The upgrade process on Linux is basically to unpack the tgz file over the existing Splunk home directory.
I understand that will add any new files where they need to be and update any files that need updating, but what about the files that are no longer needed after the upgrade? Are they ever removed, or do we just accumulate rubbish over the years?
If you update/upgrade in situ The Right Way™, no - [almost] nothing "old" is ever removed: all you're ever doing is unpacking new files overtop of old ones and/or adding new files.
However, the volume of "rubbish" you accumulate "over the years" is pretty darn tiny - maybe on the order of a couple megs every time you update.
If you want to avoid even those few megs of accumulating "junk files", you can always use something like Ansible to deploy new Splunk hosts at the current rev as new installs, add them into your environment (all those pass4symkey entries, etc), then decommission old hosts, then update to the next rev.
That would ensure you're never holding more than one version's "rubbish" on your hosts.
Thanks. Maybe things are not too bad for splunk core.
Have you ever used Enterprise Security? It has a health check feature that reveals a LOT of "unshipped" files, and a significant portion of these really do not look like anything the team could ever have created themselves. So I believe they are accumulated junk, except I don't feel confident removing them.
The same basic principles apply for all things Splunk that I've yet seen (apps, add-ons, Core, etc) - other than maybe UBA: files get overwritten, but rarely get removed
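The two points above (an in-place upgrade overwrites but rarely removes, and the ES health check's "unshipped" list is full of files nobody on the team created) can be checked on a core host without ES. Splunk writes a manifest file into $SPLUNK_HOME for each installed release (splunk-<version>-<build>-<platform>-manifest); anything on disk under $SPLUNK_HOME that is neither listed in the current manifest nor site data (local/ overrides, users, var/, auth material) is a leftover from an earlier release. The script below is an added example, not code from this thread or from Splunk. It assumes the manifest line layout is whitespace-separated fields with the entry type first and the relative path last; only those two fields are used. The ignore list, the demo directory tree and the demo manifest are constructed for the example and should be tuned to your own deployment.

```python
import os
import tempfile
from pathlib import Path

# Paths expected to hold site-specific or runtime data rather than shipped
# files. Assumption for this example; extend for your own environment.
DEFAULT_IGNORE_PREFIXES = (
    "var/",                # indexes, logs, run state
    "etc/users/",          # per-user knowledge objects
    "etc/system/local/",   # site-local core config
    "etc/auth/",           # certs, splunk.secret
    "etc/passwd",
    "etc/licenses/",
)


def parse_manifest(text):
    """Return the set of relative paths listed in a Splunk manifest.

    Assumed layout (one entry per line): whitespace-separated fields whose
    first field is the entry type ('f' file, 'd' directory, 'l' link) and
    whose last field is the path relative to SPLUNK_HOME, e.g.
        f 444 splunk splunk etc/apps/search/default/app.conf
    Extra middle fields are tolerated because only first and last are read.
    """
    shipped = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] not in ("f", "d", "l"):
            continue
        shipped.add(fields[-1].rstrip("/"))
    return shipped


def is_site_data(rel, ignore_prefixes):
    """True for paths an admin or splunkd is expected to create locally."""
    if any(rel.startswith(p) for p in ignore_prefixes):
        return True
    # local/ overrides inside shipped apps are admin-created, not leftovers.
    return rel.startswith("etc/apps/") and "/local/" in rel


def unshipped_files(splunk_home, manifest_path, ignore_prefixes=DEFAULT_IGNORE_PREFIXES):
    """List files under splunk_home that the current manifest does not ship."""
    home = Path(splunk_home)
    current_manifest = Path(manifest_path).resolve()
    shipped = parse_manifest(current_manifest.read_text())
    leftovers = []
    for root, _dirs, files in os.walk(home):
        for name in files:
            full = Path(root) / name
            if full.resolve() == current_manifest:
                continue  # the manifest describing this release is not junk
            rel = full.relative_to(home).as_posix()
            if rel in shipped or is_site_data(rel, ignore_prefixes):
                continue
            leftovers.append(rel)
    return sorted(leftovers)


# Constructed manifest fragment for the demo; not a real Splunk manifest.
DEMO_MANIFEST = """\
d 555 splunk splunk bin
f 555 splunk splunk bin/splunk
f 444 splunk splunk etc/apps/search/default/app.conf
f 444 splunk splunk lib/python3.7/site-packages/newlib.py
"""

# Constructed SPLUNK_HOME contents: shipped files, site data, and two
# leftovers (a library dropped by a later release and an old manifest).
DEMO_TREE = {
    "bin/splunk": "binary",
    "etc/apps/search/default/app.conf": "[ui]\n",
    "lib/python3.7/site-packages/newlib.py": "# shipped\n",
    "lib/python2.7/site-packages/oldlib.py": "# from a previous release\n",
    "splunk-7.0.0-deadbeef0000-linux-2.6-x86_64-manifest": "f 555 splunk splunk bin/splunk\n",
    "etc/apps/search/local/savedsearches.conf": "[mine]\n",
    "etc/system/local/server.conf": "[general]\n",
    "var/log/splunk/splunkd.log": "log line\n",
}


def build_demo_tree(base):
    """Write DEMO_TREE plus a current manifest under base; return manifest path."""
    base = Path(base)
    for rel, content in DEMO_TREE.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    manifest = base / "splunk-9.0.0-cafef00d0000-linux-2.6-x86_64-manifest"
    manifest.write_text(DEMO_MANIFEST)
    return manifest


def run_demo():
    """Build the constructed tree in a temp dir and return its leftovers."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = build_demo_tree(tmp)
        return unshipped_files(tmp, manifest)


if __name__ == "__main__":
    for rel in run_demo():
        print("unshipped:", rel)
```

On a real host, run `unshipped_files("/opt/splunk", "/opt/splunk/splunk-<ver>-<build>-<platform>-manifest")`; the output is a review list, not a delete list. Old manifests are a good sanity check: each earlier release's manifest should appear, and diffing the old manifest against the current one shows exactly which shipped paths that release dropped.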