Splunk Add-on for Unix and Linux

AMAN0113
Explorer

We have Splunk Add-on for Unix and Linux 8.2.0 installed and need to upgrade it to the latest version (8.10.0). I request someone to help: can I directly upgrade it to 8.10, or should there be an incremental upgrade? Is there any feature that will be affected in my existing set-up due to the upgrade? Also, what are the steps that should be taken while I perform this so as not to lose any of my existing configs? Is there any documentation for this?


gcusello
SplunkTrust

Hi @AMAN0113,

if you didn't do any customization you can directly do your upgrade to the latest version.

You can update using the deployment method you have in use: Deployment Server or manually.

Only one check: if you enabled inputs in the local folder there will be no problem; if you enabled them in the default folder (there's someone that does it), remember to enable the requested inputs.

Ciao.

Giuseppe

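The check mentioned in the answer above (inputs enabled in the default folder instead of local), as an added example that is not part of the original post or of the add-on: an upgrade replaces `default/inputs.conf` and leaves `local/inputs.conf` alone, so this lists the stanzas switched on only in default and renders the overrides to put in local before upgrading. The sample file contents and the function names are constructed for illustration.

```python
# Constructed sample contents, not the add-on's real inputs.conf files.
DEFAULT_CONF = """\
[script://./bin/cpu.sh]
interval = 30
disabled = 0

[script://./bin/ps.sh]
disabled = false

[script://./bin/netstat.sh]
disabled = 1
"""

LOCAL_CONF = """\
# settings here survive an upgrade
[script://./bin/ps.sh]
disabled = 0
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def enabled_only_in_default(default_text, local_text):
    """Stanzas explicitly enabled in default/ with no 'disabled' key in local/."""
    default, local = parse_conf(default_text), parse_conf(local_text)
    return sorted(
        name for name, settings in default.items()
        if settings.get("disabled", "").lower() in ("0", "false")
        and "disabled" not in local.get(name, {})
    )

def local_overrides(stanzas):
    """Render the stanzas to append to local/inputs.conf before upgrading."""
    return "\n\n".join(f"[{name}]\ndisabled = 0" for name in stanzas)

if __name__ == "__main__":
    print(local_overrides(enabled_only_in_default(DEFAULT_CONF, LOCAL_CONF)))
```

On a live forwarder, `splunk btool inputs list --debug` shows which file each effective setting comes from.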

AMAN0113
Explorer

Hi @gcusello
Thanks for your inputs.
A follow-up question: do I have to expect any data loss during the upgrade, or is the add-on capable of backfilling the data lost during the time of upgrade? Also, do I need to restart Splunk on my server for the changes to reflect?


gcusello
SplunkTrust

Hi @AMAN0113,

On HF the upgrade made by GUI doesn't require restart, otherwise you have to restart the forwarder.

During restart you don't lose any data, because logs are written by Linux in files that are read by the forwarder when it restarts; you'll only have a delay in indexing.

Obviously scripts aren't executed during restart, but they will be executed at the next scheduled time.

Let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

isoutamo
SplunkTrust

One remark. As @gcusello said, you don't lose any data which is based on files. But there are some scripts which are using commands like ps, netstat, sar etc. to collect data by periods. When your TA is not in place and those inputs are not run, you obviously lose those events, as those input scripts haven't run. But that should be any real issue.

isoutamo
SplunkTrust

Hi

as you can see from https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Upgrade there are some things which you must/should check before you do an update.

r. Ismo

