Quickstart guide

The quickstart guide provides a simple path to quickly install and configure basic functions.

Manually install the remote upgrader

  1. Download the Splunk remote upgrader for Linux universal forwarders from Splunkbase at: https://splunkbase.splunk.com/app/7699. This file contains the universal forwarder upgrader package and delivery scripts. The delivery scripts deliver a new version of the universal forwarder to an already installed universal forwarder that has an active remote upgrader installed using the deployment server. For a manual installation, you only need the universal forwarder upgrader package.
  2. Extract the downloaded wrapper package and untar the downloaded file.
  3. Locate the upgrader package in the directory splunk_app_uf_remote_upgrade_linux. Note the exact filename of "splunk-upgrader-100.tgz". This is the file you will transfer to the target system in Step 4. Do not extract this file on your current system.
  4. Transfer the upgrader package to the target system. Send splunk-upgrader-100.tgz as follows:
    scp splunk-upgrader-100.tgz splunker@10.202.15.74:/tmp

    Replace:

    • splunk-upgrader-100.tgz with your exact upgrader filename from Step 3
  5. Extract and install on the target system by moving the remote upgrader package into the installation directory. Run the remote upgrader parallel to the universal forwarder home. For example, if SPLUNK_HOME = "/opt/splunkforwarder", copy the upgrader package into /opt.
  6. Untar the package:
    cp /tmp/splunk-upgrader-100.tgz /opt/
    cd /opt
    tar xf splunk-upgrader-100.tgz
  7. Install the universal forwarder remote upgrader using the default user (root permission is required) so that the universal forwarder upgrader creates its own user and/or group with minimum permissions to complete the universal forwarder upgrade. The remote upgrader's Linux daemon is then automatically installed and run as another user. Custom user/group installation options are described in Modify remote upgrader using the configuration files.
  8. To start the installation process, run the command:
    sudo ./bin/install.sh --accept-license --create-user
  9. In the output of the installation command, you should see that the universal forwarder upgrader daemon is "active (running)".
  10. If the daemon fails to start, check the installation logs in ./log/upgrade.log.

Manually configure universal forwarder upgrade using the remote upgrader

  1. On splunk.com, download the universal forwarder version 9.0.0 or later and the respective .sig file. The new .sig file is available from the More > "Download x509 Signature" link for each universal forwarder package. Once this operation completes, you will have two files:
    • splunkforwarder-{version}.{extension}
    • splunkforwarder-{version}.{extension}.sig

    So for example:

    • splunkforwarder-9.4.0-6b4ebe426ca6-linux-amd64.tgz
    • splunkforwarder-9.4.0-6b4ebe426ca6-linux-amd64.tgz.sig
  2. Copy both files into /tmp/SPLUNK_UPDATER_MONITORED_DIR on your destination Linux universal forwarder machine. Once you have installed the remote upgrader, the directory /tmp/SPLUNK_UPDATER_MONITORED_DIR is created, and is used to receive universal forwarder packages.
  3. To trigger the upgrade, run the command:
    touch /tmp/SPLUNK_UPDATER_MONITORED_DIR/start_uf_upgrade
  4. For troubleshooting, review logs in $SPLUNK_HOME/log/upgrade.log. Historical data is stored in the ./history directory.
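
The staging steps above can be wrapped in a pre-flight check, shown here as an added example that is not part of the Splunk documentation or tooling. It also applies the rule that the package type must match the originally installed one; the function names `check_uf_pair` and `stage_uf_upgrade` and their arguments are hypothetical.

```shell
#!/bin/sh
# Added example; function and argument names are hypothetical, not Splunk tooling.
# It checks that the .sig file is present, not that the signature is valid.

# check_uf_pair PACKAGE INSTALLED_TYPE
# Returns 0 when PACKAGE is named like a universal forwarder package of
# INSTALLED_TYPE (tgz, rpm or deb) and a non-empty PACKAGE.sig sits beside it.
check_uf_pair() {
    pkg=$1; installed_type=$2
    name=$(basename "$pkg")
    case "$name" in
        splunkforwarder-*.tgz|splunkforwarder-*.rpm|splunkforwarder-*.deb) ;;
        *) echo "not a universal forwarder package name: $name" >&2; return 1 ;;
    esac
    # The package type must match the type the forwarder was installed from.
    if [ "${name##*.}" != "$installed_type" ]; then
        echo "package type ${name##*.} differs from installed type $installed_type" >&2
        return 2
    fi
    [ -s "$pkg" ] || { echo "package missing or empty: $pkg" >&2; return 3; }
    [ -s "$pkg.sig" ] || { echo "signature missing or empty: $pkg.sig" >&2; return 4; }
    return 0
}

# stage_uf_upgrade PACKAGE INSTALLED_TYPE [MONITORED_DIR]
# Copies the package and its .sig, then creates the trigger file last, so the
# trigger only appears once both files are in the monitored directory.
stage_uf_upgrade() {
    pkg=$1; installed_type=$2
    dir=${3:-/tmp/SPLUNK_UPDATER_MONITORED_DIR}
    check_uf_pair "$pkg" "$installed_type" || return $?
    [ -d "$dir" ] || { echo "monitored directory not found: $dir" >&2; return 5; }
    cp "$pkg" "$pkg.sig" "$dir"/ || return 6
    touch "$dir/start_uf_upgrade"
}
```

A non-zero return code identifies which check failed, and nothing is copied or triggered in that case.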

Distribute the remote upgrader package using the deployment server

  1. Download the Splunk remote upgrader for Linux universal forwarders from Splunkbase at: https://splunkbase.splunk.com/app/7699. This file contains the universal forwarder upgrader package and delivery scripts. The delivery scripts deliver a new version of the universal forwarder to the already installed universal forwarder that has an active remote upgrader installed using the deployment server. For a manual installation, you only need the universal forwarder upgrader package.
  2. Untar the downloaded file:
    cp /tmp/splunk-upgrader-100.tgz /opt/
    tar xf splunk-upgrader-100.tgz
  3. In the directory splunk_app_uf_remote_upgrade_linux, find the universal forwarder upgrader package splunk-upgrader-{version}.tgz file. You can locate this file at:
    splunk_app_uf_remote_upgrade_linux/default/packages/splunk-upgrader-{version}.tgz
  4. Use the deployment server to distribute the splunk-upgrader-{version}.tgz file to the universal forwarders where you plan to install the remote upgrader. For more information about using the deployment server, see Create deployment apps.
  5. Place the applications on the deployment server in the directory $SPLUNK_HOME/etc/deployment-apps. The application is delivered to the directory $SPLUNK_HOME/etc/apps on destination universal forwarders.
  6. Move the remote upgrader package into the installation directory. Run the remote upgrader parallel to the universal forwarder home. So for example, if SPLUNK_HOME = "/opt/splunkforwarder", then copy the upgrader package into /opt.
  7. Install the universal forwarder remote upgrader using the default user (root permission is required) so that the universal forwarder upgrader creates its own user and/or group with minimum permissions to complete the universal forwarder upgrade. The remote upgrader's Linux daemon is then automatically installed and run as another user. Custom user/group installation options are described in Modify remote upgrader using the configuration files.
  8. To start the installation process, run the command: sudo ./bin/install.sh --accept-license --create-user
  9. In the output of the installation command, you should see that the universal forwarder upgrader daemon is "active (running)".
  10. If the daemon fails to start, check the installation logs in ./log/upgrade.log.

Upgrade universal forwarders using deployment server and the remote upgrader

  1. Download the Splunk remote upgrader for Linux universal forwarders from Splunkbase at: https://splunkbase.splunk.com/app/7699. This file contains the universal forwarder upgrader package and delivery scripts. The delivery scripts deliver a new version of the universal forwarder to an already installed universal forwarder that has an active remote upgrader installed using the deployment server. For a manual installation, you only need the universal forwarder upgrader package.
Note: The Universal Forwarder package type (such as .tgz/.rpm/.deb) must align with the originally installed Universal Forwarder package type. For example, if Universal Forwarder was installed using a .rpm package, the deployment server must deliver a .rpm package to the Universal Forwarder. The Universal Forwarder cannot be upgraded using a different package type.
  2. Untar the downloaded file.
  3. In the directory splunk_app_uf_remote_upgrade_linux, find the universal forwarder upgrader package file splunk-upgrader-{version}.tgz. You can locate this file at:
    splunk_app_uf_remote_upgrade_linux/default/packages/splunk-upgrader-{version}.tgz
    • splunkforwarder-{version}.{extension}
    • splunkforwarder-{version}.{extension}.sig

    You should see the directory: splunk_app_uf_remote_upgrade_linux.
  4. Put the universal forwarder installation package and universal forwarder signature files into the directory:
    splunk_app_uf_remote_upgrade_linux/local/packages
  5. The directory splunk_app_uf_remote_upgrade_linux is ready to be distributed to selected universal forwarders using the deployment server. When you distribute the application using the deployment server, make sure the application and Restart agent are enabled. After the application is distributed, the universal forwarder upgrade will be performed automatically. For troubleshooting, see the logs in ./log/upgrade.log.