
How to upgrade Apps (Palo Alto) on a Heavy Forwarder Cluster setup?

Path Finder

Hello community,

I just took over a cluster (which is not in full production mode yet) and I want to update all settings / apps before going live.
The Palo Alto App, for example, is on 4.x; 5.x is already available.

The cluster consists of Heavy Forwarders, Indexer Cluster and Search Heads (incl. Cluster Master and Management Server).
I cannot find any documentation that tells me how to upgrade apps on such a setup.

So how to start, and in which order?
1. Create a new deployment app (deployment server) for the HF
2. Create a new shccluster app for the Search Heads
3. Create a new master app for the indexer cluster?

But what about the already installed Palo Alto App 4.x and the configuration files (local/transforms.conf...)?
Do I need to uninstall the App first? Migrate the conf files by hand? Or is Splunk aware of the upgrade?

Thanks for your help.

0 Karma

Re: How to upgrade Apps (Palo Alto) on a Heavy Forwarder Cluster setup?

Path Finder

Looks like the documentation: http://docs.splunk.com/Documentation/Splunk/6.4.1/DistSearch/PropagateSHCconfigurationchanges points in some direction: To update an app on the cluster members, put the updated version in the configuration bundle.

But what does this mean technically? Untar the App and overwrite the existing one? What to do with the system/local/* files?

0 Karma

Re: How to upgrade Apps (Palo Alto) on a Heavy Forwarder Cluster setup?

Path Finder

Resolved:

Simply extract the new App into the existing app directory and overwrite all files (some backup would be helpful); local/ should be untouched. Follow the upgrade instructions from the app itself.

0 Karma
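Added example, not part of the original thread and not Splunk's or the app vendor's own tooling: a shell sketch of the in-place upgrade described in the resolved answer, which takes the backup first, refuses a package that ships `local/` files, and confirms after extraction that `local/` is byte-for-byte unchanged. It assumes the package is a gzip tarball whose top-level directory is the app name; `SampleApp`, the function names and the backup file name are hypothetical.

```shell
#!/usr/bin/env bash
# Assumption: package is a .tgz with <app_name>/ as its top-level directory.

# Checksum every file under <app>/local so before/after states can be compared.
local_digest() {
    if [ -d "$1/local" ]; then
        (cd "$1/local" && find . -type f -exec cksum {} + | sort -k3)
    fi
}

# upgrade_app <package.tgz> <apps_dir> <app_name>
# Prints the backup path. Returns 2 if the package ships local/ files,
# 3 if local/ differs after extraction, 1 on tar errors.
upgrade_app() {
    pkg=$1; apps=$2; app=$3
    # A package carrying local/ entries would overwrite site configuration.
    if tar -tzf "$pkg" | grep -Eq "^(\./)?$app/local/."; then
        echo "package contains $app/local/ entries, refusing" >&2
        return 2
    fi
    # Back up the installed version next to (not inside) the apps directory.
    backup="${apps%/}.backup-$app-$(date +%Y%m%d%H%M%S).tgz"
    tar -czf "$backup" -C "$apps" "$app" || return 1
    before=$(local_digest "$apps/$app")
    # Extract over the existing directory; shipped files are overwritten.
    tar -xzf "$pkg" -C "$apps" || return 1
    after=$(local_digest "$apps/$app")
    if [ "$before" != "$after" ]; then
        echo "local/ changed, restore from $backup" >&2
        return 3
    fi
    echo "$backup"
}

# Constructed demo: fake 4.x install with a local/ override, fake 5.x package.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/apps/SampleApp/default" "$t/apps/SampleApp/local" "$t/new/SampleApp/default"
    echo "version = 4.0" > "$t/apps/SampleApp/default/app.conf"
    echo "[my_override]" > "$t/apps/SampleApp/local/transforms.conf"
    echo "version = 5.0" > "$t/new/SampleApp/default/app.conf"
    tar -czf "$t/pkg.tgz" -C "$t/new" SampleApp
    upgrade_app "$t/pkg.tgz" "$t/apps" SampleApp >/dev/null &&
        grep -q "5.0" "$t/apps/SampleApp/default/app.conf" &&
        grep -q "my_override" "$t/apps/SampleApp/local/transforms.conf"
    rc=$?; rm -rf "$t"; return $rc
}
```

Point `apps_dir` at whichever directory holds the app copy that gets distributed to the tier being upgraded.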