Splunk Enterprise Security

How to upgrade add-ons on Indexers and Forwarders after Splunk ES upgrade?

Builder

After upgrading the ES search head, what is the recommended way to upgrade add-ons on indexers and forwarders?

Based on the docs and the current Splunk environment, it seems the ideal option is to use the "Create and set up automatic deployment of the Splunk_TA_ForIndexers" method. However, the doc says: "Before you deploy Splunk_TA_ForIndexers, make sure that existing add-ons installed on indexers are not included in the Splunk_TA_ForIndexers package. Deploying the same add-on twice might lead to configuration conflicts, especially if the add-ons are different versions."

I don't get this part. If I am using Splunk_TA_ForIndexers to upgrade add-ons on indexers, obviously the add-ons are going to be different versions.

Can someone please advise what I am missing here?

0 Karma

SplunkTrust

Hi,

Splunk_TA_ForIndexers contains the indexer-related props.conf and transforms.conf settings from the apps/add-ons installed on the ES search head.

For example: if you are running Splunk_TA_windows version 5 on the indexer and the ES search head is running Splunk_TA_windows version 6, then Splunk_TA_ForIndexers contains the indexer-related settings in props.conf and transforms.conf for Windows add-on version 6. When you install Splunk_TA_ForIndexers on the indexer, it conflicts with the same configuration, and which config takes effect depends on precedence order, so your data may not parse properly on the indexers.

0 Karma
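
One way to check for the conflict described in the answer above before deploying Splunk_TA_ForIndexers, as an added example that is not part of the original thread or of Splunk's own tooling: it compares the settings of an add-on already on the indexer with those in the package and lists every key that both define with different values. The function names and the sample stanzas are constructed for illustration.

```python
"""List settings that an existing indexer add-on and Splunk_TA_ForIndexers
both define with different values (added example, constructed sample data)."""
from pathlib import Path

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current, pending = {}, "default", ""  # "default" = keys outside any stanza
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the value
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def load_app(app_dir, conf_name):
    """Merge default/ then local/ of one app directory; local overrides default."""
    merged = {}
    for layer in ("default", "local"):
        path = Path(app_dir) / layer / conf_name
        if path.is_file():
            for stanza, kv in parse_conf(path.read_text()).items():
                merged.setdefault(stanza, {}).update(kv)
    return merged

def conflicts(existing, packaged):
    """Return sorted (stanza, key, existing_value, packaged_value) where values differ."""
    return sorted(
        (s, k, existing[s][k], packaged[s][k])
        for s in existing.keys() & packaged.keys()
        for k in existing[s].keys() & packaged[s].keys()
        if existing[s][k] != packaged[s][k]
    )

# Constructed sample input: not taken from any real add-on release.
OLD_TA = "[WinEventLog:Security]\nTRANSFORMS-null = drop_noise\nSHOULD_LINEMERGE = false\n"
FOR_INDEXERS = "[WinEventLog:Security]\nTRANSFORMS-null = drop_noise_v2\nSHOULD_LINEMERGE = false\n"

if __name__ == "__main__":
    for row in conflicts(parse_conf(OLD_TA), parse_conf(FOR_INDEXERS)):
        print("conflict: [%s] %s: %r vs %r" % row)
```

On an indexer, `load_app()` can be pointed at the existing add-on directory and at the Splunk_TA_ForIndexers directory for `props.conf` and `transforms.conf`; an empty result from `conflicts()` means the two do not set the same key to different values.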

Builder

So clearly it seems the Splunk_TA_ForIndexers add-on should not be used for upgrading add-ons on indexers and forwarders.

Should Splunk_TA_ForIndexers only be used for fresh installation on indexers and NOT for upgrades?

The only and best way is to manually download the corresponding versions of the add-ons from Splunkbase and install them on indexers and forwarders?

0 Karma

SplunkTrust

Splunk_TA_ForIndexers contains indexes.conf as well. If you do not want to use Splunk_TA_ForIndexers on indexers, then you need to maintain all ES indexes in your own dedicated app on the indexers and maintain/upgrade the rest of the add-ons on the indexers based on your requirements.

My preference is: if you are installing an add-on separately on indexers and you do not want to upgrade that add-on on the indexers, then do not upgrade the same add-on on the ES SH. Also, my advice is: do not install add-ons separately on indexers, and use Splunk_TA_ForIndexers on indexers (only install add-ons on the indexers that are not installed on the ES SH).

0 Karma

Builder

Sorry, but I don't think you have read my question clearly.

I want to use Splunk_TA_ForIndexers to upgrade add-ons on indexers. However, the doc says: "Before you deploy Splunk_TA_ForIndexers, make sure that existing add-ons installed on indexers are not included in the Splunk_TA_ForIndexers package. Deploying the same add-on twice might lead to configuration conflicts, especially if the add-ons are different versions."

I don't get this part. If I am using Splunk_TA_ForIndexers to upgrade add-ons on indexers, obviously the add-ons are going to be different versions.

0 Karma

SplunkTrust

I understood your question correctly. Can you please let us know why a different version of the add-on will be there on the indexers? If you are using Splunk_TA_ForIndexers, then you do not need to install the add-ons (which are included in Splunk_TA_ForIndexers) separately on the indexers.

0 Karma