Splunk® Universal Forwarder

Splunk Remote Upgrader for Linux Universal Forwarders

Advanced configurations

Customize your Remote Upgrader for Linux Universal Forwarders installation

If you plan to customize your Remote Upgrader for Linux Universal Forwarders configurations, do so before you install. See Download and configure your Remote Upgrader app for more information.

To install the Remote Upgrader for Linux Universal Forwarders using the deployment server:

  1. Unpack the Remote Upgrader for Linux Universal Forwarders build in the installation app: ./default/splunk-upgrader.tgz.
  2. Create the local_config file under the Remote Upgrader for Linux Universal Forwarders ./config directory.
  3. Repack local_config to the installation app.
  4. For most configurations, updates take effect after restarting the Remote Upgrader for Linux Universal Forwarders.

Customize package delivery

The universal forwarder packages must be delivered to the Remote Upgrader for Linux Universal Forwarders /tmp/SPLUNK_UPGRADER_MONITORED_DIR directory.

The package type is discovered automatically during installation.

You can provide different package types for different installed package types. For example, you can have different universal forwarders installed by RPM, DEB, and TGZ respectively. To upgrade them you can deliver all three packages to all the universal forwarders, without needing to know which package the universal forwarder needs.

  • Use only one package for each package type, otherwise the Remote Upgrader for Linux Universal Forwarders cancels the universal forwarder upgrade. For example, if two RPM packages with different versions are delivered to the Remote Upgrader for Linux Universal Forwarders at one time, and the universal forwarder is installed with an RPM package, the Remote Upgrader for Linux Universal Forwarders cannot upgrade the universal forwarder.
  • Once the Remote Upgrader for Linux Universal Forwarders picks up one package, it validates the Splunk signature or checksum if you have configured them. The universal forwarder has three different packages on Linux and you can opt-in/opt-out the signature validation for each package type in the ./config/local_config file. If signature validation is enabled, any validation failure aborts the upgrade.

In the case where the update is upgrading the upgrader itself, it can also validate the upgrader package signature.

Note: Starting with version 9.0, all UF releases are signed using an x509 signature.

Specify a universal forwarder when working with multiple universal forwarders

If you are using more than one universal forwarder, choose one of those forwarders and provide it as the path to SPLUNK_HOME to be upgraded in the local_config file. For example: SPLUNK_HOME=/opt/splunkforwarder

You may want to do this, for example, if you have multiple Splunk products installed on the same instance. Note that the Splunk Remote Upgrader for Linux must run as ROOT, i.e., installed with --user root --group root. Otherwise you cannot upgrade multiple universal forwarders.

Last modified on 24 January, 2025
Monitor your universal forwarder upgrade status   Modify remote upgrader using the configuration files

This documentation applies to the following versions of Splunk® Universal Forwarder: 1.0.0, 8.2.11, 8.2.12, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters