Cleanest Way of Updating Splunk Search Head Addon/Apps without Losing Local Changes and Configurations

NightShark
Path Finder

When upgrading apps/add-ons in a distributed environment, is there a recommended best practice, or is it similar to deploying the app initially, where I can just paste the newer version downloaded from Splunkbase over the existing app and then push the new bundle to the peers to fully update the app? E.g., with versions 1 and 2 in the same shcluster/apps directory, will the latest version take priority over the older one while also benefitting from the configurations made in the previous version?

Search head local changes do not appear to be visible on the deployer server, so do I also have to take the local directory of the related app from the search heads and include it inside the newly updated app before pushing through the deployer?

PS: App I am trying to update is ES Content Update

Or maybe there is a specific push command to preserve local changes?

Any and all help is welcome, thanks in advance!

0 Karma
1 Solution

isoutamo
SplunkTrust

Hi

You should read the app's README / INSTALL etc. documentation to check whether there are any special comments/instructions for you. In the general case you should just update the app via the Deployer to the SHC. Just untar the package over the previous version into .../etc/shcluster/apps/<app name>. Of course, if you have made your own changes there in the default directory instead of the local directory, then you must manually merge those changes into the new version; otherwise you will lose (at least partially) your current changes. If users have made local modifications directly on the SHC nodes, then it depends on your push mode what will happen. In the normal case those will still be there after the update. You can read more here: https://docs.splunk.com/Documentation/Splunk/8.2.4/DistSearch/PropagateSHCconfigurationchanges#Choos...

r. Ismo
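
The pre-flight check implied by the answer above, as an added example that is not part of the original post or Splunk's own tooling: it finds edits made in the staged app's default/ directory that untarring the new package would overwrite, and only overlays the new version when there are none. It assumes the previous package tarball is still available and that each package contains a single top-level app directory; the function names and the backup file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread). Run on the deployer.

# edited_defaults OLD_TGZ STAGED_APP_DIR
# Prints files under default/ in the staged app that differ from the pristine
# old package, i.e. admin edits that the new version would overwrite.
edited_defaults() {
    old_tgz=$1; staged=$2
    tmp=$(mktemp -d) || return 2
    tar -xzf "$old_tgz" -C "$tmp" || { rm -rf "$tmp"; return 2; }
    # Assumption: the package holds exactly one top-level directory (the app).
    for d in "$tmp"/*/; do pristine=${d%/}; break; done
    ( cd "$staged" && find default -type f 2>/dev/null | sort ) |
    while IFS= read -r f; do
        if [ ! -f "$pristine/$f" ]; then
            echo "added $f"
        elif ! cmp -s "$staged/$f" "$pristine/$f"; then
            echo "modified $f"
        fi
    done
    rm -rf "$tmp"
}

# stage_upgrade OLD_TGZ NEW_TGZ APPS_DIR APP
# APPS_DIR is the deployer's .../etc/shcluster/apps directory.
# Returns 1 without touching the app if default/ edits still need merging.
stage_upgrade() {
    old_tgz=$1; new_tgz=$2; apps_dir=$3; app=$4
    lost=$(edited_defaults "$old_tgz" "$apps_dir/$app") || return 2
    if [ -n "$lost" ]; then
        printf 'Merge these into the new version first:\n%s\n' "$lost" >&2
        return 1
    fi
    # Keep the backup outside apps/ so it is not staged alongside the apps.
    tar -czf "$apps_dir/../$app.pre-upgrade.tgz" -C "$apps_dir" "$app" || return 2
    # Untar the new package over the previous version, as the answer describes.
    tar -xzf "$new_tgz" -C "$apps_dir"
}
# After a successful stage_upgrade, push the bundle with
# "splunk apply shcluster-bundle -target ..." as shown in the thread.
```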

NightShark
Path Finder

My only method of updating the apps in the SHC, in order to keep equilibrium throughout the environment, is using a deployer.

My push mode is usually as follows:

splunk apply shcluster-bundle -target https://SH_I:8089

Which I assume is the default "merge to default" mode that does not interfere with any of the local changes and/or configurations made on every individual search head node, correct?

Thank you very much for your response,

0 Karma

isoutamo
SplunkTrust
That’s correct
0 Karma