Getting Data In

Why did upgrading my Universal Forwarder result in a license violation?

arkonner
Path Finder

I am monitoring the directory where IIS logs are stored. The universal forwarder is sending the information on a dedicated index.

To upgrade the universal forwarder, I saved the customization files then I uninstalled the previous version. Then I installed the latest version copying the customization.

As result the universal forwarder re-indexed all files in the logs directory introducing a license violation.

Is it possible to avoid this behaviour saving the previous status of the indexed logs?

0 Karma
1 Solution

skoelpin
SplunkTrust
SplunkTrust

You should not have uninstalled the forwarder, you install the new version over the existing forwarder.. When you wiped out the existing forwarder, you cleared the fishbucket which tells Splunk that the data has already been indexed

http://docs.splunk.com/Documentation/Forwarder/6.5.1/Forwarder/Upgradethenixuniversalforwarder

Here's a good blog describing what the fishbucket is and how wiping it out will cause you to reindex the logs
http://blogs.splunk.com/2008/08/14/what-is-this-fishbucket-thing/

View solution in original post

skoelpin
SplunkTrust
SplunkTrust

You should not have uninstalled the forwarder, you install the new version over the existing forwarder.. When you wiped out the existing forwarder, you cleared the fishbucket which tells Splunk that the data has already been indexed

http://docs.splunk.com/Documentation/Forwarder/6.5.1/Forwarder/Upgradethenixuniversalforwarder

Here's a good blog describing what the fishbucket is and how wiping it out will cause you to reindex the logs
http://blogs.splunk.com/2008/08/14/what-is-this-fishbucket-thing/

arkonner
Path Finder

I uninstalled the universal forwarder due to a security policy that blocks files modification by a user or program running without admin rights - However, I was not aware about it - thank you for your reply.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Can you accept the answer and close out the question?

0 Karma

ddrillic
Ultra Champion

Be aware also of the ignoreOlderThan parameter at Edit inputs.conf

-- Causes the monitored input to stop checking files for updates if their modification time (modtime) has passed the threshold

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...