Splunk Upgradation tar/rpm

PramodhKumar
Explorer

Hi Folks,

We are planning to upgrade our Splunk 7.2.4 to 8.0.3.

7.2.4 was installed using the rpm package.

We are thinking of upgrading using the tarball.

Since the earlier version was installed using rpm, the OS still lists the old package for this command: "rpm -qa | grep splunk"

Does this really matter, and can I just remove that package with rpm -e after upgradation?

Or should I go with rpm upgradation only?

Could you please explain what's the difference between rpm and tar...

Any help is highly appreciated..

Thanks,
Pramodh


PavelP
Motivator

Hello @PramodhKumar

to delete an entry in the rpm database without deleting the rpm package you can use

  rpm -e --justdb splunk

Difference between tgz and rpm: tgz is a tar archive, it is like a ZIP archive that additionally can preserve Linux permissions and store special file types like links.

We are thinking of upgrading using the tarball - what are your reasons to switch from rpm to tgz?

OS still lists the old package for this command "rpm -qa | grep splunk" - since you changed files outside of the rpm DB, from the rpm database's point of view your Splunk installation is inconsistent with the reference information.

Can I just remove that package with rpm -e after upgradation? - don't do this (unless you have a backup), it will remove 99% of the files in the /opt/splunk folder.

Or should I go with rpm upgradation only? - yes please, unless you have good reasons to switch to tgz.

I can imagine a tgz over rpm will work if you know what you are doing.

Technically a tgz file contains the same files as rpm, but rpm does some extra work for you during the install/upgrade/uninstall:

  • checks prerequisites
  • adds user and group splunk
  • detects if it is an install and gracefully stops running splunk
  • etc.

Advantages of rpm/deb packages :

  • easy to install/deinstall
  • correct permissions (forget about chown/chmod -R)
  • easy to upgrade/downgrade
  • easy to verify that the package was installed correctly
  • easy to check which files were changed (rpm -V packagename)
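
To make the "inconsistent with the reference information" point concrete, here is an added example (not part of PavelP's post) that sorts `rpm -V` output into categories, so edited config files can be told apart from replaced binaries, ownership changes and missing files. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `rpm -V` findings read from stdin.
# Each rpm -V line is either 9 flag characters (order SM5DLUGTP, "." means
# the test passed) or the word "missing", then an optional attribute marker
# (c = config file), then the path.
classify_rpm_verify() {
    awk '
    {
        flags = $1
        rest = $0
        sub(/^[^ ]+ +/, "", rest)            # drop the flag field, keep the path intact
        marker = ""
        if (rest ~ /^[cdglr] \//) {          # attribute marker before the path
            marker = substr(rest, 1, 1)
            rest = substr(rest, 3)
        }
        if (flags == "missing") { print "MISSING\t" rest; next }
        if (marker == "c")      { print "CONFIG\t" rest; next }   # edited config
        if (substr(flags, 3, 1) == "5")                            # digest differs
            print "CONTENT\t" rest
        if (substr(flags, 2, 1) == "M" || substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G")
            print "OWNER_MODE\t" rest                              # mode/user/group differs
    }'
}

# Constructed sample of what `rpm -V splunk` could print after files were
# changed outside of rpm (paths are illustrative, not captured from a real host).
sample_rpm_verify() {
    cat <<'EOF'
S.5....T.    /opt/splunk/bin/splunkd
S.5....T.    /opt/splunk/lib/example lib.so
S.5....T.  c /opt/splunk/etc/example.conf
.....UG..    /opt/splunk/bin/splunk
missing     /opt/splunk/share/example-removed.txt
EOF
}

# On a real host: rpm -V splunk | classify_rpm_verify
```

CONTENT lines on non-config files are the ones to look at first: they are either the result of a tarball overlay or of an unexpected modification.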


koshyk
Super Champion

Just to add to PavelP's answer, in large organisations/installations RPM has many more advantages:

- Some organisations want strict control over installed software, and installs should be done via RPM so they are automatically registered

- Puppet/orchestration software very much likes standard installations, where it can check the previously installed version, the new version, etc.

- tar.gz will NOT remove remnants of previous versions. This means that over multiple iterations of upgrades you will be left with unnecessary files, so a clean-up activity may be required after the upgrade

- A lot of software gets information from the RPM database: a central database with all installed packages, which files they own, and their interdependencies. So querying tools/CMDBs/scanners can easily get this information in a detailed way

Of course, the main disadvantage of RPM is that you need "root" access (or a Linux admin person) during installation/upgrade

JyPl4wNYu7GV1uL
Explorer

Anybody got opinions on the opposite situation?

I've always upgraded Splunk using a tarball and extracted it over the top of the prior /opt/splunk installation: ~6 upgrades.

Now I'd like to switch to RPM, for all the stated advantages. Any issues I need to worry about by installing the RPM over a prior tarball install?

 


PickleRick
SplunkTrust

1. This is quite an old thread. You'd be better off starting a new one (possibly putting a link to this one for reference).

2. Generally speaking, as a good practice:

- Don't mix management with a package manager with manually dropping in files. It can end badly.

- If you have a package for your system, it's often (although not always; there are sometimes very badly built packages) a better solution

I'm not sure about Splunk but depending on how/where you installed your software before, the RPM might not fit exactly that layout.

So while you can try to install RPM package over a tarball-based /opt/splunk, I think I'd try to go for backup/remove/install/restore.

Oh, and don't try to mess with your production server without testing it in a dev environment.

PramodhKumar
Explorer

Hi @PavelP

Thank you so much for picking this up...

Here is some info

what are your reasons to switch from rpm to tgz? - we are more familiar with tar, and the upgradation was successful in the test environment.
But rpm -qa is listing the old package (you clarified that above), and there is no other particular reason.

OK, I understand the difference now. Can you please advise on the points below?

  1. Since we have successfully upgraded using tar, are we good to do the same in prod? If yes,
  2. How do we delete that rpm package from the rpm DB?
  3. And does this affect the boot-start init script? Suppose the OS restarts, things may seem inconsistent after reboot.
  4. Or should we downgrade Splunk and upgrade it again in test using rpm, and if everything goes fine, proceed to prod with rpm?

PavelP
Motivator

Hello @PramodhKumar

you can use

  rpm -e --justdb splunk

I've updated the answer, please accept it if it resolves your query