Hi All,
We are planning to upgrade Splunk from 6.4.3 to 6.5.2 before we upgrade to 7.2 or 7.3.
I can see the installation uses the symbolic link to the Splunk version, in our case it's Splunk 6.4.3 linked to rel
rel -> splunk-6.4.3
$SPLUNK_HOME is set to /app/splunk/rel, I believe I need to unlink the symbolic link before the upgrade and run the below command in /app and NOT in /app/splunk folder. Just not sure about this. Hopefully someone can shed some light here, please.
tar -xzf splunk-6.5.2-67571ef4b87d-Linux-x86_64.tgz -C /app
Please do let me know if this approach would work. Any help is much appreciated.
The command you have will create /app/splunk. If that's your desired state, you'd be best off moving Splunk there first so you untar over the old files. You don't need to preserve the old version - it's best to just tar over the old files, and if you for some reason need to revert to the old version, just untar the old version on top.
I'd shut down splunk, do mv /app/splunk/splunk-6.4.3/* /app/splunk
, and then clean up the old stuff with an rmdir /app/splunk/splunk-6.4.3
and rm /app/splunk/rel
. Then do tar -zxf splunk-6.5.2-67571ef4b87d-Linux-x86_64.tgz -C /app
, and you'll be all set (make sure to change the $SPLUNK_HOME variable in your splunk_launch.conf if it's hard-coded - usually you don't need to hard-code that since it's automatically the parent directory of the bin directory).
Splunk by default is installed in /opt/splunk if you use the RPM, so you might want to move things there (only because it may confuse people less when you ask questions on here).
After you've done your untar, run the splunk enable boot-start command, so it rewrites your /etc/init.d/splunk startup script, just in case that's hard-coded to the old /app/splunk/rel
Any reason why you're going to 6.5.2 instead of 6.6.12? If you're going to migrate to 7, best to be at the latest 6 before you do. I recommend 7.2.7 over 7.3.0 (just because 7.3.0 is just released, and unless you need the latest features, it's best to wait for that first dot release).
The command you have will create /app/splunk. If that's your desired state, you'd be best off moving Splunk there first so you untar over the old files. You don't need to preserve the old version - it's best to just tar over the old files, and if you for some reason need to revert to the old version, just untar the old version on top.
I'd shut down splunk, do mv /app/splunk/splunk-6.4.3/* /app/splunk
, and then clean up the old stuff with an rmdir /app/splunk/splunk-6.4.3
and rm /app/splunk/rel
. Then do tar -zxf splunk-6.5.2-67571ef4b87d-Linux-x86_64.tgz -C /app
, and you'll be all set (make sure to change the $SPLUNK_HOME variable in your splunk_launch.conf if it's hard-coded - usually you don't need to hard-code that since it's automatically the parent directory of the bin directory).
Splunk by default is installed in /opt/splunk if you use the RPM, so you might want to move things there (only because it may confuse people less when you ask questions on here).
After you've done your untar, run the splunk enable boot-start command, so it rewrites your /etc/init.d/splunk startup script, just in case that's hard-coded to the old /app/splunk/rel
Any reason why you're going to 6.5.2 instead of 6.6.12? If you're going to migrate to 7, best to be at the latest 6 before you do. I recommend 7.2.7 over 7.3.0 (just because 7.3.0 is just released, and unless you need the latest features, it's best to wait for that first dot release).
thanks a lot @vliggio
Great answer. I want to emphasize the point about upgrading to 6.6, not 6.5 so you're better suited for getting to 7.x. Also the point about the rpm or the tgz being flexible as to where they install. Tar uses the -C
parameter and rpm uses the --prefix=
parameter.