Getting Data In

Lightweigth forwarder upgrade

cafissimo
Communicator

Hello, I am going to upgrade splunk light forwarder to splunk universal forwarder. In the splunk documentation I'have found some steps to follow. In particular I should (as written in "http://www.splunk.com/base/Documentation/latest/Deploy/Migrateanixforwarder") as mentioned at step 3: "3. In the universal forwarder's installation directory, $SPLUNK_HOME, create a file named old_splunk.seed; in other words: $SPLUNK_HOME/old_splunk.seed. This file must contain a single line, consisting of the path of the old forwarder's $SPLUNK_HOME directory. For example: /opt/splunk. " Does it mean that the universal forwarder has to be installed in a different directory than /opt/splunk if the light forwarder is installed in /opt/splunk? Thanks and kind regards, Luca Caldiero, Consoft Sistemi S.p.A.

0 Karma
1 Solution

Steve_G_
Splunk Employee
Splunk Employee

You cannot actually upgrade from the light forwarder to the universal forwarder, but you can migrate your light forwarder settings to the universal forwarder. This is an important distinction.

Unlike the light forwarder, the universal forwarder is an entirely separate download and executable from full Splunk. Do not install it over an existing installation of full Splunk (including light forwarder or heavy forwarder).

View solution in original post

0 Karma

Steve_G_
Splunk Employee
Splunk Employee

You cannot actually upgrade from the light forwarder to the universal forwarder, but you can migrate your light forwarder settings to the universal forwarder. This is an important distinction.

Unlike the light forwarder, the universal forwarder is an entirely separate download and executable from full Splunk. Do not install it over an existing installation of full Splunk (including light forwarder or heavy forwarder).

0 Karma

Branden
Builder

Yes, you should install the Universal Forwarder in a different directory than the SplunkLightForwarder.

The instructions confused me at first too. I always installed the SplunkLightForwarder in /splunk, but then I noticed that the UniversalForwarder tarball extracts to /splunkforwarder, so that's where I installed it. (That's how it worked on AIX anyway.) Worked great.

Hope that helps!

Get Updates on the Splunk Community!

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...