Upgrading Splunk apps by copying files

rev1ver
Explorer

Is there a recommended way to update Splunk apps in clustered environments?

Based on some app instructions, the recommended approach is to copy over the app archive contents into /etc/shcluster/apps/ (or /etc/manager-apps/ for CM). This overwrites existing contents and should preserve the local directory (unless the upgraded app has a local directory). Should I follow that for all apps?

Same question for standalone servers: should I use the above approach or use the install CLI command?


richgalloway
SplunkTrust

Always start with the app's own installation/upgrade instructions, if any.  Otherwise, my usual practice is to download the app to the deployer/CM, untar it into the appropriate directory, make any necessary changes, then push the bundle.

tar -zxf Splunk_TA_foo.spl -C /opt/splunk/etc/manager-apps

You can use the same approach for standalone servers or you can use the UI, making sure to check the "Upgrade..." box.

---
If this reply helps you, Karma would be appreciated.

rev1ver
Explorer

>> make any necessary changes

Can you give an example of what kind of changes could be necessary at this step?

>> tar -zxf Splunk_TA_foo.spl -C /opt/splunk/etc/manager-apps

Using that command, is the idea to copy the updated app folder on top of the old one, overwriting duplicate files?

Is that even relevant: are there use cases to have modified app files on the CM or SHD?


richgalloway
SplunkTrust

Necessary changes include removing the inputs.conf file from manager-apps apps and removing indexes.conf files from shcluster apps (except certain apps like myorg_all_indexes).

Yes, the tar command overwrites existing files with those from the .spl file.

Yes, there are use cases to modify apps in the CM or SHCD (see above), but those changes should be made to the local directory.

There are exceptions, of course.  Some apps ship with static lookup files so if you changed them locally you'll want to merge your local copy with the new one.

---
If this reply helps you, Karma would be appreciated.

realsplunk
Motivator

Hi @richgalloway discussing this subject with @gcusello at https://community.splunk.com/t5/All-Apps-and-Add-ons/How-would-you-update-customized-app-in-clustere...

 

For example, we downloaded an app from Splunkbase.

We have made some local conf changes.

We want to get the latest version from Splunkbase.

If we untar the new app into the old app directory, then we may see old remaining files which were used by the old app but are not in the new app?

Thanks for your opinion.

 


richgalloway
SplunkTrust

If you untar a new version of an app into $SPLUNK_HOME/etc/apps, it will overwrite all existing files except those in the local directory.  Note that any changes to files in the lookups directory will be replaced with files from the tarball.

---
If this reply helps you, Karma would be appreciated.

realsplunk
Motivator

Which command do you use?

In my opinion, you will keep old deprecated or removed files from the old app.

Thanks 🙂


richgalloway
SplunkTrust

I use this command after first making a backup of the app's lookups directory.

tar -zxf <<app file>>.tgz -C /opt/splunk/etc/apps

 

---
If this reply helps you, Karma would be appreciated.
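
The points raised in this thread (leftover files from the old version, lookups replaced by the tarball, an archive that ships its own local directory), as an added example that is not part of the original posts: POSIX shell functions that report each of them before the untar is run. The function names and the constructed Splunk_TA_foo sample are assumptions, and archive members are assumed to start with the app directory name.

```shell
# Added example: report what untarring a new app version over the old one does.
# Assumes archive members start with the app directory name (Splunk_TA_foo/...).
archive_files() {   # regular files in archive $1
    tar -tzf "$1" | grep -v '/$' | sort
}

# Installed but absent from the new archive: these survive the untar.
# local/ and metadata/local.meta are skipped because they are meant to stay.
stale_files() {     # $1 = archive, $2 = apps directory
    app=$(archive_files "$1" | head -n 1 | cut -d/ -f1)
    tmp=$(mktemp -d)
    archive_files "$1" > "$tmp/new"
    (cd "$2" && find "$app" -type f ! -path "$app/local/*" \
        ! -path "$app/metadata/local.meta" | sort) > "$tmp/old"
    comm -13 "$tmp/new" "$tmp/old"
    rm -rf "$tmp"
}

# Lookups whose installed content differs from the archive copy; the untar
# replaces them, so back them up or merge first.
changed_lookups() { # $1 = archive, $2 = apps directory
    archive_files "$1" | grep '/lookups/' | while read -r f; do
        [ -f "$2/$f" ] || continue
        tar -xzOf "$1" "$f" | cmp -s - "$2/$f" || echo "$f"
    done
}

# Files the archive ships under local/, which would overwrite local settings.
ships_local() {     # $1 = archive
    archive_files "$1" | grep '^[^/]*/local/' || true
}

# Constructed sample: installed v1 under $1/apps, v2 archive at $1/new.tgz.
make_demo() {
    a="$1/apps/Splunk_TA_foo"; n="$1/v2/Splunk_TA_foo"
    mkdir -p "$a/default" "$a/bin" "$a/lookups" "$a/local" "$n/default" "$n/lookups"
    echo old    > "$a/default/app.conf"
    echo x      > "$a/bin/old_input.py"    # dropped in v2
    echo mine   > "$a/lookups/codes.csv"   # locally edited
    echo cfg    > "$a/local/inputs.conf"
    echo new    > "$n/default/app.conf"
    echo vendor > "$n/lookups/codes.csv"
    tar -czf "$1/new.tgz" -C "$1/v2" Splunk_TA_foo
}

d=$(mktemp -d) && make_demo "$d"
echo "stale after untar: $(stale_files "$d/new.tgz" "$d/apps")"
echo "lookups replaced:  $(changed_lookups "$d/new.tgz" "$d/apps")"
rm -rf "$d"
```

Anything `stale_files` prints has to be removed by hand (or the app directory replaced rather than overlaid) if the old files should not remain on the CM, deployer or standalone server.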

PickleRick
Ultra Champion

Oh, it's called manager-apps now? 😄

Anyway, in case of deploying to search heads you have to remember that you have several deployer push modes available.
