Getting Data In

How to upgrade 15 Solaris hosts from Splunk 4.1.3 to 6.4.0 universal forwarders?

sysadm43
New Member

As unix support staff drafted to be an inexperienced Splunk support staffer, I hope I can appeal to someone who knows what they are doing.

I've been tasked with updating about 15 Solaris hosts to the current version of Splunk. These hosts are all SplunkEnterprise installs that only perform forwarding. The funky part is that they are version 4.1.3, so it appears that I'll have to perform three in-place upgrades to bring each of them up to current. We do have a deployment server in place (that I don't have access to) which handles the configurations and the app forwarding to a cluster of indexers. No filtering is occurring as far as I can tell. My customer has already committed that we can leave logging offline for several hours during the upgrade process in order to handle the process more easily (as long as we reprocess the current system logs).

Given the number of steps involved, and having to coordinate with other staff for the deployment server, would it make more sense to simply replace the installation on each host with a new universal forwarder?

thanks in advance.....

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

I'm leaning towards a replace rather than an upgrade - I believe universal forwarders didn't exist back in 4.1, you probably have a light forwarder. That's a full install with many features disabled, while a universal forwarder is a separate, smaller install package.

Here's info on how to migrate checkpoint data from an older light forwarder to a universal forwarder: http://docs.splunk.com/Documentation/Splunk/6.4.0/Forwarding/Migrateanixforwarder
Without that checkpoint data, the new universal forwarder would re-read already forwarded data.

If set up correctly, the old forwarder got all its configuration from the deployment server so all you'd have to do on the new install would be to configure the deployment server... check with your splunk people if that's the case. Good indicators of the opposite are non-standard settings in $SPLUNK_HOME/etc/system/local.
Also, check with them that the tasks done by the current light forwarder actually are supported by a universal forwarder, see http://docs.splunk.com/Documentation/Splunk/6.4.0/Forwarding/Typesofforwarders - biggest difference is no bundled python, so scripted inputs might require installing python separately.

View solution in original post

ddrillic
Ultra Champion

We automate these processes using python scripts. It's worth it ; -)

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I'm leaning towards a replace rather than an upgrade - I believe universal forwarders didn't exist back in 4.1, you probably have a light forwarder. That's a full install with many features disabled, while a universal forwarder is a separate, smaller install package.

Here's info on how to migrate checkpoint data from an older light forwarder to a universal forwarder: http://docs.splunk.com/Documentation/Splunk/6.4.0/Forwarding/Migrateanixforwarder
Without that checkpoint data, the new universal forwarder would re-read already forwarded data.

If set up correctly, the old forwarder got all its configuration from the deployment server so all you'd have to do on the new install would be to configure the deployment server... check with your splunk people if that's the case. Good indicators of the opposite are non-standard settings in $SPLUNK_HOME/etc/system/local.
Also, check with them that the tasks done by the current light forwarder actually are supported by a universal forwarder, see http://docs.splunk.com/Documentation/Splunk/6.4.0/Forwarding/Typesofforwarders - biggest difference is no bundled python, so scripted inputs might require installing python separately.

sysadm43
New Member

Thanks for the assistance, and especially for the doc pointer to migrating checkpoints into universal forwarders. I'll hold to see if there are any dissenting opinions before committing to this path, but it certainly looks like it may be the best solution.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...