I have a small full instance of Splunk used for testing. It's installed on RHEL 7 via tarball.
I've followed the directions on the Splunk site about stopping Splunk services and then installing over top of the existing installation (tar -xzf -C /opt/splunk) then starting Splunk services. The directions indicate you should be prompted as Splunk recognizes there's an install already and that it will attempt to upgrade your instance.
When I start Splunk it never prompts me to upgrade, furthermore it starts Splunk normally. I log into the web GUI and see 7.2.2 still. I looked in ~/etc/system/default and noticed none of the files were touched.
I tried both 7.2.6 and 7.2.5 tarballs, and got the same result. I completely uninstalled my 7.2.2 and reinstalled it, then tried to upgrade it again to no avail.
Am I missing a step?
With your command of tar -xzf -C /opt/splunk , can you confirm that the directory;
/opt/splunk/splunk does not exist?
Just to confirm that you are actually overwriting the files in /opt/splunk/bin et cetera.
Normally I've seen the -C option to tar been:
tar -xzf splunkinstallation.tar.gz -C /opt
Yes this worked. I must've underestimated the splunk overwriting capability. The '-C /opt' instead of '-C /opt/splunk' worked flawlessly for me.
For education, I want to highlight that this was more about how the
tar command works than Splunk. Some installers (like
.rpm) will detect and overwrite. The
tar command simply unpacks the compressed package (like a
.zip file) and that's why it's imperative to do that unpacking such that the files overwrite the existing installation. If not, then you'll simply be creating a new Splunk install at another folder.