
Do splunk upgrades ever remove any files?

gabriel_vasseur
Contributor

The upgrade process on Linux is basically to unpack the tgz file over the existing Splunk home directory.

I understand that will add any new files where they need to be, update any file that needs updating, but what about the files that are no longer needed after the upgrade? Are they ever removed or do we just accumulate rubbish over the years?


wmyersas
Builder

If you update/upgrade in situ The Right Way™, no - [almost] nothing "old" is ever removed: all you're ever doing is unpacking new files overtop of old ones and/or adding new files.

However, the volume of "rubbish" you accumulate "over the years" is pretty darn tiny - maybe on the order of a couple megs every time you update.

If you want to avoid even those few megs of accumulating "junk files", you can always use something like Ansible to deploy new Splunk hosts at the current rev as new installs, add them into your environment (all those pass4symkey entries, etc), then decommission old hosts, then update to the next rev.

That would ensure you're never holding more than one version's "rubbish" on your hosts.
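
An added example, not part of the original post and not Splunk's own tooling: a shell function that lists files present in an install directory but absent from the release tarball, which is one way to enumerate what unpack-over-the-top upgrades have left behind. The function names, the excluded directories (assumed to hold site data rather than shipped files) and the two tiny fake releases in the demo are constructed for illustration.

```shell
#!/usr/bin/env bash
# stale_files TARBALL INSTALL_DIR
# Prints paths (relative to INSTALL_DIR) that exist on disk but are not members
# of TARBALL, i.e. candidates left behind by earlier unpack-over-the-top upgrades.
# Assumption: the tarball has one top-level directory that maps onto INSTALL_DIR.
stale_files() {
    local tarball home shipped ondisk
    tarball=$1; home=$2
    shipped=$(mktemp); ondisk=$(mktemp)
    # Files the release ships: drop directory entries, strip the top-level dir.
    tar -tzf "$tarball" | grep -v '/$' | sed 's|^[^/]*/||' | LC_ALL=C sort -u > "$shipped"
    # Files on disk, skipping places assumed to hold site data rather than
    # shipped files (runtime data, local config, per-user settings).
    ( cd "$home" && find . -type f \
        ! -path './var/*' ! -path './etc/system/local/*' \
        ! -path './etc/apps/*/local/*' ! -path './etc/users/*' ) \
        | sed 's|^\./||' | LC_ALL=C sort -u > "$ondisk"
    # comm -13: lines only in the second list = on disk but not shipped.
    LC_ALL=C comm -13 "$shipped" "$ondisk"
    rm -f "$shipped" "$ondisk"
}

# Constructed demo: two tiny fake "releases"; the second drops lib/libold.so.
demo() {
    local work
    work=$(mktemp -d)
    mkdir -p "$work/v1/splunk/bin" "$work/v1/splunk/lib" \
             "$work/v2/splunk/bin" "$work/v2/splunk/lib" "$work/opt"
    echo v1 > "$work/v1/splunk/bin/splunkd"; echo v1 > "$work/v1/splunk/lib/libold.so"
    echo v2 > "$work/v2/splunk/bin/splunkd"; echo v2 > "$work/v2/splunk/lib/libnew.so"
    tar -czf "$work/v1.tgz" -C "$work/v1" splunk
    tar -czf "$work/v2.tgz" -C "$work/v2" splunk
    # Install v1, add local config, then "upgrade" by unpacking v2 over it.
    tar -xzf "$work/v1.tgz" -C "$work/opt"
    mkdir -p "$work/opt/splunk/etc/system/local"
    echo '[default]' > "$work/opt/splunk/etc/system/local/inputs.conf"
    tar -xzf "$work/v2.tgz" -C "$work/opt"
    stale_files "$work/v2.tgz" "$work/opt/splunk"
    rm -rf "$work"
}

demo   # prints: lib/libold.so
```

Treat the output as a list of candidates to review, not a delete list: locally installed apps and files generated at runtime outside the excluded directories will also appear in it.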

gabriel_vasseur
Contributor

Thanks. Maybe things are not too bad for Splunk core.

Have you ever used Enterprise Security? It has a health check feature that reveals a LOT of "unshipped" files, and a significant portion of these really do not look like anything the team could ever have created themselves. So I believe they are accumulated junk, except I don't feel confident removing them.

0 Karma

wmyersas
Builder

The same basic principles apply for all things Splunk that I've yet seen (apps, add-ons, Core, etc) - other than maybe UBA: files get overwritten, but rarely get removed.

0 Karma