

- #Splunk universal forwarder download how to
- #Splunk universal forwarder download update
- #Splunk universal forwarder download upgrade
#Splunk universal forwarder download how to
Now I need to figure out how to get the -accept license to be accepted again. That did work when it came to installing it.

Let me know how you get on, this has been an interesting problem to debug! This will prevent the rapid looping and allow the UF to fire-up and connect to your DS if you need to perform a roll-back e.g.:Īlso, please consider adding more logging (to a log file) and error checking to your upgrade.sh too. If you really do wish to push forward with this method, then consider changing your script interval to a cron. This app would've constantly downed the UF before it had a chance to phone home to your deployment server(s), preventing a roll-back. Note that this will prevent your echo from reaching Splunk in upgrade.sh so you might want to move it to the wrapper.sh.Ī word to the wise: Going full-circle, this is exactly what I was referring to at the start of this answer: remote upgrades like this can brick the UF in unpredictable ways. ( /opt/splunkforwarder/etc/apps/splunk_upgrade_lin_v8/bin/upgrade.sh & ) > /dev/null 2>&1 The simplest way to get around this is to either remove the -v argument from tar or (the safer option) redirect the STDOUT and STDERR when invoking upgrade.sh as follows: After we stop Splunk, upgrade.sh's STDOUT pipe has no reader, and when we try to write with it with tar, a SIGPIPE signal is raised which causes tar to exit. These are pipes specifically set-up by Splunk to redirect the script's outputs to the internal mechanisms that deal with event forwarding. When invoking upgrade.sh with a double-fork, upgrade.sh inherits the file descriptors of the wrapper.sh. In this case, tar is writing to STDOUT because of the -v (verbose) argument in your script. The tar command is writing to a pipe with no reader. In my recreation, the tar command is returning a 141 exit code, which corresponds with (141 - 128=13) SIGPIPE signal.

#Splunk universal forwarder download upgrade
The issue preventing the upgrade is the tar command failing to unpack the new Splunk tgz. The reason this process is looping is because the upgrade is not working. What I'm observing is that the UF enters a loop of being up and down because the script runs instantly and then very quickly stops the UF. I copied your scripts like-for-like into an app. That being said, I can recreate your issue.
#Splunk universal forwarder download update
You can brick your forwarders using remote update scripts like this. Does Anyone has a work around with this?įirstly, an obligatory warning: Splunk does not support self-invoked updates. Any version after that, splunk just stops once the app is assigned to the client, then the splunkforwarder shuts down and doesn't come back until I force remove the app (rm -rf) and restart splunk. This custom apps work completely fine with 7.2.6. In the local directory, this is what I have listed. In the bin directory, the script above is the upgrade.sh and the wrapper.sh I created points to this upgrade.sh In the static folder, it has the splunkforwarder-8.2.2-87344edfcdb4-Linux-x86_64.tgz. $SPLUNK_HOME/bin/splunk start -accept-license -answer-yes Tar -xvf $SPLUNK_HOME/etc/apps/splunk_upgrade_lin_v8/static/splunkforwarder-8.2.2-87344edfcdb4-Linux-x86_64.tgz -C /opt Here is the custom app.ĬVER=`cat $SPLUNK_HOME/etc/splunk.version | grep VERSION | cut -d= -f2` However, once it shuts down, it does not restart or upgrade the server. I created a another app that has the exact same features as version 7.2.6. However, The custom app is a replica of 7.2.6. Problem: The Splunk Universal Forwarders are not upgrading from version 7.2.6 to Version 8 using the custom app I developed. Hello, I am having issues with my splunk universal fowarders.
