forwarder package is distributed manually:

1. create a trigger file start_uf_upgrade in the directory /tmp/SPLUNK_UPDATER_MONITORED_DIR to trigger the upgrade:

   touch /tmp/SPLUNK_UPDATER_MONITORED_DIR/start_uf_upgrade

2. Distribute the following files manually or through the deployment server:
   • Splunkforwarder-9.4.0-6b4ebe426ca6-linux-amd64.tgz
   • Splunkforwarder-9.4.0-6b4ebe426ca6-linux-amd64.tgz.sig

You can optionally put both the remote upgrader and universal forwarder packages into the remote upgrader. When you do this, the remote upgrader will self upgrade first, and then the updated remote upgrader will upgrade the universal forwarder. You can deliver the universal forwarder packages using the deployment server and trigger the already running Remote Upgrader for Linux Universal Forwarders to run through the upgrade process. You can do this whether your universal forwarders are running as root or non-root. For planning purposes, internal testing determined that it takes two hours to distribute 100MB universal forwarder packages to 6800 universal forwarders, with CPU at 40% and memory at 2%.

1. Download the universal forwarder packages.
2. Place the universal forwarder packages and its associated signature file in the ./local/packages directory under splunk_app_upgrader_delivery.
3. If you have not already done so, make splunk_app_upgrader_delivery available to the deployment server. See Update configurations for more information.
4. Deploy the remote upgrader to the target universal forwarders using the deployment server. The universal forwarder packages are delivered to the Remote Upgrader for Linux Universal Forwarders /tmp/SPLUNK_UPGRADER_MONITORED_DIR directory, and the trigger file is created automatically.
5. When you deploy the remote upgrader using the deployment server, update the interval setting in ./default/inputs.conf to a cron expression based on Splunk inputs.conf. This will keep the remote upgrader from triggering the universal forwarder upgrade until the cron expression starts the input.

Deliver the target universal forwarder package into the designated folder

If you use a custom solution for delivery you can also use your solution to deliver the package manually and create a trigger file:

1. Place the installer package in the /tmp/SPLUNK_UPGRADER_MONITORED_DIR directory.
2. Create the file start_uf_upgrade in /tmp/SPLUNK_UPGRADER_MONITORED_DIR directory. This is the trigger file that separates the package delivery and upgrade, which lets you better arrange the upgrade. The file can be empty. Do not copy and paste this file from another location to this monitored directory, as creation time for this file determines the timeout for the universal forwarder upgrade and changing the default flag file may cause the upgrade to fail.