Upgrader App for Splunk: Effortlessly Upgrade Your Splunk Instance

Upgrading on-premise Linux Splunk Enterprise instances has historically been a complex and challenging task, but the new Upgrader App for Splunk (UA4S) is designed to change that. In this review, we’ll take a closer look at how this app simplifies the upgrade process and makes this task accessible for anyone, even those without extensive technical expertise.

First Impressions

Firstly, this app is fairly new and published by Splunk Works. It is not supported and should be viewed more as an early beta. It is highly recommended that you read the Installation and User Guide in full, including the troubleshooting section.

From the get-go, the app impresses with its straightforward installation and setup process. It’s designed to upgrade on-premise Splunk Enterprise instances, but does not currently support clustered indexer or search head cluster environments – clustering support is to be included in a future update.

Pre-requisites: Preparing for the Upgrade

One of the key features is its emphasis on preparation. The app underscores the importance of starting any upgrade with a comprehensive backup. Best practice then dictates that the upgrade be performed in the following order:

  1. Upgrade supporting servers:
    • Deployment Server
    • License Manager
    • Heavy Forwarders
    • Monitoring Console
  2. Upgrade the Search Heads
  3. Upgrade the Indexers

Installation Process: Step-by-Step Guide

The installation requires the following:

  • The main Search Head (SH), where the UA4S app GUI will be used, should have every server to be upgraded added as a search peer to this SH. A monitoring console SH typically has this peering in place already. However, you may also wish to spin up a completely separate standalone SH to perform these upgrades.
  • The UA4S app must be deployed to every peer that is to be upgraded. If you already have a Deployment Server (DS) up and running for these peers, then the DS should be used to deploy the UA4S app to each one using standard serverclass methods.

1. Install the App 

The first step would be to download the Upgrader App for Splunk (UA4S) from Splunkbase. Following this, the app should be installed on the SH that you will be initializing and managing the upgrades from – for example, your monitoring console SH or even a standalone SH. We will refer to this as the main instance.

2. Download the new Splunk version

Once installed, download the new version of Splunk that you wish to upgrade to. The installation package must be in .tgz format. This tgz file should then be added to $SPLUNK_HOME/etc/apps/splunkupgrader/bin on the main instance server where the UA4S app was installed.
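Because this one file is later unpacked on every server you upgrade, it is worth checking before it goes into the app's bin directory. The following shell script is an added example, not part of UA4S or of the original review; it assumes `sha512sum` and `tar` are available, that you copy the expected SHA-512 value from the vendor's download page, and that the archive unpacks under a top-level `splunk/` directory. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not UA4S code): check a Splunk .tgz before staging it for UA4S.
# Assumptions: expected SHA-512 comes from the vendor download page; the
# archive's members all live under a top-level splunk/ directory.

# verify_tgz <tgz_path> <expected_sha512_hex>  -> returns 0 only if all checks pass
verify_tgz() {
    tgz=$1; expected=$2
    case "$tgz" in
        *.tgz) ;;
        *) echo "reject: package must be in .tgz format" >&2; return 1 ;;
    esac
    [ -f "$tgz" ] || { echo "reject: $tgz not found" >&2; return 1; }

    # 1. Integrity: compare digests (hex case is normalised first)
    actual=$(sha512sum "$tgz" | awk '{print $1}')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] || { echo "reject: SHA-512 mismatch" >&2; return 1; }

    # 2. Layout: list members without extracting anything
    listing=$(tar -tzf "$tgz") || { echo "reject: unreadable archive" >&2; return 1; }
    if printf '%s\n' "$listing" | grep -Eq '(^|/)\.\.(/|$)'; then
        echo "reject: member path contains .." >&2; return 1
    fi
    if printf '%s\n' "$listing" | grep -Evq '^splunk(/|$)'; then
        echo "reject: member outside splunk/" >&2; return 1
    fi
    return 0
}

# stage_tgz <tgz_path> <expected_sha512_hex> [dest_dir]
# dest_dir defaults to the UA4S bin directory named in this step.
stage_tgz() {
    dest=${3:-${SPLUNK_HOME:-/opt/splunk}/etc/apps/splunkupgrader/bin}
    verify_tgz "$1" "$2" || return 1
    [ -d "$dest" ] || { echo "reject: $dest does not exist" >&2; return 1; }
    cp -- "$1" "$dest/" && echo "staged $(basename "$1") in $dest"
}

# Stand-alone use: ./stage.sh <tgz_path> <expected_sha512_hex> [dest_dir]
if [ "$#" -ge 2 ]; then
    stage_tgz "$@"
fi
```

Run it on the main instance as the user that owns the Splunk installation, so the copied file keeps the ownership the app expects.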

3. Set a common password

In the UA4S app, navigate to the setup page. Here you will need to set up a password, which is encrypted on disk. This step is important because the password is what allows you to connect remotely; if it is not set first, you will get errors and be unable to perform any of the necessary actions.

4. Check all search peers are listed

The Search Peers button on the setup page takes you to the search peer page under the distributed search setup. You should validate that all servers needing upgrades are listed. If a server is missing, click the New Search Peer button here to add it.

5. Navigate to the upgrader page

In the UA4S app, navigate to the Upgrader page. This is essentially the central command centre where you will back up, upgrade, restore and restart the individual servers.

6. Back up the Splunk servers being upgraded

Clicking on the Backup button alongside each peer will perform a backup of Splunk and place it in the $SPLUNK_HOME directory, typically /opt/splunk of the peer. This step is required to restore the previous version should you wish to roll back the upgrade. It also includes the kvstore and kvstorebackup directories, though it excludes files from the var directory, meaning index data directories should be backed up separately if necessary.

7. Deploy the UA4S app to the Splunk servers being upgraded

On the Upgrader page there is a Deploy button next to each server that is to be upgraded. This essentially deploys the UA4S app out to each server by setting up the main instance as a deployment server. It is useful when there is no other deployment server set up within your environment, but this is rarely the case. If you already have a deployment server within your environment, then this should be used to push the UA4S app to each server being upgraded. Copy the configured UA4S app (splunkupgrader) from the $SPLUNK_HOME/etc/apps/splunkupgrader directory on the main instance to the /deployment-apps directory of your Deployment Server. Once this is done, create an appropriate serverclass to deploy the app out to the Splunk servers that are to be upgraded, with the restart flag checked so that they restart after the app is deployed. Then return to the UA4S app GUI on the main instance.

8. Upgrade your Splunk servers

With the app now deployed, you are ready to start the upgrade process. Click on the upgrade button next to the server to be upgraded and the upgrade will be performed using the version (i.e. the tgz file) that was placed in the UA4S app before being deployed to the Splunk servers. Post-upgrade, you will receive a success message and a prompt to restart the server.

9. Restart the Splunk server

Post-upgrade, you can use the restart button to restart the server directly from the app.

Other functions

Restore Button

In case a restore is necessary, the restore button provides a seamless way to revert to the backup. The app replaces kvstore from the backup files, following the process shown in the log block and messages block. For this restore to work correctly, the previous backup step must have been completed. When the restore process is complete, you will receive a message to restart the server again.

Logs Page: Keeping Track

The logs page aggregates all dashboard panels into a single place and hence provides a helpful view of the logs. The search magnifying glass icon enables you to pull searches into Splunk search for troubleshooting or further investigation.

Final Thoughts

To summarize, the new app has the potential to simplify Splunk Enterprise upgrades going forward, once the initial process is set up. While the current release is limited to non-clustered environments, there are future plans for this to work with clustered indexers and search heads. The app’s user-friendly design, comprehensive backup and restore functionalities, and detailed logs give it the potential to be a great tool for anyone looking to upgrade their Splunk instances with less manual effort.

Stay tuned for future updates and enhancements, which may broaden its range even further. Enjoy your upgrading!


© Discovered Intelligence Inc., 2024. Unauthorized use and/or duplication of this material without express and written permission from this site’s owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Discovered Intelligence, with appropriate and specific direction (i.e. a linked URL) to this original content.