config of splunk lost after upgrade to 5.0

dominiquevocat
SplunkTrust

I upgraded our preproduction Splunk from 4.3 to 5.0.

Alas, while all files are still there as far as I can tell, there seems not to have been any migration, as all configuration settings are lost.

How can I initiate a migration of the 4.3 stuff? (apps, inputs, LDAP configuration, roles, role mapping to LDAP groups, yadda yadda)

OK, some progress... I have now merged it with enough success for it to dump.

Update: after manually merging the /$splunkhome/splunk/etc I get this:
"
Last few lines of stderr (may contain info on assertion failure, but also could be old):
2012-10-30 16:44:03.553 +0100 Interrupt signal received
2012-10-30 16:47:07.343 +0100 splunkd started (build 140868)
terminate called after throwing an instance of 'PluginException'
what(): Indexer failed to start, will not continue.
2012-10-30 16:48:22.377 +0100 splunkd started (build 140868)
terminate called after throwing an instance of 'PluginException'
what(): Indexer failed to start, will not continue.
2012-10-30 16:49:30.096 +0100 splunkd started (build 140868)
terminate called after throwing an instance of 'PluginException'
what(): Indexer failed to start, will not continue.
2012-10-30 16:53:58.876 +0100 splunkd started (build 140868)
terminate called after throwing an instance of 'PluginException'
what(): Indexer failed to start, will not continue.
"

On the CLI I disabled the apps that caused warnings when starting the Splunk service, but it must be somewhere else... 😕

0 Karma
1 Solution

MHibbin
Influencer

Hi,

Assuming nothing has changed dramatically, which I doubt it has:

  • Make a back-up of the configuration file directory (i.e. $SPLUNK_HOME/etc)
  • Copy this etc directory to the new installation
  • Restart Splunk

Hope this helps

amrit
Splunk Employee

That's very strange. A few questions:

  • Which OS?
  • Which package type (.rpm, .tgz, etc)?
  • What were the exact upgrade steps you took (how uninstalled, how installed, etc.)?

The migration trigger is a file, named "ftr", that lives in the root of your Splunk installation. This file is present at install/upgrade time, and is deleted by a successful migration. However, if migration somehow managed to be skipped, usually your configuration would still be in good shape...

Also, take a look earlier in splunkd.log, before the PluginException messages that you pasted above. There should be WARN or ERROR messages from IndexProcessor indicating why it failed to come up.
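The two checks described in the post above, written out as a script. This is an added example, not part of the original thread and not Splunk's own tooling; the function names, the log location under var/log/splunk and the field layout of splunkd.log lines are assumptions, and the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example. Assumed layout: ftr in $SPLUNK_HOME, splunkd.log in
# $SPLUNK_HOME/var/log/splunk, lines shaped like
# "<date> <time> <tz> <LEVEL> <Component> - <message>".

# Prints "pending" while the ftr trigger file still exists (migration has
# not completed), otherwise "no-trigger" (it ran, or the file is missing).
migration_state() {
    if [ -e "$1/ftr" ]; then echo pending; else echo no-trigger; fi
}

# Prints the WARN/ERROR lines logged by IndexProcessor, oldest first.
indexer_problems() {
    log="$1/var/log/splunk/splunkd.log"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 1; }
    awk '($4 == "WARN" || $4 == "ERROR") && $5 == "IndexProcessor"' "$log"
}

# Builds a constructed fixture standing in for a real installation and
# prints its path.
make_fixture() {
    home=$(mktemp -d) || return 1
    mkdir -p "$home/var/log/splunk"
    : > "$home/ftr"
    cat > "$home/var/log/splunk/splunkd.log" <<'EOF'
10-30-2012 16:47:06.900 +0100 INFO IndexProcessor - constructed sample: initializing
10-30-2012 16:47:07.100 +0100 WARN SearchOperator - constructed sample: unrelated warning
10-30-2012 16:47:07.300 +0100 ERROR IndexProcessor - constructed sample: reason the indexer failed
EOF
    echo "$home"
}

home=$(make_fixture)
echo "migration: $(migration_state "$home")"
indexer_problems "$home"
rm -rf "$home"
```

On a real system, pass the actual installation root to both functions instead of the fixture path.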

dominiquevocat
SplunkTrust

Yep, I had two warns for extractions, in an app each, which I then disabled on the CLI. However, there was never an attempt to migrate, which explains a lot I guess. The upgrade info online seems to be woefully underspecific. It is, however, the first time I have had trouble updating (all the 4.x point releases were smooth sailing).

We use SLES 10 on x64 and I used the rpm to upgrade.
(2.6.32.59-0.3-default #1 SMP 2012-04-27 11:14:44 +0200 x86_64 x86_64 x86_64 GNU/Linux )

0 Karma

dominiquevocat
SplunkTrust

Um, did try - not so much luck yet. But thanks, maybe someone else has a step more at hand?

0 Karma