As unix support staff drafted to be an inexperienced Splunk support staffer, I hope I can appeal to someone who knows what they are doing.
I've been tasked with updating about 15 Solaris hosts to the current version of Splunk. These hosts are all SplunkEnterprise installs that only perform forwarding. The funky part is that they are version 4.1.3, so it appears that I'll have to perform three in-place upgrades to bring each of them up to current. We do have a deployment server in place (that I don't have access to) which handles the configurations and the app forwarding to a cluster of indexers. No filtering is occurring as far as I can tell. My customer has already committed that we can leave logging offline for several hours during the upgrade process in order to handle the process more easily (as long as we reprocess the current system logs).
Given the number of steps involved, and having to coordinate with other staff for the deployment server, would it make more sense to simply replace the installation on each host with a new universal forwarder?
thanks in advance.....
I'm leaning towards a replace rather than an upgrade - I believe universal forwarders didn't exist back in 4.1, you probably have a light forwarder. That's a full install with many features disabled, while a universal forwarder is a separate, smaller install package.
Here's info on how to migrate checkpoint data from an older light forwarder to a universal forwarder: http://docs.splunk.com/Documentation/Splunk/6.4.0/Forwarding/Migrateanixforwarder
Without that checkpoint data, the new universal forwarder would re-read already forwarded data.
If set up correctly, the old forwarder got all its configuration from the deployment server so all you'd have to do on the new install would be to configure the deployment server... check with your splunk people if that's the case. Good indicators of the opposite are non-standard settings in $SPLUNK_HOME/etc/system/local.
Also, check with them that the tasks done by the current light forwarder actually are supported by a universal forwarder, see http://docs.splunk.com/Documentation/Splunk/6.4.0/Forwarding/Typesofforwarders - biggest difference is no bundled python, so scripted inputs might require installing python separately.
We automate these processes using python scripts. It's worth it ; -)
I'm leaning towards a replace rather than an upgrade - I believe universal forwarders didn't exist back in 4.1, you probably have a light forwarder. That's a full install with many features disabled, while a universal forwarder is a separate, smaller install package.
Here's info on how to migrate checkpoint data from an older light forwarder to a universal forwarder: http://docs.splunk.com/Documentation/Splunk/6.4.0/Forwarding/Migrateanixforwarder
Without that checkpoint data, the new universal forwarder would re-read already forwarded data.
If set up correctly, the old forwarder got all its configuration from the deployment server so all you'd have to do on the new install would be to configure the deployment server... check with your splunk people if that's the case. Good indicators of the opposite are non-standard settings in $SPLUNK_HOME/etc/system/local.
Also, check with them that the tasks done by the current light forwarder actually are supported by a universal forwarder, see http://docs.splunk.com/Documentation/Splunk/6.4.0/Forwarding/Typesofforwarders - biggest difference is no bundled python, so scripted inputs might require installing python separately.
Thanks for the assistance, and especially for the doc pointer to migrating checkpoints into universal forwarders. I'll hold to see if there are any dissenting opinions before committing to this path, but it certainly looks like it may be the best solution.