Upgrade Splunk Stream
Upgrade Splunk Stream in Splunk Web
Upgrade Splunk Stream in Splunk Web, as follows:
- Open Splunk Enterprise.
- In the top left menu, click Manage Apps.
- Click Install app from file.
- Click Choose file and browse to the latest version of the
- Select the Upgrade app checkbox. This overwrites the current version of the app.
- Click Upload.
- Restart Splunk Enterprise if prompted. This upgrades the following directories:
Note: This process does not upgrade Splunk_TA_stream unless the installer package includes a new version of the TA. Otherwise, the installer upgrades
Manually upgrade Splunk_TA_stream
When you upgrade Splunk Stream, Splunk_TA_stream is automatically upgraded on the server on which Splunk Stream is installed. However, Splunk_TA_stream is not automatically upgraded on universal forwarders. If your Stream deployment includes additional universal forwarders and you are not using the deployment server, you must manually upgrade Splunk_TA_stream on each universal forwarder (or use another mechanism to install the TA, such as Puppet or Chef).
To manually upgrade Splunk_TA_stream to the latest version:
- Make a backup of the
mv $SPLUNK_HOME/etc/apps/Splunk_TA_stream Splunk_TA_stream.bak
- Copy the
Splunk_TA_stream directory from the new
cp -r $TARBALL_DIR/install/Splunk_TA_stream $SPLUNK_HOME/etc/apps/
- Copy over the old local configuration directory:
cp -r Splunk_TA_stream.bak/local $SPLUNK_HOME/etc/apps/Splunk_TA_stream/
- Remove the backup directory:
rm -rf Splunk_TA_stream.bak
- Restart Splunk.
cd $SPLUNK_HOME/bin
./splunk restart
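The manual upgrade steps above, wrapped in a function that checks its inputs and restores the previous TA if a copy fails. This is an added example, not Splunk's own script. The function name `upgrade_ta` and the backup location under `$SPLUNK_HOME` are assumptions, and the restart is left to the operator.

```shell
#!/bin/sh
# Added example: upgrade Splunk_TA_stream on a universal forwarder,
# keeping local/ and rolling back if a copy step fails.
# Usage: upgrade_ta "$SPLUNK_HOME" "$TARBALL_DIR"   (then restart Splunk)

upgrade_ta() {
    splunk_home=$1
    tarball_dir=$2
    apps="$splunk_home/etc/apps"
    old="$apps/Splunk_TA_stream"
    new="$tarball_dir/install/Splunk_TA_stream"
    # Assumption: keep the backup outside etc/apps so it is never loaded as an app.
    bak="$splunk_home/Splunk_TA_stream.bak"

    # Refuse to start unless source and target exist and no stale backup is left over.
    [ -d "$new" ] || { echo "new TA not found: $new" >&2; return 1; }
    [ -d "$old" ] || { echo "installed TA not found: $old" >&2; return 1; }
    [ ! -e "$bak" ] || { echo "stale backup exists: $bak" >&2; return 1; }

    mv "$old" "$bak" || return 1

    # Copy the new TA; on failure put the previous version back.
    if ! cp -r "$new" "$apps/"; then
        rm -rf "$old"
        mv "$bak" "$old"
        echo "copy failed, previous TA restored" >&2
        return 1
    fi

    # local/ exists only if this forwarder was customised; carry it over when present.
    if [ -d "$bak/local" ]; then
        if ! cp -r "$bak/local" "$old/"; then
            rm -rf "$old"
            mv "$bak" "$old"
            echo "restoring local/ failed, previous TA restored" >&2
            return 1
        fi
    fi

    # Delete the backup only after every copy step has succeeded.
    rm -rf "$bak"
}
```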
Verify data forwarding
If the Stream Forwarders fail to send data after upgrade, you may see messages similar to this one:
WARN  (HTTPRequestSender.cpp:1485) stream.SplunkSenderHTTPEventCollector - (#7) TCP connection failed: Connection refused
To resolve this, first verify that the Stream forwarder is correctly configured. Then go to the Stream Forward App and update your HEC configuration:
- In the Stream App, open the Distributed Forwarder Management page.
- Select "Install Stream Forwarders".
- Verify the curl command is the same one running on the Stream Forward App.
- Turn off the HEC Autoconfig option.
- Update the Endpoint URLs by manually typing in the HEC (HF or Indexer) URL.
Windows installation considerations
Splunk Stream uses the WinPcap driver to capture packets on Windows systems. Due to a flaw in the WinPcap security model, installing Stream on Windows allows all local users to use WinPcap for packet sniffing. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges.
On Windows systems, Splunk Stream supports the Admin role only.
This documentation applies to the following versions of Splunk Stream™: 7.2.0