Thank you!!! ... View more

I got it thank you so much! My issue was that I was unpacking the file while Splunk was running. So the steps to use your solution were: Stop running Splunk instance Unpack the file via    tar xvf splunkclouduf.spl -C $SPLUNK_HOME/etc/apps​   Start Splunk again ... View more

Ah I think that's what it was. I can see that there is a difference between the two outputs (pre / post update).  ... View more

That's kinda what I wanted to assume to. According to Splunk, the following query is what tells me if the app is successfully installed: index=_internal source=*metrics.log group=tcpout_connections name=splunkcloud* | stats latest(_time) AS _time latest(name) AS name by host | rex field=name "(?<output_group>.+?)\:" | eval fwd_config=if(output_group="splunkcloud","legacy","new") | stats count by _time host output_group fwd_config | reltime | fields _time reltime host output_group fwd_config | sort 0 fwd_config If that 'fwd_config' field says 'new', it was successful. Instances that need the update are marked 'legacy'. When I try to unpack manually and restart Splunk; it still shows up as 'legacy' afterward. When i do the update via their process, it is marked as 'new'. Thank you for the help by the way, you have been amazing thus far ... View more

I gave that a shot but it doesn't look like Splunk was able to detect the updated package : /   I suspect that it's something to do with the metadata that doesn't get generated when I extract the data.  ... View more

I was able to run the update on one of the machines and inspected the location  /opt/splunkforwarder/etc/apps/ It seems like some metadata is generated there that includes the checksum. I don't suppose you know if that's generated by Splunk's install process?  ... View more

We received a notice from Splunk to perform this update prior to 7/15. We don't have our Splunk configured the way the guide suggests; instead we utilize an automated process to create / install Splunk on EC2 instances. Given this, we have over 100 forwarders to update.    Key takeaway, it doesn't seem feasible to perfrom this update by running the installation command on every instance. I wanted to know what it does so that we could incorporate the steps into our automated workflow so that 'future' forwarders that are created have the required update.  ... View more