Deployment Architecture

Upgrade all universal forwarders using deployment servers. Is it possible as of 6.0.2?

gozulin
Communicator

we're having problems with a splunk bug (SPL-78457) and we need to upgrade our 128+ universal forwarders (linux+solaris) to version 6.0.2.

Can we do this using the deployment server? I really hope so!

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Yeah... upgrading forwarders using Deployment Server isn't possible. All it does is roll out apps with Splunk configuration in them.

View solution in original post

christianvalin
Explorer

This lack of functionality seems like silliness... what if we created an app that ran a script or batch file (whatever matches the client) which in effect does:
a) retrieves a new pkg or msi to the client from wherever you host the new UF version if the local (client version does not match what is on the hosted location) - ok maybe even check the package download/copy for accuracy (using hash)
b) stop the UF locally (on the client)
c) runs the new pkg or msi (which by default the UF will auto-start yes? or if no, start the local UF).
d) exits gracefully.

so this would be an experiment but I bet someone has come up with this already (anyone have a working example?)

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If you run that yourself it works, but if you let splunk invoke that as a scripted input the scripted input will terminate when splunk terminates.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Give it a go yourself. Save a foo.bat file in etc/system/bin and enable that as a scripted input. Put this into the file:

path\to\splunk\bin\splunk stop
path\to\splunk\bin\splunk start

Same approach but different slashes for 'nix. You'll see your Splunk stopped, but not started.

0 Karma

christianvalin
Explorer

Works for me if I invoke it with cmd.exe batchfilename.bat or Linux-esque 'myrefresh.sh &'

0 Karma

christianvalin
Explorer

Point b would not stop the script; the script or batch file runs independently - it is an invoked process. What it is - a little wasteful because each time the client checks in, it would invoke the script. But then again, do clients need to check in every five minutes? In most environments, probably not and every so many hours may suffice. Just saying.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Point b would stop your script.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Yeah... upgrading forwarders using Deployment Server isn't possible. All it does is roll out apps with Splunk configuration in them.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...