Splunk® Enterprise

Forwarding Data

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Upgrade the Windows universal forwarder

This topic describes the procedure for upgrading your Windows universal forwarder from version 5.0.x, 6.0.x, 6.1.x, or 6.2.x to 6.3.

When you upgrade a universal forwarder, the installer performs an upgrade with no configuration changes. If you need to change any configuration settings on your forwarders, you can do so after the upgrade. A deployment server can assist in the configuration update process.

This topic describes three upgrade scenarios:

  • Upgrade a single forwarder with the GUI installer
  • Upgrade a single forwarder with the command line installer
  • Perform a remote upgrade of a group of forwarders

For deployments of any size, you will most likely want to use this last scenario.

Before you upgrade

Be sure to read this section before performing an upgrade. Also, read "How to upgrade Splunk Enterprise" in the Installation Manual for up-to-date information and potential issues you might encounter when upgrading.

Confirm that an upgrade is necessary

Before performing an upgrade, consider whether you really need to. In most cases, there is no compelling reason to upgrade a forwarder. Forwarders are always compatible with later version indexers, so you do not need to upgrade them just because you have upgraded the indexers they're sending data to.

No platform architecture changes

Due to how the universal forwarder installer is configured, you cannot upgrade a 32-bit version of the universal forwarder with the 64-bit universal forwarder installer. If you are in this situation, the follow these instructions:

1. Back up your configurations, including any apps or add-ons (in %SPLUNK_HOME%\etc\apps). Also back up the checkpoint files located in %SPLUNK_HOME%\var\lib\modinputs\

2. Uninstall the existing 32-bit forwarder.

3. Install the 64-bit forwarder.

4. Restore your apps, configurations and checkpoints by copying them to the appropriate directories:

%SPLUNK_HOME%\etc\system\local for configuration files.
%SPLUNK_HOME%\etc\apps for apps and add-ons.
%SPLUNK_HOME%\var\lib\modinputs for checkpoint files.

Back your files up

Before you perform the upgrade, we strongly recommend that you back up your configuration files. For information on backing up configurations, read "Back up configuration information" in the Admin manual.

Splunk Enterprise does not provide a means of downgrading to a previous version; if you need to revert to an older forwarder release, just uninstall the current version and reinstall the older release.

Upgrade using the GUI installer

You can upgrade a single forwarder with the GUI installer:

1. Download the new MSI file from the universal forwarder download page.

2. Double-click the MSI file. The installer displays the "Accept license agreement" panel.

3. Accept the license agreement and click "Install." The installer then upgrades the forwarder while retaining the existing configuration.

Note: You do not need to stop the forwarder before upgrading. The installer does this automatically as part of the upgrade process.

4. The forwarder will start automatically when you complete the installation.

The installer puts a log of upgrade changes in the %TEMP% directory. It also reports any errors in the Application Event Log.

Upgrade using the command line

You can upgrade a single forwarder by running the command line installer. To upgrade a group of forwarders, you can load the command line installer into a deployment tool, as described below.

Here are the steps for using the command line installer to upgrade a single forwarder:

1. Download the new MSI file from the Splunk universal forwarder download page.

2. Install the universal forwarder from the command line by invoking msiexec.exe.

  • For 32-bit platforms, use splunkuniversalforwarder-<...>-x86-release.msi:
      msiexec.exe /i splunkuniversalforwarder-<...>-x86-release.msi [AGREETOLICENSE=Yes /quiet]
  • For 64-bit platforms, use splunkuniversalforwarder-<...>-x64-release.msi:
      msiexec.exe /i splunkuniversalforwarder-<...>-x64-release.msi [AGREETOLICENSE=Yes /quiet]

The value of <...> varies according to the particular release; for example, splunkuniversalforwarder-5.0-142438-x64-release.msi.

Note: You cannot make configuration changes during an upgrade. The installer ignores any command line flags that you specify except for "AGREETOLICENSE".

3. The forwarder starts automatically when you complete the installation.

The installer puts a log of upgrade changes in the %TEMP% directory. It also reports any errors in the Application Event Log.

Perform a remote upgrade

To upgrade a group of forwarders across your environment:

1. Load the universal forwarder MSI into your deployment tool. Specify the command like as follows:

   msiexec.exe /i splunkuniversalforwarder-<...>.msi AGREETOLICENSE=Yes /quiet

See the previous section, "Upgrade using the command line", for details on the MSI command.

2. Execute deployment with your deployment tool.

3. Verify that the universal forwarders function properly.

You might want to test the upgrade locally on one machine before performing a remote upgrade across all your forwarders.

Last modified on 19 November, 2015
Heavy and light forwarder capabilities
Upgrade the universal forwarder for *nix systems

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters