We have Splunk Add-on for Unix and Linux 8.2.0 installed and need to upgrade it to the latest version (8.10.0). Could someone advise whether I can upgrade directly to 8.10, or whether an incremental upgrade is needed? Is there any feature that will be affected in my existing setup due to the upgrade? Also, what steps should be taken while I perform this so as not to lose any of my existing configs? Is there any documentation for this?
Hi @AMAN0113,
if you didn't do any customization, you can upgrade directly to the latest version.
You can update using the deployment method you have in use: Deployment Server or manually.
Only one check: if you enabled inputs in the local folder there will be no problem; if you enabled them in the default folder (there are some people who do it), remember to enable the requested inputs.
Ciao.
Giuseppe
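Added example, not part of the thread or the add-on's own code: one way to run the default-versus-local check described in the answer above before upgrading. It assumes the shipped `default/inputs.conf` has its inputs disabled, so a `disabled = 0` there with no matching setting in `local/inputs.conf` marks an input whose state the upgrade would overwrite; the stanzas written by `build_sample` are constructed sample data.

```python
import os
import tempfile

ENABLED = {"0", "false"}  # 'disabled' values treated here as "input is on"

def read_disabled(path):
    """Return {stanza: value of 'disabled' or None} for one inputs.conf."""
    stanzas, current = {}, None
    if not os.path.isfile(path):
        return stanzas
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
                stanzas.setdefault(current, None)
            elif current is not None and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key == "disabled":
                    stanzas[current] = value.lower()
    return stanzas

def inputs_at_risk(app_dir):
    """Stanzas switched on in default/ whose state local/ does not set."""
    default = read_disabled(os.path.join(app_dir, "default", "inputs.conf"))
    local = read_disabled(os.path.join(app_dir, "local", "inputs.conf"))
    return sorted(s for s, v in default.items()
                  if v in ENABLED and local.get(s) is None)

def build_sample(app_dir):
    """Write a constructed default/ and local/ inputs.conf for the demo."""
    sample = {
        "default": "[script://./bin/cpu.sh]\ninterval = 30\ndisabled = 0\n\n"
                   "[script://./bin/ps.sh]\ndisabled = 0\n\n"
                   "[script://./bin/df.sh]\ndisabled = 1\n",
        "local": "# constructed sample\n[script://./bin/ps.sh]\ndisabled = 0\n\n"
                 "[script://./bin/df.sh]\ndisabled = 0\n",
    }
    for folder, text in sample.items():
        os.makedirs(os.path.join(app_dir, folder), exist_ok=True)
        path = os.path.join(app_dir, folder, "inputs.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as app:
        build_sample(app)
        for stanza in inputs_at_risk(app):
            print("enabled only in default/, set it in local/:", stanza)
```

To check a real installation, call `inputs_at_risk()` with the add-on's own directory under `etc/apps` instead of the temporary sample.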
Hi @gcusello,
Thanks for your inputs.
A follow-up question: do I have to expect any data loss during the upgrade, or is the add-on capable of backfilling the data lost during the time of upgrade? Also, do I need to restart Splunk on my server for the changes to be reflected?
Hi @AMAN0113,
on an HF, an upgrade made via the GUI doesn't require a restart; otherwise you have to restart the forwarder.
During the restart you don't lose any data, because logs are written by Linux to files that are read by the forwarder when it restarts; you'll only have a delay in indexing.
Obviously scripts aren't executed during the restart, but they will be executed at the next scheduled time.
Let us know if we can help you more, or, please, accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
One remark. As @gcusello said, you don't lose any data that is based on files. But there are some scripts which use commands like ps, netstat, sar etc. to collect data periodically. When your TA is not in place and those inputs are not run, you obviously lose those events, as those input scripts haven't run. But that shouldn't be any real issue.
Hi
as you can see from https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Upgrade there are some things which you must/should check before you do an update.
r. Ismo