Deployment Architecture

How to update TA via Deployment Server?

daisy
Explorer

Hi all, from the available documentation, I am not getting how to practically update TA via Deplyoment server (i.e. distribute a newer version to the UFs via DS). If it matters, it is about the Add-On for Linux and Unix. I would imagine that it looks like this:

1) get the TA on the Deployment Server via GUI - go to  "install app from file" -> upload the downloaded .tgz file from splunkbase -> restart Splunk

2) Backup the used TA (older version)

3) Copy the TA (newer version) from the App folder into the deployment-apps folder (via cp -R)

4) Redeploy Deployment Server via  splunk reload deploy-server

5) Check if data is still being obnoarded properly

Am I missing anything? Is this approach valid? 

Labels (2)
0 Karma
1 Solution

gcusello
Legend

Hi @daisy,

No, you process isn't correct: if you load a TA from GUI, you install it on the Deployment Server, you cannot deploy it.

As you can read at https://docs.splunk.com/Documentation/Splunk/8.2.5/Updating/Aboutdeploymentserver the steps are:

  • copy (via SSH) the TA on the DS,
  • move (via SSH) the TA at $SPLUNK_HOME/etc/deployment-apps
  • untar (via SSH) the TA twice, to have the uncompressed folver,
  • remove (via SSH) the compressed files,
  • if you need to customize some conf file (e.g. to enable some disabled input), copy the conf file to modify from default to local folder and modify it by CLI,
  • Create or modify a ServerClass via GUI,
  • force the deploy via CLI using the command "splunk reaload deploy-server" or wait for the normal update.

Please avoid comments because I agree that's a very complicated way to manage deployment, I asked (in Splunk Ideas) to manage this process via GUI, but no answers, I continue to hope!

Ciao.

Giuseppe

View solution in original post

0 Karma

daisy
Explorer

Hi @gcusello - thank you very much. I have indeed used WinScp as well as MobaXTerm. But I am lacking the practical experience of updating TAs so I was wondering what the best way would be. Thank you, very much - you answered all my questions.

0 Karma

gcusello
Legend

Hi @daisy,

No, you process isn't correct: if you load a TA from GUI, you install it on the Deployment Server, you cannot deploy it.

As you can read at https://docs.splunk.com/Documentation/Splunk/8.2.5/Updating/Aboutdeploymentserver the steps are:

  • copy (via SSH) the TA on the DS,
  • move (via SSH) the TA at $SPLUNK_HOME/etc/deployment-apps
  • untar (via SSH) the TA twice, to have the uncompressed folver,
  • remove (via SSH) the compressed files,
  • if you need to customize some conf file (e.g. to enable some disabled input), copy the conf file to modify from default to local folder and modify it by CLI,
  • Create or modify a ServerClass via GUI,
  • force the deploy via CLI using the command "splunk reaload deploy-server" or wait for the normal update.

Please avoid comments because I agree that's a very complicated way to manage deployment, I asked (in Splunk Ideas) to manage this process via GUI, but no answers, I continue to hope!

Ciao.

Giuseppe

0 Karma

daisy
Explorer

Hi @gcusello thanks for the quick reply. I have some additional questions:

1) How do you get the TA on DS - do you download it on your laptop and then move via SSH?

2) Why do you need to untar the TA twice? via tar- xvzf should be sufficient to use the tar command once. Or do you mean to get from .tar.tgz the fully uncompressed folder?

3) Why do I need to modify the ServerClass via GUI? The TA name would stay the same so it should already be available. Or am I missing somethign here?

4) When untarring the TA, the local folder should be left untouched, right? As there should be custom configurations and I am afraid to lose these. Thus, I wrote that I would take backup before untarring, is this needed at all?

Thank you very much!

0 Karma

gcusello
Legend

Hi @daisy,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

gcusello
Legend

Hi @daisy,

1) yes, to do this I use MobaXTerm, but you can also use WinSCP, as you like.

2) yes correct, I usually use two times the tar command but it's the same.

3) if you are deploying a new TA, you have to associate the new TA to a ServerClass, if instead you are modifying an already present TA, you don't need to update ServerClass.

4) if you take a TA from Splunk baseline, usually local folder isn't present, but you can check if there's something in the local folder of the new TA version.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...