Upgrade Splunk Stream
Upgrade Splunk Stream in Splunk Web
Upgrade Splunk Stream in Splunk Web, as follows:
- Open Splunk Enterprise.
- In the top left menu, click Manage Apps.
- Click Install app from file.
- Click Choose file and browse to the latest version of the splunk-stream_<latest_version>.tgz installer file.
- Select the Upgrade app checkbox. This overwrites the current version of the app.
- Click Upload.
- Restart Splunk Enterprise if prompted. This upgrades the following directories:
  - splunk_app_stream in $SPLUNK_HOME/etc/apps
  - Splunk_TA_stream in $SPLUNK_HOME/etc/apps
  - Splunk_TA_stream in $SPLUNK_HOME/etc/deployment-apps
Note: This process does not upgrade Splunk_TA_stream unless the installer package includes a new version of the TA. Otherwise, the installer upgrades splunk_app_stream only.
Manually upgrade Splunk_TA_stream
When you upgrade Splunk Stream, Splunk_TA_stream is automatically upgraded on the server on which Splunk Stream is installed. However, Splunk_TA_stream is not automatically upgraded on universal forwarders. If your Stream deployment includes additional universal forwarders and you are not using the deployment server, you must manually upgrade Splunk_TA_stream on each universal forwarder (or use another mechanism to install the TA, such as Puppet or Chef).
To manually upgrade Splunk_TA_stream to the latest version:
- Make a backup of the Splunk_TA_stream directory:
  mv $SPLUNK_HOME/etc/apps/Splunk_TA_stream Splunk_TA_stream.bak
- Copy the Splunk_TA_stream directory from the new splunk_app_stream tarball:
  cp -r $TARBALL_DIR/install/Splunk_TA_stream $SPLUNK_HOME/etc/apps/
- Copy over the old local configuration directory:
  cp -r Splunk_TA_stream.bak/local $SPLUNK_HOME/etc/apps/Splunk_TA_stream/
- Remove the temporary directory:
  rm -rf Splunk_TA_stream.bak
- Restart Splunk:
  cd $SPLUNK_HOME/bin
  ./splunk restart
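The manual procedure above, collected into a shell function as an added example (this is not Splunk's own script). It runs the same backup, copy, restore-local and cleanup steps and adds the checks you want before touching a forwarder: it refuses to run if the unpacked tarball does not contain Splunk_TA_stream (the case the note above describes), refuses to overwrite a stale backup, and keeps the backup under $SPLUNK_HOME/etc rather than in the working directory or in etc/apps, so an interrupted run never leaves a stray app directory for Splunk to load. The function names, the ta_version helper and its assumption that default/app.conf carries a "version =" key under [launcher] are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling: the manual Splunk_TA_stream upgrade
# as a function, so it can be run on each universal forwarder. The backup is
# kept at $SPLUNK_HOME/etc/Splunk_TA_stream.bak (outside etc/apps) so that
# Splunk never picks it up as an app if the run is interrupted.

# upgrade_ta_stream SPLUNK_HOME TARBALL_DIR
upgrade_ta_stream() {
  splunk_home="$1"
  tarball_dir="$2"
  ta="$splunk_home/etc/apps/Splunk_TA_stream"
  new_ta="$tarball_dir/install/Splunk_TA_stream"
  bak="$splunk_home/etc/Splunk_TA_stream.bak"

  # Preconditions: an installed TA to upgrade, a new TA in the tarball
  # (a package without it does not upgrade the TA), and no stale backup.
  if [ ! -d "$ta" ]; then
    echo "no installed TA at $ta" >&2; return 1
  fi
  if [ ! -d "$new_ta" ]; then
    echo "no Splunk_TA_stream in $tarball_dir/install" >&2; return 1
  fi
  if [ -e "$bak" ]; then
    echo "stale backup $bak exists; inspect and remove it first" >&2; return 1
  fi

  # 1. Back up the current TA.
  mv "$ta" "$bak" || return 1
  # 2. Copy the new TA from the unpacked tarball.
  cp -r "$new_ta" "$splunk_home/etc/apps/" || return 1
  # 3. Carry over local/ (site-specific streamfwd.conf, inputs.conf, ...).
  #    default/ comes from the new TA, so only local settings survive.
  if [ -d "$bak/local" ]; then
    mkdir -p "$ta/local" || return 1
    cp -r "$bak/local/." "$ta/local/" || return 1
  fi
  # 4. Remove the backup.
  rm -rf "$bak"
}

# ta_version SPLUNK_HOME: print the installed TA version from default/app.conf
# (assumes the usual "version = x.y.z" key under [launcher]).
ta_version() {
  sed -n 's/^version *= *//p' "$1/etc/apps/Splunk_TA_stream/default/app.conf" | head -n 1
}

# restart_splunk SPLUNK_HOME: the final step of the procedure, kept separate
# so the upgrade can be inspected before the forwarder is restarted.
restart_splunk() {
  "$1/bin/splunk" restart
}
```

Run it as `upgrade_ta_stream /opt/splunkforwarder /tmp/splunk-stream && restart_splunk /opt/splunkforwarder` on each forwarder; ta_version before and after gives you a one-line confirmation that the TA actually changed and that local/ was not lost.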
Verify data forwarding
If the Stream Forwarders fail to send data after upgrade, you may see messages similar to this one:
WARN [139650313393920] (HTTPRequestSender.cpp:1485) stream.SplunkSenderHTTPEventCollector - (#7) TCP connection failed: Connection refused
To resolve this, first verify that the Stream forwarder is correctly configured. Then go to the Stream Forward App and update your HEC configuration:
- In the Stream App, open the Distributed Forwarder Management page.
- Select "Install Stream Forwarders".
- Verify the curl command is the same one running on the Stream Forward App.
- Turn off the HEC Autoconfig option.
- Update the Endpoint URLs by manually typing in the HEC (HF or Indexer) URL.
Windows installation considerations
Splunk Stream uses the WinPcap driver to capture packets on Windows systems. Due to a flaw in the WinPcap security model, installing Stream on Windows allows all local users to use WinPcap for packet sniffing. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges.
On Windows systems, Splunk Stream supports the Admin role only.
This documentation applies to the following versions of Splunk Stream™: 7.3.0