Solved: Re: Upgrading the universal forwarder from 32bit t...

mihelic · ‎05-13-2013

Hi!

We have upgraded the central loghost from 32 to 64bit (RPM based). The universal forwarder was just copied from the old onto the new server and is still the 32bit version. We would like to upgrade the UFW to the 64bit version.

Installing a fresh version from scratch would result in resending the already sent files thus duplicating them on the indexer.

Do we just overwrite the 32bit install with a 64bit RPM and that's that?

Regards,
Mitja

yannK · ‎05-13-2013

You just want the same configuration,

1 - backup the $SPLUNK_HOME/etc/ folder
2 - remove the old
3 - install the new one (same version)
4 - copy back the etc folder to replace
5 - start splunk

Beware : but the fishbucket index that contains the list of the files already monitored will be reset and the forwarder may reindexed some files. To avoid that you can move the files you do not want out of the monitored folders (or rotate them if you blacklisted the rotated versions)

View solution in original post

mihelic · ‎05-15-2013

Thanks to yannK for the advice on how to procced and kristian.kolb for the additional links to the docs.

First I had a go at it on a test version with only one logfile.

I followed yannK's advice, but I also left the $SPLUNK_HOME/var folder in place along with $SPLUNK_HOME/etc.

Here's what I did in the end:

1 - backup the $SPLUNK_HOME/etc/ folder
2 - backup the $SPLUNK_HOME/var/ folder
3 - remove the old 32bit installation
4 - install the new one (same version but 64bit)
5 - copy back the etc folder to replace
6 - copy back the var folder to replace
7 - start splunk

Then I used the same procedure on our production environment.
As far I can see, there are no problems or errors. And no duplicates on the indexer that I can find.

I would conclude that the databases from the 32bit version seem work on the 64bit version. The universal forwarder neatly reports that it started reading files at their respective offsets upon its startup.

aafogles · ‎05-22-2014

Looks like to some extent, different releases don't have an issue with this procedure. I've done this while upgrading from 5.0.2 to 5.0.4 (32bit only) for .tgz based installation without any noticeable issue.

yannK · ‎05-13-2013

You just want the same configuration,

1 - backup the $SPLUNK_HOME/etc/ folder
2 - remove the old
3 - install the new one (same version)
4 - copy back the etc folder to replace
5 - start splunk

Beware : but the fishbucket index that contains the list of the files already monitored will be reset and the forwarder may reindexed some files. To avoid that you can move the files you do not want out of the monitored folders (or rotate them if you blacklisted the rotated versions)

yannK · ‎05-14-2013

I never tried to see if a 32bit fishbucket can be kept witha 64bit splunk. I suppose it can work.

mihelic · ‎05-14-2013

I was really hoping to to keep the fishbucket so the files would not get reindexed. If there's a way of saving it, I'd be very much interested in it.

kristian_kolb · ‎05-13-2013

so the fishbucket will differ between 32 and 64 bit systems?

kristian_kolb · ‎05-13-2013

Haven't really done that, but the docs don't say it shouldn't be done. See the second link especially.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Upgradethenixuniversalforwarder
http://wiki.splunk.com/Deploy:Migrating_a_Splunk_Install

/k

Upgrading the universal forwarder from 32bit to 64bit

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?