Upgrade Splunk ESCU on Search head cluster members

vikas_gopal
Builder

Hi Experts,

Someone has installed the ESCU app directly on the Search head members. Now I am upgrading this app to a newer release.

Question: Since this app was not installed from the deployer but I want to upgrade it via the deployer, what is the best practice and method to achieve this?

Here is my plan, please correct me if I am thinking wrong.

Step 1) First I will copy the installed folder from one of the SHC members to the deployer under /etc/app so that it installs itself on the deployer, and then I can manually upgrade it using the deployer GUI.

Step 2) Once upgraded, I will copy the upgraded app from the /etc/apps folder to the /etc/shcluster/apps folder.

Step 3) Run apply shcluster-bundle on the deployer to push the upgraded app to the SHC members.

Do you think the above is the right approach? If not, what else can I do?

0 Karma

gcusello
SplunkTrust

Hi @vikas_gopal,

only one detail:

to my knowledge, the only app that needs to be installed on the SHC-Deployer is Splunk Enterprise Security,

all the other apps (so also ESCU) don't need to be installed on the SHC-Deployer; you can just copy and untar them in the $SPLUNK_HOME/etc/shcluster folder and then push them to the SHC members.

In general, avoid installing an app directly on a SH member.

Ciao.

Giuseppe

0 Karma
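The copy-and-untar staging step discussed in this thread, as an added example that is not part of the original posts and is not Splunk's own tooling. It stages into the `etc/shcluster/apps` folder named in the question; the `/opt/splunk` default, the `BACKUP_DIR` variable and the one-top-level-directory tarball layout are assumptions.

```shell
#!/usr/bin/env bash
# Stage an app release on the SHC deployer (added example, not Splunk's own tooling).
# Assumptions: SPLUNK_HOME defaults to /opt/splunk; the tarball holds exactly one
# top-level app directory; BACKUP_DIR is a hypothetical location outside shcluster/apps.

app_version() {   # print the version value from <app_dir>/default/app.conf
  sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*//p' \
    "$1/default/app.conf" 2>/dev/null | head -n 1
}

stage_app() {     # usage: stage_app <tarball>; prints "<app> <old_version> <new_version>"
  tarball=$1
  shc="${SPLUNK_HOME:-/opt/splunk}/etc/shcluster"
  backup="${BACKUP_DIR:-/tmp}"
  [ -d "$shc/apps" ] || { echo "no $shc/apps: is this the deployer?" >&2; return 1; }

  # The app name is the single top-level directory inside the tarball.
  app=$(tar -tzf "$tarball" | cut -d/ -f1 | sort -u)
  if [ -z "$app" ] || [ "$app" = "." ] || [ "$(printf '%s\n' "$app" | wc -l)" -ne 1 ]; then
    echo "expected exactly one top-level app directory in $tarball" >&2; return 1
  fi

  old=$(app_version "$shc/apps/$app"); old=${old:-none}
  # Unpack next to (not inside) shcluster/apps so a half-extracted app is never pushed.
  tmp=$(mktemp -d "$shc/.stage.XXXXXX") || return 1
  tar -xzf "$tarball" -C "$tmp" || { rm -rf "$tmp"; return 1; }
  new=$(app_version "$tmp/$app")
  if [ -z "$new" ]; then
    echo "no version found in $app/default/app.conf" >&2; rm -rf "$tmp"; return 1
  fi

  # Swap the directory instead of untarring over it, so files dropped upstream do not linger.
  if [ -d "$shc/apps/$app" ]; then
    mv "$shc/apps/$app" "$backup/$app.$old.$$" || { rm -rf "$tmp"; return 1; }
  fi
  mv "$tmp/$app" "$shc/apps/$app" && rmdir "$tmp" || return 1
  echo "$app $old $new"
}

# After staging, push from the deployer (placeholders, not real values):
#   $SPLUNK_HOME/bin/splunk apply shcluster-bundle -target https://<member>:8089 -auth <user>:<password>
```

The previous copy is moved outside `shcluster/apps` on purpose: anything left in that folder would be pushed to the members as an app.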

tej57
Contributor

Hello @vikas_gopal,

Yes, the steps you have mentioned seem to be appropriate to continue managing the app from the SHC Deployer in future.

Thanks,
Tejas. 

0 Karma