
Upgrading Splunk apps by copying files - Is there a recommended way to update Splunk apps in clustered environments?

rev1ver
Explorer

Is there a recommended way to update Splunk apps in clustered environments?

Based on some app instructions, the recommended approach is to copy over the app archive contents into /etc/shcluster/apps/ (or /etc/manager-apps/ for CM). This overwrites existing contents and should preserve the local directory (unless the upgraded app has a local directory). Should I follow that for all apps?

Same question for standalone servers: should I use the above approach or use the install CLI command?

0 Karma

richgalloway
SplunkTrust

Always start with the app's own installation/upgrade instructions, if any.  Otherwise, my usual practice is to download the app to the deployer/CM, untar it into the appropriate directory, make any necessary changes, then push the bundle.

tar -zxf Splunk_TA_foo.spl -C /opt/splunk/etc/manager-apps

You can use the same approach for standalone servers or you can use the UI, making sure to check the "Upgrade..." box.

---
If this reply helps you, Karma would be appreciated.

rev1ver
Explorer

>> make any necessary changes

Can you give an example of what kind of changes could be necessary at this step?

>> tar -zxf Splunk_TA_foo.spl -C /opt/splunk/etc/manager-apps

Using that command, is the idea to copy the updated app folder on top of the old one, overwriting duplicate files?

Is that even relevant: are there use cases to have modified app files on the CM or SHD?

0 Karma

richgalloway
SplunkTrust

Necessary changes include removing the inputs.conf file from manager-apps apps and removing indexes.conf files from shcluster apps (except certain apps like myorg_all_indexes).

Yes, the tar command overwrites existing files with those from the .spl file.

Yes, there are use cases to modify apps in the CM or SHCD (see above), but those changes should be made to the local directory.

There are exceptions, of course.  Some apps ship with static lookup files so if you changed them locally you'll want to merge your local copy with the new one.

---
If this reply helps you, Karma would be appreciated.

splunkreal
Motivator

Hi @richgalloway discussing this subject with @gcusello at https://community.splunk.com/t5/All-Apps-and-Add-ons/How-would-you-update-customized-app-in-clustere...

 

For example, we downloaded an app from Splunkbase.

We have made some local confs.

We want to get the latest one from Splunkbase.

If we untar the new app into the old app directory, then we may see old remaining files which were used by the old app but are not in the new app?

Thanks for your opinion.

 

* If this helps, please upvote or accept solution 🙂 *
0 Karma

richgalloway
SplunkTrust

If you untar a new version of an app into $SPLUNK_HOME/etc/apps, it will overwrite all existing files except those in the local directory.  Note that any changes to files in the lookups directory will be replaced with files from the tarball.

---
If this reply helps you, Karma would be appreciated.

splunkreal
Motivator

Which command do you use?

In my opinion, you will keep old deprecated or removed files from the old app.

Thanks 🙂

* If this helps, please upvote or accept solution 🙂 *
0 Karma

richgalloway
SplunkTrust

I use this command after first making a backup of the app's lookups directory.

tar -zxf <<app file>>.tgz -C /opt/splunk/etc/apps

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
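
An added example, not part of the thread or of any Splunk tooling: a pre-upgrade check for the untar approach discussed above. It lists files the new archive no longer ships (tar leaves them in place), archive members under local/, and lookup files whose contents the extract will replace. The function names are hypothetical, and it assumes the archive holds a single top-level directory named after the app, with member paths that do not start with "./".

```shell
#!/bin/sh
# Pre-upgrade report for "tar -zxf <archive> -C <apps_dir>" over an existing app.
# Assumption: the archive contains one top-level directory named after the app.
export LC_ALL=C   # stable sort order, required by comm

# Regular files shipped in the archive, as "<app>/<path>".
archive_files() { tar -tzf "$1" | grep -v '/$' | sort; }

# Regular files currently on disk for app $2 under apps directory $1.
installed_files() { (cd "$1" && find "$2" -type f) | sort; }

# Files on disk that the new version no longer ships. tar only adds and
# overwrites, so these survive the upgrade. local/ is site config: skipped.
stale_files() {        # stale_files <archive> <apps_dir> <app>
    new=$(mktemp) || return 1
    archive_files "$1" > "$new"
    installed_files "$2" "$3" | grep -v "^$3/local/" | comm -23 - "$new"
    rm -f "$new"
}

# Archive members under local/: extracting them overwrites site configuration.
local_in_archive() {   # local_in_archive <archive> <app>
    archive_files "$1" | grep "^$2/local/"
}

# Lookup files on disk whose content differs from the archive copy. The
# extract replaces them, so back them up or merge them first.
changed_lookups() {    # changed_lookups <archive> <apps_dir> <app>
    archive_files "$1" | grep "^$3/lookups/" | while IFS= read -r f; do
        [ -f "$2/$f" ] || continue
        tar -xzOf "$1" "$f" | cmp -s - "$2/$f" || printf '%s\n' "$f"
    done
}

# Report when run as: sh precheck.sh <archive> <apps_dir> <app>
if [ "$#" -eq 3 ]; then
    echo "== files left behind after extract:";  stale_files "$1" "$2" "$3"
    echo "== local/ files shipped in archive:";  local_in_archive "$1" "$3"
    echo "== lookups the extract will replace:"; changed_lookups "$1" "$2" "$3"
fi
```
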

PickleRick
SplunkTrust

Oh, it's called manager-apps now? 😄

Anyway, in case of deploying to search heads you have to remember that you have several deployer push modes available.

0 Karma