How to upgrade Apps (Palo Alto) on a Heavy Forward...

splk · ‎07-04-2016

Hello community,

I just take over a cluster (which is not in full productive mode yet) and i want to update all settings / apps before go live.
The Palo Alto App for example is on 4.x, available already is 5.x.

The cluster consists of Heavy Forwarders, Indexer Cluster and Search Heads (incl. Cluster Master and Management Server).
I can not find any documentation which tells me how to upgrade apps on such an setup.

So how to start, and in which order?
1. Create a new deplyoment app (deplyoment server) for the HF
2. Create a new shccluster app for the Search Heads
3. Create a new master app for the indexer cluster?

But what about the already installed Palo Alto App 4.x and the configuration files (local/transforms.conf...).
Do I need to uninstall the App first? Migrate the conf files by hand? Or is Splunk aware of the ugprade?

Thanks for your help.

splk · ‎08-31-2016

Resolved:

Simple extract the new App into the existing app directory and overwrite all files (some backup would be helpful), local/ should be untouched. Follow the upgrade instructions from the app itself.

splk · ‎07-05-2016

Looks like the documentation: http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/PropagateSHCconfigurationchanges points in some direction: To update an app on the cluster members, put the updated version in the configuration bundle.

But what does this mean technically? Untar the App and overwrite the existing one? What to do with the system/local/* files?

How to upgrade Apps (Palo Alto) on a Heavy Forwarder Cluster setup?

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!