How to Upgrade Splunk
This post covers how to upgrade a single instance (not a cluster configuration).
The instance used for testing runs Amazon Linux (4.14.88-88.76.amzn2.x86_64).
splunk version check
[root@suda-demo01 ec2-user]# /opt/splunk/bin/splunk --version
Splunk 7.2.4 (build 8a94541dcfac)
[root@suda-demo01 ec2-user]#
Download the module from the site below
Stop Splunk
[root@suda-demo01 ec2-user]# /opt/splunk/bin/splunk stop
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
[ OK ]
Stopping splunk helpers...
[ OK ]
Done.
[root@suda-demo01 ec2-user]#
After stopping, perform the upgrade
[root@suda-demo01 ec2-user]# rpm -Uhv splunk-7.2.4.2-fb30470262e3-linux-2.6-x86_64.rpm
警告: splunk-7.2.4.2-fb30470262e3-linux-2.6-x86_64.rpm: ヘッダー V4 RSA/SHA256 Signature、鍵 ID b3cd4420: NOKEY
準備しています... ################################# [100%]
This looks like an upgrade of an existing Splunk Server. Attempting to stop the installed Splunk Server...
splunkd is not running. [失敗]
更新中 / インストール中...
1:splunk-7.2.4.2-fb30470262e3 ################################# [ 50%]
complete
整理中 / 削除中...
2:splunk-7.2.4-8a94541dcfac ################################# [100%]
[root@suda-demo01 ec2-user]#
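The NOKEY warning in the output above means rpm could not verify the package signature, because the signing key (ID b3cd4420) is not in the rpm keyring. The script below is an added example, not part of the original post: it imports the vendor key and runs `rpm -Uhv` only when `rpm -K` reports a verified signature. The key file path, script name and function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: install the Splunk RPM only if its signature verifies.
# Assumptions: KEY is Splunk's public key file, obtained from Splunk over
# HTTPS and fingerprint-checked out of band; function names are made up here.

# sig_ok PKG -> 0 only if `rpm -K` shows a verified signature.
sig_ok() {
    local pkg=$1 out
    # LC_ALL=C: the OK / NOT OK markers must not be localized.
    out=$(LC_ALL=C rpm -K "$pkg" 2>&1) || return 1
    out=${out#"$pkg":}              # drop the file name before matching
    case $out in
        *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*) return 1 ;;
    esac
    # Digests alone (md5/sha1) only prove the file is intact, not who
    # built it, so require a signature token in the OK line.
    case $out in
        *signatures*OK*|*pgp*OK*|*gpg*OK*|*rsa*OK*|*dsa*OK*) return 0 ;;
    esac
    return 1
}

# upgrade_if_signed PKG KEY -> import the key, verify, then upgrade.
upgrade_if_signed() {
    local pkg=$1 key=$2
    rpm --import "$key" || return 1
    if sig_ok "$pkg"; then
        rpm -Uhv "$pkg"
    else
        echo "refusing to install $pkg: signature not verified" >&2
        return 1
    fi
}

# Usage: ./verified_upgrade.sh splunk-<version>.rpm SplunkPGPKey.pub
if [ "$#" -eq 2 ]; then
    upgrade_if_signed "$1" "$2"
fi
```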
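Start Splunk
Validation runs at startup, so if any errors are printed, check the messages.
(Parameters that were used previously may have been removed, so look at the .spec files and check the parameter sheet for each config.)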
[root@suda-demo01 ec2-user]# /opt/splunk/bin/splunk start --accept-license --answer-yes
This appears to be an upgrade of Splunk.
--------------------------------------------------------------------------------)
Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk's installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.
You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:
If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose 'y'.
If you want to see what changes will be made before you proceed with the
upgrade, choose 'n'.
Perform migration and upgrade without previewing configuration changes? [y/n] y
-- Migration information is being logged to '/opt/splunk/var/log/splunk/migration.log.2019-03-23.08-36-51' --
Migrating to:
VERSION=7.2.4.2
BUILD=fb30470262e3
PRODUCT=splunk
PLATFORM=Linux-x86_64
Copying '/opt/splunk/etc/myinstall/splunkd.xml' to '/opt/splunk/etc/myinstall/splunkd.xml-migrate.bak'.
Checking saved search compatibility...
Checking for possible timezone configuration errors...
Handling deprecated files...
Checking script configuration...
Copying '/opt/splunk/etc/myinstall/splunkd.xml.cfg-default' to '/opt/splunk/etc/myinstall/splunkd.xml'.
Deleting '/opt/splunk/etc/system/local/field_actions.conf'.
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules' to '/opt/splunk/share/splunk/search_mrsparkle/modules.old.20190323-083652'.
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
The following apps might contain lookup table files that are not exported to other apps:
-----omitted-----
Splunk> Be an IT superhero. Go home early.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _internal _introspection _telemetry _thefishbucket add_on_builder_index cim_modactions history iot_pm iot_pm_stash main summary unix_summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-7.2.4.2-fb30470262e3-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done
[ OK ]
Waiting for web server at http://127.0.0.1:8000 to be available............................. Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://suda-demo01:8000
Verify operation
Confirm that the version has gone up
[root@suda-demo01 ec2-user]# /opt/splunk/bin/splunk --version
Splunk 7.2.4.2 (build fb30470262e3)
[root@suda-demo01 ec2-user]#
Use SPL to confirm that both past data and current data can be searched. (It is better to check an index that is continuously receiving data.)
index=_internal (log_level=ERROR OR log_level=WARN)
index=main
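Summary
As shown above, the upgrade is simple.
One caveat: running the upgrade overwrites all of the default files in the configuration directories (etc/apps/xxx/default and so on), so if you want to edit configuration files, edit the ones under local.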