Splunk® Enterprise

Updating Splunk Enterprise Instances

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Protect content during app updates

You can protect specified files or directories from being overwritten or deleted during app updates. If you enable this feature, the deployment client copies the deployment server's version of the content the first time that it downloads the app but, on future updates of the app, the deployment client instead maintains the protected content in place, so that it does not get overwritten by the downloaded version of the content (or deleted, if the updated app does not include the content).

This feature can be particularly useful for preventing the contents of the /local directory on the deployment client from getting wiped out or overwritten on update. Similarly, you can use it to maintain the content of lookup files across app updates.

Without the setting, all locally-generated content will be deleted or overwritten instead of making it into the updated app. Instead, the updated app will contain only the content downloaded from the deployment server.

This feature requires that both the deployment server and its deployment clients run version 6.3 or higher.

To use this feature, configure the excludeFromUpdate setting in serverclass.conf on the deployment server. The excludeFromUpdate setting can be used with any app directory or file.

For example, say that you want to prevent app updates from overwriting my-app's /local directory and you also want to maintain the contents of a lookup file across updates. Assume the app has the typical directory structure:

my-app/
   default/
   local/
       some-conf.conf
       ...

To protect the content of the /local directory from updates and to maintain the content in the cidr.csv lookup file, place the excludeFromUpdate setting in the my-app stanza of serverclass.conf:

[serverClass:my-class:app:my-app]
excludeFromUpdate = $app_root$/local,$app_root$/lookups/cidr.csv

When the deployment client downloads the app for the first time, it copies the /local directory and its contents, as well as a stub version of the lookup file, if it exists. On subsequent downloads, it uses the locally maintained version of the/local directory instead of the downloaded version. It also keeps the locally populated version of the lookup file.

Note the following:

  • You must use $app_root$ to specify the app root directory.
  • You can protect single files or entire directories.
  • You can specify excludeFromUpdate at any of the three stanza levels: global, server class, or app. If you specify it at the global level, for example, it takes effect for all apps.
Last modified on 06 August, 2019
Deploy apps to clients   View app deployment status

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters