Deployment Architecture

How to update TA via Deployment Server?

daisy
Explorer

Hi all, from the available documentation, I am not getting how to practically update TA via Deployment server (i.e. distribute a newer version to the UFs via DS). If it matters, it is about the Add-On for Linux and Unix. I would imagine that it looks like this:

1) get the TA on the Deployment Server via GUI - go to  "install app from file" -> upload the downloaded .tgz file from splunkbase -> restart Splunk

2) Backup the used TA (older version)

3) Copy the TA (newer version) from the App folder into the deployment-apps folder (via cp -R)

4) Redeploy Deployment Server via  splunk reload deploy-server

5) Check if data is still being onboarded properly

Am I missing anything? Is this approach valid? 


gcusello
SplunkTrust

Hi @daisy,

No, your process isn't correct: if you load a TA from GUI, you install it on the Deployment Server, you cannot deploy it.

As you can read at https://docs.splunk.com/Documentation/Splunk/8.2.5/Updating/Aboutdeploymentserver the steps are:

  • copy (via SSH) the TA on the DS,
  • move (via SSH) the TA at $SPLUNK_HOME/etc/deployment-apps
  • untar (via SSH) the TA twice, to have the uncompressed folder,
  • remove (via SSH) the compressed files,
  • if you need to customize some conf file (e.g. to enable some disabled input), copy the conf file to modify from default to local folder and modify it by CLI,
  • Create or modify a ServerClass via GUI,
  • force the deploy via CLI using the command "splunk reload deploy-server" or wait for the normal update.

Please avoid comments because I agree that's a very complicated way to manage deployment, I asked (in Splunk Ideas) to manage this process via GUI, but no answers, I continue to hope!

Ciao.

Giuseppe


daisy
Explorer

Hi @gcusello - thank you very much. I have indeed used WinScp as well as MobaXTerm. But I am lacking the practical experience of updating TAs so I was wondering what the best way would be. Thank you, very much - you answered all my questions.

daisy
Explorer

Hi @gcusello thanks for the quick reply. I have some additional questions:

1) How do you get the TA on DS - do you download it on your laptop and then move via SSH?

2) Why do you need to untar the TA twice? via tar -xvzf should be sufficient to use the tar command once. Or do you mean to get from .tar.tgz the fully uncompressed folder?

3) Why do I need to modify the ServerClass via GUI? The TA name would stay the same so it should already be available. Or am I missing something here?

4) When untarring the TA, the local folder should be left untouched, right? As there should be custom configurations and I am afraid to lose these. Thus, I wrote that I would take backup before untarring, is this needed at all?

Thank you very much!


gcusello
SplunkTrust

Hi @daisy,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉


gcusello
SplunkTrust

Hi @daisy,

1) yes, to do this I use MobaXTerm, but you can also use WinSCP, as you like.

2) yes correct, I usually use two times the tar command but it's the same.

3) if you are deploying a new TA, you have to associate the new TA to a ServerClass, if instead you are modifying an already present TA, you don't need to update ServerClass.

4) if you take a TA from Splunk baseline, usually local folder isn't present, but you can check if there's something in the local folder of the new TA version.

Ciao.

Giuseppe
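
The update procedure from the answers above (unpack the package, place it under deployment-apps, keep the local customizations, reload), as an added shell example that is not part of the original posts and not Splunk's own tooling. The function name `update_ta`, the backup directory and the archive path check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Splunk's tooling): replace a TA under deployment-apps
# with a newer package, backing up the old copy and keeping its local/ folder.
# update_ta and the backup directory are hypothetical names.
update_ta() {
    pkg=$1; apps=$2; backups=$3
    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 1; }

    # Refuse archives whose entries use absolute paths or ".." components.
    if tar -tzf "$pkg" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe path in archive: $pkg" >&2; return 1
    fi

    # A TA package unpacks to exactly one top-level folder: the app name.
    app=$(tar -tzf "$pkg" | sed 's|^\./||' | cut -d/ -f1 | grep -v '^$' | sort -u)
    if [ -z "$app" ] || [ "$(printf '%s\n' "$app" | wc -l)" -ne 1 ]; then
        echo "expected one top-level folder in $pkg" >&2; return 1
    fi

    # Unpack away from deployment-apps so clients never see a half-written app.
    stage=$(mktemp -d) || return 1
    tar -xzf "$pkg" -C "$stage" || { rm -rf "$stage"; return 1; }

    if [ -d "$apps/$app" ]; then
        # Back up the version currently being deployed.
        mkdir -p "$backups"
        tar -czf "$backups/$app.$(date +%Y%m%d%H%M%S).tgz" -C "$apps" "$app" \
            || { rm -rf "$stage"; return 1; }
        # Carry the existing customizations over; warn if the package ships its own.
        if [ -d "$apps/$app/local" ]; then
            [ -d "$stage/$app/local" ] && echo "note: new package has local/, keeping the existing one" >&2
            rm -rf "$stage/$app/local"
            cp -Rp "$apps/$app/local" "$stage/$app/local"
        fi
        rm -rf "$apps/$app"
    fi
    mv "$stage/$app" "$apps/$app" && rm -rf "$stage" && echo "$app"
}

# Usage on the DS, followed by the reload from the thread:
#   sh update_ta.sh <package.tgz> "$SPLUNK_HOME/etc/deployment-apps" <backup dir>
#   splunk reload deploy-server
if [ "$#" -eq 3 ]; then update_ta "$@"; fi
```

The function prints the app folder name on success, which is the name to check against the ServerClass before reloading.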
