Splunk® Universal Forwarder

Splunk Remote Upgrader for Linux Universal Forwarders

Quickstart guide

The quickstart guide provides a simple path to quickly install and configure basic functions.

Manually install the remote upgrader

  1. Download the Splunk remote upgrader for Linux universal forwarders from Splunkbase at: https://splunkbase.splunk.com/app/7699. This file contains the universal forwarder upgrader package and delivery scripts. The delivery scripts deliver a new version of the universal forwarder to an already installed universal forwarder that has an active remote upgrader installed using the deployment server. For a manual installation, you only need the universal forwarder upgrader package.
  2. Untar the downloaded file.
  3. In the directory splunk_app_uf_remote_upgrade_linux, find the universal forwarder upgrader package splunk-upgrader-{version}.tgz. You can locate this file at: splunk_app_uf_remote_upgrade_linux/default/packages/splunk-upgrader-{version}.tgz.
  4. Send splunk-upgrader-100.tgz as follows:
    scp splunk-upgrader-100.tgz splunker@10.202.15.74:/tmp
  5. Move the remote upgrader package into the installation directory. Run the remote upgrader parallel to the universal forwarder home. For example, if SPLUNK_HOME = "/opt/splunkforwarder", copy the upgrader package into /opt.
  6. Untar the package:
    cp /tmp/splunk-upgrader-100.tgz /opt/
    cd /opt
    tar xf splunk-upgrader-100.tgz
  7. Install the universal forwarder remote upgrader using the default user (root permission is required) so that the universal forwarder upgrader creates its own user and/or group with minimum permissions to complete the universal forwarder upgrade. The remote upgrader's Linux daemon is then automatically installed and run as another user. Custom user/group installation options are described in Modify remote upgrader using the configuration files.
  8. To start the installation process, run the command:
    sudo ./bin/install.sh --accept-license --create-user
  9. In the output of the installation command, you should see that the universal forwarder upgrader daemon is "active (running)".
  10. If the daemon fails to start, check the installation logs in ./log/install.log.

Manually configure universal forwarder upgrade using the remote upgrader

  1. On splunk.com, download the universal forwarder version 9.0.0 or later and the respective .sig file. The new .sig file is available from the More > "Download x509 Signature" link for each universal forwarder package. Once this operation completes, you will have two files:
    • splunkforwarder-{version}.{extension}
    • splunkforwarder-{version}.{extension}.sig

    So for example:

    • splunkforwarder-9.4.0-6b4ebe426ca6-linux-amd64.tgz
    • splunkforwarder-9.4.0-6b4ebe426ca6-linux-amd64.tgz.sig
  2. Copy both files into /tmp/SPLUNK_UPDATER_MONITORED_DIR on your destination Linux universal forwarder machine. Once you have installed the remote upgrader, the directory /tmp/SPLUNK_UPDATER_MONITORED_DIR is created, and is used to receive universal forwarder packages.
  3. To trigger the upgrade, run the command:
    touch /tmp/SPLUNK_UPDATER_MONITORED_DIR/start_uf_upgrade
  4. For troubleshooting, review logs in $SPLUNK_HOME/log/install.log. Historical data is stored in the ./history directory.
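
The staging steps above, as an added shell example (not part of the Splunk documentation or the remote upgrader): it checks that the package and its .sig form a complete pair and that the monitored directory exists and is not a symlink, then creates start_uf_upgrade only after both staged copies match their sources. The function name stage_uf_upgrade and its exit codes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. stage_uf_upgrade and its exit codes are hypothetical names
# chosen for illustration; they are not part of the remote upgrader.
#
# stage_uf_upgrade <package> [monitored_dir]
#   0 staged and triggered      2 unexpected package name
#   3 package or .sig missing   4 monitored dir missing or a symlink
#   5 copy failed or staged copy differs from source
stage_uf_upgrade() {
    uf_pkg="$1"
    uf_dir="${2:-/tmp/SPLUNK_UPDATER_MONITORED_DIR}"
    uf_sig="${uf_pkg}.sig"
    uf_base="$(basename -- "$uf_pkg")"

    # Packages are named splunkforwarder-{version}.{extension}.
    case "$uf_base" in
        splunkforwarder-*.*) ;;
        *) echo "unexpected package name: $uf_base" >&2; return 2 ;;
    esac

    # Both halves of the pair must be non-empty regular files.
    for uf_f in "$uf_pkg" "$uf_sig"; do
        if [ ! -f "$uf_f" ] || [ ! -s "$uf_f" ]; then
            echo "missing or empty: $uf_f" >&2; return 3
        fi
    done

    # The directory is created by the remote upgrader install. Do not create
    # it here, and do not follow a symlink placed under /tmp.
    if [ ! -d "$uf_dir" ] || [ -L "$uf_dir" ]; then
        echo "monitored dir missing or a symlink: $uf_dir" >&2; return 4
    fi

    # Copy the pair, confirm the staged bytes match, and only then trigger.
    cp -- "$uf_pkg" "$uf_sig" "$uf_dir"/ || return 5
    cmp -s -- "$uf_pkg" "$uf_dir/$uf_base" || return 5
    cmp -s -- "$uf_sig" "$uf_dir/$uf_base.sig" || return 5

    touch -- "$uf_dir/start_uf_upgrade"
}

# Usage: sh stage_uf.sh /path/to/splunkforwarder-{version}.{extension}
if [ "$#" -ge 1 ]; then
    stage_uf_upgrade "$@"
fi
```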

Distribute the remote upgrader package using the deployment server

  1. Download the Splunk remote upgrader for Linux universal forwarders from Splunkbase at: https://splunkbase.splunk.com/app/7699. This file contains the universal forwarder upgrader package and delivery scripts. The delivery scripts deliver a new version of the universal forwarder to the already installed universal forwarder that has an active remote upgrader installed using the deployment server. For a manual installation, you only need the universal forwarder upgrader package.
  2. Untar the downloaded file:
    cp /tmp/splunk-upgrader-100.tgz /opt/
    tar xf splunk-upgrader-100.tgz
  3. In the directory splunk_app_uf_remote_upgrade_linux, find the universal forwarder upgrader package file splunk-upgrader-{version}.tgz. You can locate this file at:
    splunk_app_uf_remote_upgrade_linux/default/packages/splunk-upgrader-{version}.tgz
  4. Use the deployment server to distribute the splunk-upgrader-{version}.tgz file to the universal forwarders where you plan to install the remote upgrader. For more information about using the deployment server, see Create deployment apps.
  5. Place the applications on the deployment server in the directory $SPLUNK_HOME/etc/deployment-apps. The application is delivered to the directory $SPLUNK_HOME/etc/apps on destination universal forwarders.

  6. Move the remote upgrader package into the installation directory. Run the remote upgrader parallel to the universal forwarder home. So for example, if SPLUNK_HOME = "/opt/splunkforwarder", then copy the upgrader package into /opt.
  7. Install the universal forwarder remote upgrader using the default user (root permission is required) so that the universal forwarder upgrader creates its own user and/or group with minimum permissions to complete the universal forwarder upgrade. The remote upgrader's Linux daemon is then automatically installed and run as another user. Custom user/group installation options are described in Modify remote upgrader using the configuration files.
  8. To start the installation process, run the command:
    sudo ./bin/install.sh --accept-license --create-user
  9. In the output of the installation command, you should see that the universal forwarder upgrader daemon is "active (running)".
  10. If the daemon fails to start, check the installation logs in ./log/install.log.

Upgrade universal forwarders using deployment server and the remote upgrader

  1. Download the Splunk remote upgrader for Linux universal forwarders from Splunkbase at: https://splunkbase.splunk.com/app/7699. This file contains the universal forwarder upgrader package and delivery scripts. The delivery scripts deliver a new version of the universal forwarder to an already installed universal forwarder that has an active remote upgrader installed using the deployment server. For a manual installation, you only need the universal forwarder upgrader package.
  2. Untar the downloaded file.
  3. In the directory splunk_app_uf_remote_upgrade_linux, find the universal forwarder upgrader package file splunk-upgrader-{version}.tgz. You can locate this file at:
    splunk_app_uf_remote_upgrade_linux/default/packages/splunk-upgrader-{version}.tgz
    The universal forwarder installation package and universal forwarder signature are the files:
    • splunkforwarder-{version}.{extension}
    • splunkforwarder-{version}.{extension}.sig


    You should see the directory: splunk_app_uf_remote_upgrade_linux.
  4. Put the universal forwarder installation package and universal forwarder signature files into the directory:
    splunk_app_uf_remote_upgrade_linux/local/packages

    You will see packages similar to this:

    [Screenshot: RUCodeSamplePkgs.png]
  5. The directory splunk_app_uf_remote_upgrade_linux is ready to be distributed to selected universal forwarders using the deployment server. When you distribute the application using the deployment server, make sure the application and Restart agent are enabled. After the application is distributed, the universal forwarder upgrade will be performed automatically. For troubleshooting, see the logs in ./log/install.log.
Last modified on 31 March, 2025

This documentation applies to the following versions of Splunk® Universal Forwarder: 1.0.0, 1.0.1, 8.2.11, 8.2.12, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.4.0, 9.4.1

