Splunk® Add-on for Unix and Linux (Legacy)

Deploy and Use the Splunk Add-on for Unix and Linux

Acrobat logo Download manual as PDF


The documentation for the current version of this Add-on has moved. See the current version of the documentation for the Splunk Add-on for Unix and Linux.
Acrobat logo Download topic as PDF

Upgrade the Splunk Add-on for Unix and Linux

If the Splunk Add-on for Unix and Linux was previously installed and configured, there are several prerequisite steps that must be completed before upgrading to version 6.0.0.

Configure indexes.conf

The Splunk Add-on for Unix and Linux 6.0.0 no longer defines os and firedalerts indexes. You must make a local copy of indexes.conf before performing the upgrade.

  1. Copy $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/indexes.conf to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/indexes.conf.
  2. If necessary, create the event indexes, see Create and edit event indexes.
  3. To index data in a specific index, edit inputs.conf and add index = indexname in the [input] stanza.

If the Splunk Add-on for Unix and Linux is upgraded from version 5.2.4 to version 6.0.0 before making a local copy of indexes.conf, the existing index configurations will not be available after the upgrade and the previously indexed data may be lost. If indexes are defined and not copied over, newly ingested data may be lost. If data is sent to an undefined index, data will be lost.

Configure inputs.conf

Default indexing location

The Splunk Add-on for Unix and Linux version 5.2.4 indexes data by default into an os index, and version 6.0.0 uses the main index. If you want to index data with version 6.0.0 in the same index used by version 5.2.4, add index = <os/firedalerts> to each input stanza in inputs.conf.

  1. Edit $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf
  2. Locate each input stanza and add index = <os/firedalerts>.

If this step is missed, the Splunk Add-on for Unix and Linux 6.0.0 will index data into the default index, typically main.

Monitoring bash history

The stanza name for monitoring bash histories has been renamed in the Splunk Add-on for Unix and Linux to improve performance. You must rename the existing bash_history stanza name in inputs.conf.

  1. Edit $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf.
  2. Locate the stanza [monitor:///home/.../.bash_history]
  3. Change the stanza name to [monitor:///home/*/.bash_history]

If this step is missed, you will see both [monitor:///home/.../.bash_history] and [monitor:///home/*/.bash_history] in the add-on setup page.

Configure app.conf

The configuration status of the Splunk Add-on for Unix and Linux version 6.0.0 is set to false by default and you will be asked to perform the setup after the upgrade is completed. Once the setup is saved, you will not be asked to perform the setup again.

If you do not want to reconfigure the add-on after the upgrade is completed, add is_configured=true to app.conf.

  1. Edit $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/app.conf.
  2. Locate the [install] stanza and add is_configured=true.
Last modified on 24 May, 2018
PREVIOUS
Install the Splunk Add-on for Unix and Linux
  NEXT
Enable data and scripted inputs for the Splunk Add-on for Unix and Linux

This documentation applies to the following versions of Splunk® Add-on for Unix and Linux (Legacy): 6.0.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters