Splunk Enterprise Security

How to upgrade add-ons on Indexers and Forwarders after Splunk ES upgrade?

damode
Motivator

After upgrading the ES search head, what is the recommended way to upgrade add-ons on Indexers and forwarders?

Based on the docs and current Splunk environment, it seems the ideal option is to use the Create and set up automatic deployment of the Splunk_TA_ForIndexers method; however, the doc says: "Before you deploy Splunk_TA_ForIndexers, make sure that existing add-ons installed on indexers are not included in the Splunk_TA_ForIndexers package. Deploying the same add-on twice might lead to configuration conflicts, especially if the add-ons are different versions."

I don't get this part. If I am using the Splunk_TA_ForIndexers to upgrade add-ons on Indexers, obviously the add-ons are going to be different versions.

Can someone please advise what I am missing here?

0 Karma

harsmarvania57
Ultra Champion

Hi,

Splunk_TA_ForIndexers contains the indexer-related props.conf and transforms.conf settings from the apps/add-ons installed on the ES search head.

For example: if you are running Splunk_TA_windows version 5 on the indexer and the ES search head is running Splunk_TA_windows version 6, then Splunk_TA_ForIndexers contains the indexer-related settings in props.conf and transforms.conf for Windows add-on version 6. When you install Splunk_TA_ForIndexers on the indexer, the same configuration conflicts, and which config takes effect depends on precedence order, so your data may not parse properly on the indexers.

0 Karma
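One way to check for the overlap described in the answer above before deploying Splunk_TA_ForIndexers, as an added example that is not part of the original thread or of Splunk's tooling: it compares two props.conf or transforms.conf texts and lists every setting defined in both. The sourcetype names, transform name and sample file contents are constructed, and the parser is an assumption that handles only comments, stanzas, `key = value` lines and backslash continuations.

```python
# Added example: compares two Splunk .conf texts and reports overlapping settings.
SAMPLE_FOR_INDEXERS = """\
# constructed sample: props.conf as packaged in Splunk_TA_ForIndexers
[example:eventlog]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TRANSFORMS-route = example_route_v6
[example:perf]
SHOULD_LINEMERGE = false
"""

SAMPLE_INSTALLED = """\
# constructed sample: props.conf from an older add-on already on the indexer
[example:eventlog]
TIME_FORMAT = %m/%d/%Y %H:%M:%S
TRANSFORMS-route = example_route_v6
TRUNCATE = 10000
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {setting: value}}."""
    stanzas, current, pending = {}, "default", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # trailing backslash continues the value
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def find_overlaps(packaged, installed):
    """Return (stanza, setting, packaged_value, installed_value, differs) tuples."""
    overlaps = []
    for stanza in sorted(packaged.keys() & installed.keys()):
        for key in sorted(packaged[stanza].keys() & installed[stanza].keys()):
            a, b = packaged[stanza][key], installed[stanza][key]
            overlaps.append((stanza, key, a, b, a != b))
    return overlaps

if __name__ == "__main__":
    for row in find_overlaps(parse_conf(SAMPLE_FOR_INDEXERS), parse_conf(SAMPLE_INSTALLED)):
        print("CONFLICT" if row[4] else "duplicate", *row[:4], sep=" | ")
```

On a real indexer, `splunk btool props list --debug` shows which file each effective setting is read from, which confirms which side of a reported overlap wins.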

damode
Motivator

So clearly it seems the Splunk_TA_ForIndexers add-on should not be used for upgrading add-ons on Indexers and Forwarders.

Should Splunk_TA_ForIndexers only be used for fresh installation on Indexers and NOT for upgrades?

The only and best way is to manually download corresponding versions of add-ons from Splunkbase and install them on Indexers and Forwarders?

0 Karma

harsmarvania57
Ultra Champion

Splunk_TA_ForIndexers contains indexes.conf as well. If you do not want to use Splunk_TA_ForIndexers on the indexers, then you need to maintain all ES indexes in your dedicated app on the indexers and maintain/upgrade the rest of the add-ons on the indexers based on your requirements.

My preference is: if you are installing add-ons separately on the indexers and you do not want to upgrade an add-on on the indexers, then do not upgrade the same add-on on the ES SH. Also, my advice is: do not install add-ons separately on the indexers, and use Splunk_TA_ForIndexers on the indexers (only install add-ons on the indexers which are not installed on the ES SH).

0 Karma

damode
Motivator

Sorry, but I don't think you have read my question clearly.

I want to use Splunk_TA_ForIndexers to upgrade add-ons on indexers; however, the doc says: "Before you deploy Splunk_TA_ForIndexers, make sure that existing add-ons installed on indexers are not included in the Splunk_TA_ForIndexers package. Deploying the same add-on twice might lead to configuration conflicts, especially if the add-ons are different versions."

I don't get this part. If I am using the Splunk_TA_ForIndexers to upgrade add-ons on Indexers, obviously the add-ons are going to be different versions.

0 Karma

harsmarvania57
Ultra Champion

I understood your question correctly. Can you please let us know why a different version of the add-on will be there on the indexers? If you are using Splunk_TA_ForIndexers, then you do not need to install the add-ons (which are included in Splunk_TA_ForIndexers) separately on the indexers.

0 Karma