Installation

Upgrading a Splunk Heavy Forwarder

KayBeesKnees83
Path Finder

Greetings,

I am in the preliminary stages of upgrading my Splunk Heavy Forwarder (HF), however, I wanted to confirm which file to install. I know that the HF requires a Splunk Enterprise License opposed to the Universal Forwarder (UF) that doesn't require a Splunk Enterprise License. Therefore, when it comes to installing and upgrading a Heavy Forwarder, do I install the Splunk Forwarder License, the Splunk Enterprise License, or both? 

Thank you in advance for your time.

-KB 

Labels (2)
Tags (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

as you are updating splunk, there is no need to add any license, just use your current configuration. In distributed environments I prefer to use the same LM as for other nodes. 
r. Ismo

0 Karma

KayBeesKnees83
Path Finder

Thank you for your reply. My apologies for the inconvenience and confusion. I was referring to the file of Splunk that you download from the landing page. When you install Splunk on Linux  you have an option to download Splunk Enterprise or Splunk Forwarder file (tgz, deb, or rpm). I was wondering which file an Administrator would use (Splunk Enterprise File or the Splunk Forwarder file) to upgrade your Heavy Forwarder to the latest version of Splunk. I know the Splunk forwarder file is used for installation of an Universal Forwarder (UF) and I wanted to know if that is applicable for the HF as well or just the Splunk Enterprise file. Sorry for the confusion with using the term “License”.

isoutamo
SplunkTrust
SplunkTrust

You should use that version which you are normally using. That means rpm for red hat based, dep for Debian based or tgz for all Linux, if you are not preferring the use of package manager. 

If you needs some additional data management on client side then you need HF (full enterprise). That means using e.g. transforms.conf or python are needed. As I earlier said, I prefer to use same license manager for those than to another nodes. To define that it’s a HF, just configure that it forward everything to indexers.

In all other cases you should install UF to source systems.

r. Ismo

inventsekar
SplunkTrust
SplunkTrust

Hi @KayBeesKnees83 .. 

on the downloads page:

https://www.splunk.com/en_us/download/splunk-enterprise.html

you have options to choose Windows OR Linux OR Mac OS:

Under Linux tab, we have .rpm / .deb / .tgz

The Installation Procedure:

  1. Expand the tar file into an appropriate directory using the tar command:
    tar xvzf splunk_package_name.tgz

    The default installation directory is splunk in the current working directory. To install into /opt/splunk, use the following command:

    tar xvzf splunk_package_name.tgz -C /opt

https://docs.splunk.com/Documentation/Splunk/8.2.4/Installation/InstallonLinux

 

once you installed the HF, then, you can install 

- Enterprise Trial License (testing it before buying)

- Enterprise License (once you bought you will get this license)

- Free License (for test/dev/lab setups, free license)

Hope you got some good understanding now, thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

SinghK
Builder

It will be splunk enterprise. And you have the option to use forwarder license on a heavy forwarder. When you click on licensing you will see that option and hence you don't need to connect hf to a lm.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...