During Splunk upgrade (5.0.5 to 6.2.5) of our indexers, search head, deployment server we have noticed that all the deployment apps get refreshed in all the deployment clients and a lot of the universal forwarders do not restart and we have to manually restart it. Note: We are not upgrading the universal forwarders. Is there a way to prevent this from happening. During the upgrade, i don't think any change should happen to the serverclass and/or the deployment apps for the clients to get refreshed.
I believe the serverclasses are refreshed when the deployment server is restarted. One way you could avoid the agent restart is to check in your serverclass.conf and remove/comment out any instances of
restartSplunkd = true.
My guess would be that version upgrade on Deployment Servers is causing the bundle checksum (a handler deployment clients use to check if there is updated apps are available in deployment server) to get changed and all deployment clients are downloading apps with updated checksum.