Splunk Enterprise

How to deal with unattended universal forwarder upgrade ?

New Member

Hi, I'm in the middle of testing deployment of the UF for a new setup and I started with 9.0.1, deploying it with ansible from a local yum repository as the initial push. (that' s the gist of it, bit more complex infrastructure behind it but not really relevant)

But now 9.1.1 came out which was pointed out to me due to a security alert so I updated the package on our repository, hit 'yum update'  on one of my test servers, and this broke the UF.

Apparently it needs to be started manually once with '--accept-license --answer-yes --no-prompt'  to complete the upgrade and accept the license .. again .. ?

Is there a clever way of dealing with this so it just works after upgrading the rpm ? Short of modifying the rpm's spec file so it does some starting and stopping while the rpm is being upgraded.

Manually doing this in case there happens to be an update is just not an option due to the number of hosts, our regular updates run unattended with basically just a 'yum/dnf update -y'

Modifying the systemd file so it just starts with the required parameters does not appear be working with the '_internal_launch_under_systemd' , replacing that with the old 'start etc' makes the UF not work with systemd anymore.
RHEL9 is going to forego the init.d folder I think so using older more flexible sysV scripts is not an option either.

Any sort of manual intervention when there happens to be a new version is highly undesirable.

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...