Deployment Architecture

Upgrade all universal forwarders using deployment servers. Is it possible as of 6.0.2?

gozulin
Communicator

We're having problems with a Splunk bug (SPL-78457) and we need to upgrade our 128+ universal forwarders (Linux + Solaris) to version 6.0.2.

Can we do this using the deployment server? I really hope so!

0 Karma
1 Solution

martin_mueller
SplunkTrust

Yeah... upgrading forwarders using Deployment Server isn't possible. All it does is roll out apps with Splunk configuration in them.


christianvalin
Explorer

This lack of functionality seems like silliness... what if we created an app that ran a script or batch file (whatever matches the client) which in effect does:
a) retrieves a new pkg or msi to the client from wherever you host the new UF version, if the local (client) version does not match what is on the hosted location - OK, maybe even check the package download/copy for accuracy (using a hash)
b) stop the UF locally (on the client)
c) runs the new pkg or msi (which by default the UF will auto-start yes? or if no, start the local UF).
d) exits gracefully.

So this would be an experiment, but I bet someone has come up with this already (anyone have a working example?)

0 Karma
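Step (a) of the procedure proposed above (compare versions, then check the downloaded package against a hash), as an added example that is not part of the original thread or of any Splunk tooling. The function names, version strings and package path are hypothetical, and it assumes the expected SHA-256 reaches the client through a channel separate from the package host, since a hash fetched alongside the package only shows the download was not corrupted.

```shell
#!/bin/sh
# Added example: pre-install gate for step (a). All names are hypothetical.

# Print the SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Succeed only when installed version $1 is strictly older than hosted
# version $2. Fields are compared numerically, so 6.0.10 is newer than 6.0.2.
version_older() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$oldest" = "$1" ]
}

# Decide what to do with a downloaded package. Prints one of:
#   skip    - client is already at or past the hosted version
#   reject  - package missing or hash mismatch; do not stop the forwarder
#   install - version is older and the package matches the expected hash
# Args: installed-version hosted-version package-path expected-sha256
upgrade_decision() {
    installed=$1 hosted=$2 pkg=$3 expected=$4
    version_older "$installed" "$hosted" || { echo skip; return 0; }
    [ -f "$pkg" ] || { echo reject; return 0; }
    actual=$(sha256_of "$pkg")
    # Accept the expected hash in either case.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo install
    else
        echo reject
    fi
}
```

Running the decision before step (b) means a bad or tampered download never takes the forwarder offline.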

martin_mueller
SplunkTrust

If you run that yourself it works, but if you let Splunk invoke that as a scripted input, the scripted input will terminate when Splunk terminates.

0 Karma

martin_mueller
SplunkTrust

Give it a go yourself. Save a foo.bat file in etc/system/bin and enable that as a scripted input. Put this into the file:

path\to\splunk\bin\splunk stop
path\to\splunk\bin\splunk start

Same approach but different slashes for 'nix. You'll see your Splunk stopped, but not started.

0 Karma

christianvalin
Explorer

Works for me if I invoke it with cmd.exe batchfilename.bat or Linux-esque 'myrefresh.sh &'

0 Karma

christianvalin
Explorer

Point b would not stop the script; the script or batch file runs independently - it is an invoked process. What it is - a little wasteful because each time the client checks in, it would invoke the script. But then again, do clients need to check in every five minutes? In most environments, probably not and every so many hours may suffice. Just saying.

0 Karma

martin_mueller
SplunkTrust

Point b would stop your script.

0 Karma

