Splunk Enterprise

Upgrading from 8 to 9 (UF question) - Are there specific versions I cannot upgrade from?

jsalsbur
Explorer

Good afternoon, 

I am upgrading from Splunk 8 to 9. And I have a hodgepodge of UFs that are all over the place in versioning. From 6.x all the way to 8. 

I know you cannot do a multiple-version upgrade; I will need to go 6 to 7 to 8 to 9.

 

My question is this. Are there specific versions that I cannot upgrade from? For instance, does a 6.x need to be upgraded to a specific version of 7 then a specific version of 8 or will any version in the line of upgrades work?

I have tried to do some searching but I am not finding the answer to my specific question. Which makes me think the upgrade version, as long as it is in order, doesn't matter, but I need to make sure because we have several hundred to do.

 

Thanks 

 

0 Karma

skramp
SplunkTrust

Make sure that

- your combination of OS and UFW matches

- all apps work with the newer version

- you haven't manually copied apps onto the UFWs (but eventually a deploymentclient-app). If you do the uninstallation, they could be erased.

 

Do you also have to update HFs? Keep in mind the Python version change!

0 Karma

jsalsbur
Explorer

That makes me wonder: if you uninstalled an older version manually, for instance version 6, and then installed version 9, would that work? That could be scripted, I imagine?

0 Karma

PickleRick
SplunkTrust

In general - with the "proper" setup of UFs managed by DS, your configuration should get pushed from the DS so removing an old forwarder and installing a new one should work perfectly well.

If you maintain your configs manually, you'd have to manually move the config from the old instance to the new one (which could be tricky if you rely on some default values which could have changed between versions).

There is one caveat, though, to both cases - when you remove the old UF installation you'd most probably remove the fishbucket and any other form of saved state as well, so with a new UF installation you'd be reingesting old monitored files, Windows event logs and so on from scratch.

0 Karma

isoutamo
SplunkTrust

Hi

As @PickleRick said, you can remove the old version and install a new one, and in this case you can go directly from 5.x to 9.x, as this is basically a new installation, not an upgrade. But in this case you will lose the fishbucket db, which means that the UF doesn't know which files and at which exact place it is in those files. And this means that you will be reindexing all the data that you have online on those nodes!

If/when you want to avoid this, you must do a real update step by step, 6.5 -> 7.x -> ... -> 9.x, and always start the UF services before installing the next version. When you start the UF, it does the needed conversion for the fishbucket etc.

Update <=> e.g. yum update splunkforwarder.xxx.rpm

remove + install <=> e.g. yum remove splunkforwarder (+ rm -fr /opt/splunkforwarder) + yum install splunkforwarder.xxxx.rpm

r. Ismo

0 Karma

Stefanie
Builder

I don't believe there is specific documentation for the upgrade path for UFs. But UFs are a watered-down version of Splunk Enterprise...

For full Splunk server installations there is a specific upgrade path. 

Generally it is version 6.5.x to 7.2.x to 8.0.x to 8.2.x to 9.0.x. 

https://docs.splunk.com/Documentation/Splunk/8.2.0/Installation/HowtoupgradeSplunk 


> My question is this. Are there specific versions that I cannot upgrade from? For instance, does a 6.x need to be upgraded to a specific version of 7 then a specific version of 8 or will any version in the line of upgrades work?

 


So to clarify, yes there are specific versions you have to upgrade to. For the example of 7.2.x it can be ANY version of 7.2.x (7.2.3, 7.2.4, 7.2.5, etc). 

 

Hope this helps

 

 

 

0 Karma
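
An added example, not code from any poster in this thread: a planning helper that takes a forwarder inventory and prints, per host, which of the waypoints quoted above (6.5.x, 7.2.x, 8.0.x, 8.2.x, 9.0.x) are still ahead of it. The function names and the inventory are constructed; it assumes the waypoints apply to UFs as well and that a version sitting between two waypoints moves to the next higher one.

```shell
# Waypoints quoted in the thread for full Splunk installs (major.minor).
# Assumption: the same waypoints are used for universal forwarders.
WAYPOINTS="6.5 7.2 8.0 8.2 9.0"

# ver_key VERSION: map "8.2.11" or "7.2" to major*1000+minor for comparison.
ver_key() {
    major=${1%%.*}
    rest=${1#*.}
    case $1 in *.*) minor=${rest%%.*} ;; *) minor=0 ;; esac
    echo $(( major * 1000 + minor ))
}

# plan_hops VERSION: print the waypoints still ahead of VERSION, in order.
# Returns 1 for a malformed version, 2 for one older than the first waypoint.
plan_hops() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo "invalid-version"; return 1 ;;
    esac
    cur=$(ver_key "$1")
    if [ "$cur" -lt "$(ver_key "${WAYPOINTS%% *}")" ]; then
        echo "no-path-in-thread"; return 2
    fi
    hops=""
    for wp in $WAYPOINTS; do
        if [ "$(ver_key "$wp")" -gt "$cur" ]; then
            hops="${hops:+$hops }$wp.x"
        fi
    done
    echo "${hops:-none}"
}

# plan_inventory: read "host version" lines on stdin, print one plan per host.
plan_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        plan=$(plan_hops "$ver") || true
        echo "$host $ver -> $plan"
    done
}

# Constructed sample inventory (hostnames and versions are made up).
plan_inventory <<'EOF'
web01 6.5.3
db02 7.0.4
app03 8.1.2
legacy04 6.2.1
new05 9.0.4
EOF
```

Hosts reported as `no-path-in-thread` are older than the first waypoint and need a manual decision; per the posts above, the forwarder service is started after each hop so the fishbucket is converted before the next package is installed.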