Help with upgrading Splunk from version 6.4.3 to 6.5.2 in Linux.

ashrafshareeb
Path Finder

Hi All,

We are planning to upgrade Splunk from 6.4.3 to 6.5.2 before we upgrade to 7.2 or 7.3.

I can see the installation uses the symbolic link to the Splunk version; in our case it's Splunk 6.4.3 linked to rel:

rel -> splunk-6.4.3

$SPLUNK_HOME is set to /app/splunk/rel. I believe I need to unlink the symbolic link before the upgrade and run the below command in /app and NOT in the /app/splunk folder. I'm just not sure about this. Hopefully someone can shed some light here, please.

tar -xzf splunk-6.5.2-67571ef4b87d-Linux-x86_64.tgz -C /app

Please do let me know if this approach would work. Any help is much appreciated.

vliggio
Communicator

The command you have will create /app/splunk. If that's your desired state, you'd be best off moving Splunk there first so you untar over the old files. You don't need to preserve the old version - it's best to just tar over the old files, and if you for some reason need to revert to the old version, just untar the old version on top.

I'd shut down splunk, do mv /app/splunk/splunk-6.4.3/* /app/splunk, and then clean up the old stuff with an rmdir /app/splunk/splunk-6.4.3 and rm /app/splunk/rel. Then do tar -zxf splunk-6.5.2-67571ef4b87d-Linux-x86_64.tgz -C /app, and you'll be all set (make sure to change the $SPLUNK_HOME variable in your splunk_launch.conf if it's hard-coded - usually you don't need to hard-code that since it's automatically the parent directory of the bin directory).

Splunk by default is installed in /opt/splunk if you use the RPM, so you might want to move things there (only because it may confuse people less when you ask questions on here).

After you've done your untar, run the splunk enable boot-start command, so it rewrites your /etc/init.d/splunk startup script, just in case that's hard-coded to the old /app/splunk/rel.

Any reason why you're going to 6.5.2 instead of 6.6.12? If you're going to migrate to 7, best to be at the latest 6 before you do. I recommend 7.2.7 over 7.3.0 (just because 7.3.0 is just released, and unless you need the latest features, it's best to wait for that first dot release).
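Added example (not part of the original thread and not Splunk tooling): a pre-flight check, assuming GNU tar and readlink -f, that reads the tarball's top-level directory and compares where tar -C would write against where $SPLUNK_HOME actually resolves. The function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight check before untarring a Splunk upgrade over an existing install.
# Assumptions (not from the thread): GNU tar and readlink -f are available.

# List the unique top-level entries inside a gzip'd tarball.
tar_top_dirs() {
    tar -tzf "$1" |
        awk -F/ '{ sub(/^\.\//, ""); if ($1 != "") print $1 }' |
        sort -u
}

# Print the directory that "tar -xzf TARBALL -C DEST" would populate.
# Fails (status 2) unless the archive has exactly one top-level entry.
predict_install_dir() {
    tops=$(tar_top_dirs "$1") || return 2
    [ -n "$tops" ] && [ "$(printf '%s\n' "$tops" | wc -l)" -eq 1 ] || {
        echo "unexpected archive layout: $tops" >&2
        return 2
    }
    readlink -f "$2/$tops"
}

# Compare the predicted extraction directory with the resolved SPLUNK_HOME.
# Returns 0 when tar would land on top of the running install, 1 otherwise.
check_upgrade_target() {
    target=$(predict_install_dir "$1" "$2") || return 2
    current=$(readlink -f "$3") || return 2
    if [ "$target" = "$current" ]; then
        echo "OK: tar -C $2 extracts over $current"
    else
        echo "MISMATCH: tar -C $2 writes to $target," \
             "but SPLUNK_HOME resolves to $current"
        return 1
    fi
}

# Usage with the values from this thread (run while Splunk is stopped):
#   check_upgrade_target splunk-6.5.2-67571ef4b87d-Linux-x86_64.tgz \
#       /app /app/splunk/rel
```

A MISMATCH result means the extract would create a second, separate tree instead of upgrading the existing one, which is the situation the mv/rmdir/rm steps above are meant to resolve first.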

ashrafshareeb
Path Finder

Thanks a lot, @vliggio.

sloshburch
Splunk Employee

Great answer. I want to emphasize the point about upgrading to 6.6, not 6.5 so you're better suited for getting to 7.x. Also the point about the rpm or the tgz being flexible as to where they install. Tar uses the -C parameter and rpm uses the --prefix= parameter.
