Installation

Splunk Upgradtation tar/rpm

PramodhKumar
Explorer

Hi Folks,

We are planned to upgrade our Splunk 7.2.4 to 8.0.3.

7.2.4 was installed using rpm package.

We are thinking to upgrade using tarball.

Since earlier version is installed using rpm, OS still lists old package for this command "rpm -qa | grep splunk"

Does this really matters and can i just remove that package by rpm -e after up gradation?

Or should I go with rpm up gradation only?

Could you please explain whats the difference between rpm and tar...

Any help is highly appreciated..

Thanks,
Pramodh

Labels (1)
0 Karma
1 Solution

PavelP
Motivator

Hello @PramodhKumar

to delete an entry in the rpm database without deleting the rpm package you can use

  rpm -e --justdb splunk

Difference between tgz and rpm: tgz is a tar archive, it is like a ZIP archive that additionally can preserve linux permissions and store special file types like links.

We are thinking to upgrade using tarball - what are your reasons to switch from rpm to tgz?

OS still lists old package for this command "rpm -qa | grep splunk" - since you changed files outside of rpm DB, from the rpm's database point of view your splunk installation is inconsistent with a reference information.

can i just remove that package by rpm -e after up gradation? - don't do this (unless you have a backup), it will remove 99% of files in /opt/splunk folder

Or should I go with rpm up gradation only? - yes please, unless you have good reasons to switch to tgz.

I can imagine a tgz over rpm will work if you know what you are doing.

Technically a tgz file contains the same files as rpm, but rpm does some extra work for you during the install/upgrade/uninstall:

  • checks prerequisites
  • adds user and group splunk
  • detects if it is an install and gratefully stops running splunk
  • etc.

Advantages of rpm/deb packages :

  • easy to install/deinstall
  • correct permissions (forget about chown/chmod -R)
  • easy to upgrade/downgrade
  • easy to verify that the package was installed correctly
  • easy to check which files were changed (rpm -V packagename)

View solution in original post

0 Karma

koshyk
Super Champion

Just to add to PavelP's answer, in large organisations/installations RPM have much more advantages

- Some organisations want strict control on softwares installed and should be done via RPM to be automatically registered

- puppet/orchestration softwares much like standard installations where they can check previous version install and new version etc.

- tar.gz will NOT remove previous versions remnants. This means over multiple iterations of upgrade you will be left with un-necessary files. So may be a clean-up activity required after upgrade

- Lot of softwares get information from RPM database. a central database with all packages installed, which files they own, their interdependencies. So querying tools/cmdb/scanners can easily get this information in detailed way

 

Of course, the main disadvantage of RPM is you "root" access (or need Linux admin person) during installation/upgrade

PavelP
Motivator

Hello @PramodhKumar

to delete an entry in the rpm database without deleting the rpm package you can use

  rpm -e --justdb splunk

Difference between tgz and rpm: tgz is a tar archive, it is like a ZIP archive that additionally can preserve linux permissions and store special file types like links.

We are thinking to upgrade using tarball - what are your reasons to switch from rpm to tgz?

OS still lists old package for this command "rpm -qa | grep splunk" - since you changed files outside of rpm DB, from the rpm's database point of view your splunk installation is inconsistent with a reference information.

can i just remove that package by rpm -e after up gradation? - don't do this (unless you have a backup), it will remove 99% of files in /opt/splunk folder

Or should I go with rpm up gradation only? - yes please, unless you have good reasons to switch to tgz.

I can imagine a tgz over rpm will work if you know what you are doing.

Technically a tgz file contains the same files as rpm, but rpm does some extra work for you during the install/upgrade/uninstall:

  • checks prerequisites
  • adds user and group splunk
  • detects if it is an install and gratefully stops running splunk
  • etc.

Advantages of rpm/deb packages :

  • easy to install/deinstall
  • correct permissions (forget about chown/chmod -R)
  • easy to upgrade/downgrade
  • easy to verify that the package was installed correctly
  • easy to check which files were changed (rpm -V packagename)
0 Karma

JyPl4wNYu7GV1uL
Engager

Anybody got opinions on the opposite situation?

I've always upgraded splunk using a tarball and extracted over top the prior /opt/splunk installation: ~6 upgrades.

Now I'd like to switch to RPM, for all the stated advantages.  Any issues I need to worry about by installing the RPM over a prior tarball install?

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

1. This is a quite old thread. You'd be better off by starting a new one (possibly putting link to this one for reference).

2. Generally speaking, as a good practice:

 - don't mix management with package manager with manually dropping in files. It can end badly.

- If you have a package for your system it's often (although not always; there are sometimes very badly built packages) a better solution

I'm not sure about Splunk but depending on how/where you installed your software before, the RPM might not fit exactly that layout.

So while you can try to install RPM package over a tarball-based /opt/splunk, I think I'd try to go for backup/remove/install/restore.

Oh, and don't try to mess with your production server without testing it in dev environment.

0 Karma

PramodhKumar
Explorer

Hi @PavelP

Thank you so much for picking this up...

Here is some info

what are your reasons to switch from rpm to tgz? - we are more familiar with tar and up gradation was successful in test environment.
But, rpm -qa is listing old(you clarified that above) and no other particular reason apart.

OK, I understand the difference now. Can you please suggest on below.

  1. Since we have successfully upgraded using tar, are we good to go same at prod? If Yes,
  2. How to delete that rpm package from rpm DB.
  3. And does this affect bootstart init script, suppose OS restarts and things may seem to be inconsistent after reboot.

  4. Or let downgrade Splunk and upgrade it again in test using rpm, if everything goes fine then proceed to prod with rpm?

0 Karma

PavelP
Motivator

Hello @PramodhKumar

you can use

  rpm -e --justdb splunk

I've updated the answer, please accept it if it resolve your query

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...