Upgrader App for Splunk: Effortlessly Upgrade Your Splunk Instance
Upgrading on-premise Linux Splunk Enterprise instances has historically been a complex and challenging task, but the new Upgrader App for Splunk (UA4S) is designed to change that. In this review, we’ll take a closer look at how this app simplifies the upgrade process and makes this task accessible for anyone, even those without extensive technical expertise.
First Impressions
Firstly, this app is fairly new and published by Splunk Works. It is not supported and should be viewed more as an early beta. It is highly recommended that you read the Installation and User Guide in full, including the troubleshooting section.
From the get-go, the app impresses with its straightforward installation and setup process. It’s designed to upgrade on-premise Splunk Enterprise instances, but does not currently support clustered indexer or search head cluster environments – clustering support is to be included in a future update.
Pre-requisites: Preparing for the Upgrade
One of the key features is its emphasis on preparation. The app underscores the importance of starting any upgrade with a comprehensive backup. Best practice then dictates that the upgrade be performed in the following order:
- Upgrade supporting servers:
  - Deployment Server
  - License Manager
  - Heavy Forwarders
  - Monitoring Console
- Upgrade the Search Heads
- Upgrade the Indexers
Installation Process: Step-by-Step Guide
The installation requires the following:
- The main Search Head (SH), where the UA4S app GUI will be used, should have every server to be upgraded added as a search peer. A monitoring console SH typically has this peering in place already. However, you may also wish to spin up a completely separate standalone SH to perform these upgrades.
- The UA4S app must be deployed to every peer that is to be upgraded. If you already have a Deployment Server (DS) up and running for these peers, then the DS should be used to deploy the UA4S app to each one using standard serverclass methods.
1. Install the App
The first step would be to download the Upgrader App for Splunk (UA4S) from Splunkbase. Following this, the app should be installed on the SH that you will be initializing and managing the upgrades from – for example, your monitoring console SH or even a standalone SH. We will refer to this as the main instance.
2. Download the new Splunk version
Once installed, download the new version of Splunk that you wish to upgrade to. The installation package must be in .tgz format. This tgz file should then be added to $SPLUNK_HOME/etc/apps/splunkupgrader/bin on the main instance server where the UA4S app was installed.
3. Set a common password
In the UA4S app, navigate to the setup page. Here you will need to set a password. This password is encrypted on disk. This step is important because it allows you to connect remotely; without first setting this password, you will get errors and be unable to perform any of the necessary actions.
4. Check all search peers are listed
The Search Peers button on the setup page directs you to the search peer page under the distributed search setup. You should validate that all servers needing upgrades are listed. If a server is missing, click on the New Search Peer button here to add it.
5. Navigate to the upgrader page
In the UA4S app, navigate to the Upgrader page. This is essentially the central command centre where you will back up, upgrade, restore and restart the individual servers.
6. Back up the Splunk servers being upgraded
Clicking on the Backup button alongside each peer will perform a backup of Splunk and place it in the $SPLUNK_HOME directory, typically /opt/splunk, of the peer. This step is required to restore the previous version should you wish to roll back the upgrade. It also includes the kvstore and kvstorebackup directories, though it excludes files from the var directory, meaning index data directories should be backed up separately if necessary.
7. Deploy the UA4S app to the Splunk servers being upgraded
On the Upgrader page there is a Deploy button next to each server that is to be upgraded. This deploys the UA4S app out to each server by setting up the main instance as a deployment server. It is useful when there is no other deployment server set up within your environment, but this is rarely the case. If you already have a deployment server within your environment, then this should be used to push the UA4S app to each server being upgraded. Copy the configured UA4S app (splunkupgrader) from the $SPLUNK_HOME/etc/apps/splunkupgrader directory on the main instance to the /deployment-apps directory of your Deployment Server. Once this is performed, create an appropriate serverclass to deploy the app out to the Splunk servers that are to be upgraded, with the restart flag checked so that they restart after the app is deployed. Once this is done, return to the UA4S app GUI on the main instance.
8. Upgrade your Splunk servers
With the app now deployed, you are ready to start the upgrade process. Click on the upgrade button next to the server to be upgraded and the upgrade will be performed using the version (i.e. the tgz file) that was placed in the UA4S app before being deployed to the Splunk servers. Post-upgrade, you will receive a success message and a prompt to restart the server.
9. Restart the Splunk server
Post-upgrade, you can use the restart button to restart the server directly from the app.
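The tgz staged in step 2 is what every peer unpacks in step 8, so it is worth checking before the app is deployed. The following pre-flight check is an added example, not part of UA4S or the original review; the function names are illustrative, and it assumes you have the expected SHA-256 from the vendor download page and that the archive unpacks under a top-level splunk/ directory.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the Splunk .tgz staged in step 2.
# Assumptions (not from the original post): the expected SHA-256 is obtained
# out of band from the vendor, and the archive's top-level directory is "splunk/".

# Print the SHA-256 of a file using whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# check_package <tgz> <expected_sha256>
# Returns 0 when the package passes every check; prints the reason otherwise.
check_package() {
  local tgz="$1" expected="$2" actual members
  case "$tgz" in
    *.tgz) ;;
    *) echo "FAIL: package must be in .tgz format: $tgz"; return 1 ;;
  esac
  [ -f "$tgz" ] || { echo "FAIL: not found: $tgz"; return 1; }

  actual=$(sha256_of "$tgz")
  if [ "$actual" != "$expected" ]; then
    echo "FAIL: sha256 mismatch (got $actual)"; return 1
  fi

  # List members without extracting; a truncated or corrupt archive fails here.
  members=$(tar -tzf "$tgz" 2>/dev/null) || { echo "FAIL: unreadable archive"; return 1; }

  # Reject absolute paths and ".." components, which could write outside
  # the install directory when the archive is unpacked on a peer.
  if printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
    echo "FAIL: unsafe member path in archive"; return 1
  fi
  # Every member must sit under the assumed top-level "splunk/" directory.
  if printf '%s\n' "$members" | grep -Evq '^splunk(/|$)'; then
    echo "FAIL: unexpected top-level entry in archive"; return 1
  fi
  echo "OK: $tgz"
}

# Usage (placeholders, fill in your own values):
#   check_package "$SPLUNK_HOME/etc/apps/splunkupgrader/bin/<package>.tgz" "<expected sha256>"
```

Run it on the main instance after copying the package into the app's bin directory and before pressing Deploy or pushing the app through your Deployment Server.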
Other functions
Restore Button
In case a restore is necessary, the restore button provides a seamless way to revert to the backup. The app replaces kvstore from the backup files, following the process shown in the log block and messages block. For this restore to work correctly, the previous backup step must have been completed. When the restore process is complete, you will receive a message to restart the server again.
Logs Page: Keeping Track
The logs page aggregates all dashboard panels into a single place, providing a helpful view of the logs. The search magnifying glass icon lets you pull the searches into Splunk search for troubleshooting or further investigation.
Final Thoughts
To summarize, the new app has the potential to simplify Splunk Enterprise upgrades going forward, once the initial process is set up. While the current release is limited to non-clustered environments, there are future plans for this to work with clustered indexers and search heads. The app’s user-friendly design, comprehensive backup and restore functionalities, and detailed logs give it the potential to be a great tool for anyone looking to upgrade their Splunk instances with less manual effort.
Stay tuned for future updates and enhancements, which may broaden its range even further. Enjoy your upgrading!
© Discovered Intelligence Inc., 2024. Unauthorized use and/or duplication of this material without express and written permission from this site’s owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Discovered Intelligence, with appropriate and specific direction (i.e. a linked URL) to this original content.