Splunk® User Behavior Analytics

Install and Upgrade Splunk User Behavior Analytics

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Upgrade a single node AMI or OVA installation of Splunk UBA

Before upgrading Splunk UBA on a single server, be sure you have verified the Upgrade Splunk UBA prerequisites.

Single server upgrade steps

Ensure that Splunk UBA is running before you upgrade, then perform the following tasks to upgrade Splunk UBA on a single server.

  1. Obtain the Splunk UBA Software Update and download the file to the /home/caspida directory. Select version 5.0.3 from the drop-down list. The downloadable archive file is named splunk-uba-software-upgrade-package_503.tgz.
  2. Extract the archive with the following command: 
    tar -xfz /home/caspida/splunk-uba-software-upgrade-package_503.tgz -C /home/caspida

    The following files are extracted:

    • splunk-uba-software-update-000027-503.tgz
    • splunk-uba-software-update-000027-503.tgz.md5sum
    • uba-ext-pkgs-5.0.3.tgz
    • uba-ext-pkgs-5.0.3.tgz.md5sum
  3. Extract the software update package in the /home/caspida directory: 
    tar -xfz /home/caspida/splunk-uba-software-update-000027-503.tgz -C /home/caspida
  4. Apply the patch with the following command: 
    /home/caspida/patch_uba_503/bin/utils/patch_uba.sh -p /home/caspida/patch_uba_503 -e /home/caspida/uba-ext-pkgs-5.0.3.tgz
    The command installs the new Splunk UBA software including the updated OpenJDK and Docker image, restarts Splunk UBA, and then restarts the data sources.

Apply security patches on Ubuntu

If you are upgrading an Ubuntu system, perform the following tasks to apply the latest security patches:

Applying the security patches on Ubuntu can take up to one hour. This is recommended when upgrading Splunk UBA but is not a required step.

  1. Log in to the Splunk UBA server as the caspida user.
  2. Run the following command to stop Splunk UBA and all services: 
    /opt/caspida/bin/Caspida stop-all
  3. Run the following commands to install latest unattended-upgrades package: 
    sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 6A030B21BA07F4FB
sudo apt update
sudo apt install unattended-upgrades

    If you see the following prompt, select keep the local version currently installed: 

    What do you want to do about modified configuration file 50unattended-upgrades?
  4. Run the following command: 
    sudo apt autoremove
  5. Edit the /etc/apt/apt.conf.d/50unattended-upgrades file and un-comment the following line: 
    "${distro_id}:${distro_codename}-security";
    Leave all other lines commented out.
  6. Run the following command: 
    sudo unattended-upgrade -d
  7. Edit the /etc/init.d/zookeeper-server file and change su to runuser in all of the following lines: 
    su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} start"
su -s /bin/bash zookeeper -c "${DAEMON_SCRIPT} stop"
su -s /bin/bash zookeeper -c "zookeeper-server-initialize $*"
  8. Reboot the system: 
    sudo reboot
  9. Run the following command to start Splunk UBA and all services: 
    /opt/caspida/bin/Caspida start-all

Next Steps

Verify a successful upgrade of Splunk UBA.

Last modified on 30 November, 2022
Upgrade Splunk UBA prerequisites   Upgrade a single node RHEL, CentOS, or Oracle Linux installation of Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.3

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters