Splunk® Enterprise

Forwarding Data


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Upgrade the universal forwarder for *nix systems

This topic describes the procedure for upgrading your universal forwarder from version 5.0.x, 6.0.x, 6.1.x, or 6.2.x to 6.3.

This topic describes two upgrade scenarios:

  • Upgrade a single forwarder manually
  • Perform a remote upgrade of a group of forwarders

For deployments of any size, you will most likely want to use the second scenario.

Before you upgrade

Be sure to read this section before performing an upgrade. Also, read "How to upgrade Splunk Enterprise" in the Installation Manual for up-to-date information and potential issues you might encounter when upgrading.

Confirm that an upgrade is necessary

Before doing an upgrade, consider whether you really need to. In most cases, there's no compelling reason to upgrade a forwarder. Forwarders are always compatible with later version indexers, so you do not need to upgrade them just because you've upgraded the indexers they're sending data to.

Back your files up

Before you perform the upgrade, back up your configuration files. For information on backing up configurations, read "Back up configuration information" in the Admin manual.

Splunk Enterprise does not provide a means of downgrading to a previous version; if you need to revert to an older forwarder release, just reinstall it.

How upgrading works

After you install the new version, configuration changes do not occur until you start the universal forwarder. You can run the migration preview utility at that time to see what will change before the files are updated. If you choose to view the changes before proceeding, the forwarder writes the proposed changes to $SPLUNK_HOME/var/log/splunk/migration.log.<timestamp>.

Upgrade a single forwarder

1. Execute the stop command:

     $SPLUNK_HOME/bin/splunk stop

Important: Make sure no other processes can start the forwarder automatically (such as Solaris SMF).

2. Install the universal forwarder package over the existing deployment:

  • If you use a .tar file, expand it into the same directory with the same ownership as the existing universal forwarder instance. This overwrites and replaces matching files but does not remove unique files.
  • If you use a package manager, such as an RPM, type in rpm -U <splunk_package_name>.rpm from a shell prompt.
  • If you use a .dmg file (on MacOS), double-click it and follow the instructions. Be sure to specify the same installation directory as your existing installation.
  • If you use init scripts, be sure to include the following so the End-User License Agreement (EULA) gets accepted:
      ./splunk start --accept-license

3. Execute the start command:

     $SPLUNK_HOME/bin/splunk start

The forwarder displays the following:

This appears to be an upgrade of Splunk.
Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk's installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.
You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:
If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose 'y'.
If you want to see what changes will be made before you proceed with the
upgrade, choose 'n'.
Perform migration and upgrade without previewing configuration changes? [y/n]

4. Choose whether you want to run the migration preview script to see what changes will be made to your existing configuration files, or proceed with the migration and upgrade right away.

5. If you choose to view the expected changes, the script provides a list.

6. Once you've reviewed these changes and are ready to proceed with migration and upgrade, run $SPLUNK_HOME/bin/splunk start again.

Note: You can complete Steps 3 to 5 in one line:

  • To accept the license and view the expected changes (answer 'n') before continuing the upgrade:
      $SPLUNK_HOME/bin/splunk start --accept-license --answer-no
  • To accept the license and begin the upgrade without viewing the changes (answer 'y'):
      $SPLUNK_HOME/bin/splunk start --accept-license --answer-yes

Perform a remote upgrade

To upgrade a group of forwarders across your environment:

1. Upgrade the universal forwarder on a test machine, as described above.

2. Create a script wrapper for the upgrade commands, as described in "Remotely deploy a *nix universal forwarder with a static configuration" in the Forwarding Data manual. You will need to modify the sample script to meet the needs of an upgrade.

3. Run the script on representative target machines to verify that it works with all required shells.

4. Execute the script against the desired set of hosts.

5. Verify that the universal forwarders are functioning properly.
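A per-host wrapper for step 2, covering the stop, .tar install and start steps from "Upgrade a single forwarder" plus the configuration backup from "Before you upgrade". This is an added example, not Splunk's sample script. It assumes the package is a .tar whose contents sit under one top-level directory, that tar supports --strip-components, that sha256sum is available, and that the caller supplies the install directory, the package path and a SHA-256 digest to pin (the digest check is an addition, not a step from this topic).

```shell
#!/bin/sh
# Added example: upgrade one universal forwarder from a .tar package.
# Assumed arguments: <SPLUNK_HOME> <package.tar> <expected-sha256>

upgrade_forwarder() {
    home=$1 pkg=$2 want_sha=$3
    splunk="$home/bin/splunk"

    # Added safeguard: refuse to touch the install unless the package
    # matches the digest recorded for the copy validated on the test machine.
    got_sha=$(sha256sum "$pkg" | awk '{print $1}')
    if [ "$got_sha" != "$want_sha" ]; then
        echo "checksum mismatch for $pkg" >&2
        return 2
    fi

    # Step 1: stop the forwarder (its output goes to stderr so that
    # stdout carries only the backup path printed at the end).
    "$splunk" stop >&2 || return 3

    # "Back your files up": archive etc/ before anything is overwritten.
    backup="${home}-etc-backup-$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$backup" -C "$home" etc || return 4

    # Step 2: expand over the existing directory. Matching files are
    # replaced, unique files stay. Then restore the existing ownership.
    owner=$(ls -ldn "$home" | awk '{print $3 ":" $4}')
    tar -xf "$pkg" -C "$home" --strip-components=1 || return 5
    chown -R "$owner" "$home" || return 6

    # Step 3: start, accept the license, migrate without the preview.
    "$splunk" start --accept-license --answer-yes >&2 || return 7

    echo "$backup"
}

# Stand-alone use: sh upgrade.sh /opt/splunkforwarder pkg.tar <sha256>
if [ "$#" -eq 3 ]; then
    upgrade_forwarder "$@"
fi
```

Each return code identifies the step that failed, so the script that runs this against many hosts can report where a given host stopped.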

Last modified on 19 November, 2015

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0
