I've inherited a Splunk environment with many apps installed and some require upgrading.
I need to upgrade the Splunk Website Monitoring app from version 1.6 to 2.7.0 (current latest version).
I've searched on answers.splunk.com for how to upgrade Splunk apps, but all I could find is:
1.) In the case of the *nix app on my instance, I chose overwrite with 4.2.0 from the splunk -> manager -> apps window.
I can't find how to do this from the Splunk apps web interface. There's no obvious upgrade form, or place to "overwrite" the app.
2.) Helped me to get rid of "unix-all-logs" eventtypes:
1) move "unix" app from folder etc/apps
2) restart splunk
3) copy "unix" app back to etc/apps folder
4) restart splunk
Simply deleting the old app, and copying over the new app will result in the loss of all the currently defined inputs (of which there are currently over 300).
Is there some decent documentation on how to upgrade Splunk apps, and/or Website Monitoring in particular? I'm also concerned that the web UI shows more apps than I can currently find in the local/inputs.conf, leading me to believe these apps are defined elsewhere, and I don't want to lose my inputs if I upgrade.
How to upgrade the apps depends on both the app and the architecture of your Splunk install.
Non-Search Head Clustered Environment
For Website Monitoring on a standalone search head (not Search Head Clustered), you can upgrade it directly from the Manager (see here). Additionally, you will likely see a link in the apps list within Splunk saying something like "Update to 2.7.0". You can use this to update the app too (without having to upload the package).
Search Head Clustered Environment
For an SHC environment, you will need to update the app on the deployer and then invoke a rolling restart on the search heads.
Thanks for the quick response Luke.
We have this app installed in a few different places, including a standalone Data Collection Node. I cloned the VM for this DCN and was able to successfully test an upgrade of the app as you suggested, on the cloned VM.
However, we also have the app installed on a search head cluster. The apps are all defined in git, then synch'ed to a deployment server, and the search head cluster nodes are deployment clients that pull down the app from the deployment server. So the config is all done on the command line via git.
Is there a way to update the app by editing the files on the CLI, not using the Splunk Web UI?
Thanks very much
@stepowsk: In your case, it sounds like you will want to expand the Website Monitoring app archive onto the git repo though since the repo is feeding the deployment server (if I am reading your description correctly). You can download the app archive directly from the Splunkbase page and then expand it into a local clone of the git repo and push your changes up to the upstream repo.
After that, you should be able to get the changes pulled down onto the deployment server (using git pull) which should then feed the search heads accordingly. You can likely use the Forwarder Management dashboard on the deployment server to see that the package got deployed. You might need to force a rolling restart for the search heads to see that change; I don't recall if this happens automatically.
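The "expand the archive into the git clone" step from the answer above, as an added example that is not part of the original thread or of any Splunk tooling: it unpacks the archive over the app directory, rejects archives that would write outside the app or into `local/`, and checks that the files under `local/` are byte-identical afterwards. It relies on the Splunk convention that packaged settings live in `default/` and site settings in `local/`; the function names, the `website_monitoring` folder name and the sample files are assumptions constructed for the demo.

```bash
# Added example (not from the thread): unpack a Splunkbase app archive over the
# copy in a git working tree and verify that local/ (site inputs) is untouched.

# Hash every file under <app_dir>/local so before/after can be compared.
local_digest() {
    [ -d "$1/local" ] || return 0
    (cd "$1/local" && find . -type f -exec sha256sum {} + | sort -k2)
}

# Print the "version = ..." value from <app_dir>/default/app.conf, if any.
app_version() {
    sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*//p' \
        "$1/default/app.conf" 2>/dev/null | head -n1
}

# upgrade_app <archive.tgz> <apps_dir> <app_name>
upgrade_app() {
    archive=$1 apps_dir=$2 app=$3
    listing=$(tar -tzf "$archive") || return 1
    # Every entry must live under <app_name>/ and contain no ".." component.
    if printf '%s\n' "$listing" | grep -Eqv "^$app(/|\$)" ||
       printf '%s\n' "$listing" | grep -Eq '(^|/)\.\.(/|$)'; then
        echo "refusing: entry outside $app/" >&2; return 2
    fi
    # A package that ships local/ files would overwrite site configuration.
    if printf '%s\n' "$listing" | grep -Eq "^$app/local/."; then
        echo "refusing: archive contains local/ files" >&2; return 3
    fi
    before=$(local_digest "$apps_dir/$app")
    old=$(app_version "$apps_dir/$app")
    tar -xzf "$archive" -C "$apps_dir" || return 1
    [ "$before" = "$(local_digest "$apps_dir/$app")" ] || { echo "local/ changed" >&2; return 4; }
    echo "$app: ${old:-none} -> $(app_version "$apps_dir/$app")"
}

# Constructed demo: a fake repo at version 1.6 with one local input, and a fake
# 2.7.0 archive. "website_monitoring" as the app folder name is an assumption.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/repo/website_monitoring/default" \
        "$t/repo/website_monitoring/local" "$t/new/website_monitoring/default"
    printf '[launcher]\nversion = 1.6\n' > "$t/repo/website_monitoring/default/app.conf"
    printf '[constructed_input://example]\nurl = https://example.com\n' \
        > "$t/repo/website_monitoring/local/inputs.conf"
    printf '[launcher]\nversion = 2.7.0\n' > "$t/new/website_monitoring/default/app.conf"
    tar -czf "$t/new.tgz" -C "$t/new" website_monitoring
    upgrade_app "$t/new.tgz" "$t/repo" website_monitoring
}
demo
```

Extraction never deletes files, so anything the new version dropped stays in the working tree; review `git status` and `git diff` before pushing.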