How to Upgrade Splunk

Posted at 2019-03-23

This post covers how to upgrade a single-instance Splunk deployment (not a cluster configuration).
The instance used for testing ran Amazon Linux (4.14.88-88.76.amzn2.x86_64).

splunk version check

[root@suda-demo01 ec2-user]# /opt/splunk/bin/splunk --version
Splunk 7.2.4 (build 8a94541dcfac)
[root@suda-demo01 ec2-user]#

Download the package from the site below

Stop Splunk


[root@suda-demo01 ec2-user]# /opt/splunk/bin/splunk stop
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.

                                                           [  OK  ]
Stopping splunk helpers...
                                                           [  OK  ]
Done.
[root@suda-demo01 ec2-user]#

After stopping, run the upgrade


[root@suda-demo01 ec2-user]# rpm -Uhv splunk-7.2.4.2-fb30470262e3-linux-2.6-x86_64.rpm
警告: splunk-7.2.4.2-fb30470262e3-linux-2.6-x86_64.rpm: ヘッダー V4 RSA/SHA256 Signature、鍵 ID b3cd4420: NOKEY
準備しています...              ################################# [100%]
This looks like an upgrade of an existing Splunk Server. Attempting to stop the installed Splunk Server...
splunkd is not running.                                    [失敗]
更新中 / インストール中...
   1:splunk-7.2.4.2-fb30470262e3      ################################# [ 50%]
complete
整理中 / 削除中...
   2:splunk-7.2.4-8a94541dcfac        ################################# [100%]
[root@suda-demo01 ec2-user]#
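
The `NOKEY` warning in the output above means rpm could not verify the package signature, because the public key with ID b3cd4420 was not in the rpm keyring, and the upgrade proceeded anyway. The following is an added example, not part of the original post, that only runs the upgrade when `rpm -K` reports a verified signature; the key file path is a placeholder and the sample lines are constructed.

```bash
#!/bin/sh
# Added example (not from the original post): refuse to upgrade from an RPM
# whose signature was not verified against an imported vendor key.

# Classify one line of `rpm -K <package>` output.
# Prints one of: verified | missing-key | unsigned | failed
# Newer rpm reports a missing key only as "SIGNATURES NOT OK" (-> failed).
classify_rpm_checksig() {
    result=${1#*: }            # drop the "<file>: " prefix
    case $result in
        *"MISSING KEYS"*|*NOKEY*) echo missing-key ;;
        *"NOT OK"*)               echo failed ;;
        *[Ss]ignatures*OK|*[Pp][Gg][Pp]*OK|*[Gg][Pp][Gg]*OK|*[Rr][Ss][Aa]*OK)
                                  echo verified ;;
        *OK)                      echo unsigned ;;   # digests only, no signature
        *)                        echo failed ;;
    esac
}

# Run the upgrade only when the signature verifies.
# Import the vendor public key first, after checking its fingerprint out of band:
#   rpm --import /path/to/vendor-public-key.pub    (placeholder path)
verify_then_upgrade() {
    pkg=$1
    verdict=$(classify_rpm_checksig "$(rpm -K "$pkg" 2>&1 | head -n 1)")
    if [ "$verdict" != verified ]; then
        echo "refusing to install $pkg: signature check is '$verdict'" >&2
        return 1
    fi
    rpm -Uhv "$pkg"
}

# Constructed sample lines modelled on older and newer rpm output formats.
demo_checksig() {
    for line in \
        'pkg.rpm: digests signatures OK' \
        'pkg.rpm: digests SIGNATURES NOT OK' \
        'pkg.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#b3cd4420)' \
        'pkg.rpm: sha1 md5 OK'
    do
        printf '%-12s %s\n' "$(classify_rpm_checksig "$line")" "$line"
    done
}
demo_checksig
```

On the host, `verify_then_upgrade splunk-7.2.4.2-fb30470262e3-linux-2.6-x86_64.rpm` would replace the bare `rpm -Uhv` call.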

Start Splunk

Validation runs at startup, so if any errors are printed, check the messages.
(Parameters that were used previously may have been removed, so look at the .spec files and check the parameters of each config.)

[root@suda-demo01 ec2-user]# /opt/splunk/bin/splunk start --accept-license --answer-yes

This appears to be an upgrade of Splunk.
--------------------------------------------------------------------------------)

Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk's installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.

You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:

If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose 'y'.
If you want to see what changes will be made before you proceed with the
upgrade, choose 'n'.


Perform migration and upgrade without previewing configuration changes? [y/n] y

-- Migration information is being logged to '/opt/splunk/var/log/splunk/migration.log.2019-03-23.08-36-51' --

Migrating to:
VERSION=7.2.4.2
BUILD=fb30470262e3
PRODUCT=splunk
PLATFORM=Linux-x86_64

Copying '/opt/splunk/etc/myinstall/splunkd.xml' to '/opt/splunk/etc/myinstall/splunkd.xml-migrate.bak'.

Checking saved search compatibility...

Checking for possible timezone configuration errors...

Handling deprecated files...

Checking script configuration...

Copying '/opt/splunk/etc/myinstall/splunkd.xml.cfg-default' to '/opt/splunk/etc/myinstall/splunkd.xml'.
Deleting '/opt/splunk/etc/system/local/field_actions.conf'.
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules' to '/opt/splunk/share/splunk/search_mrsparkle/modules.old.20190323-083652'.
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
The following apps might contain lookup table files that are not exported to other apps:

-----omitted-----

Splunk> Be an IT superhero. Go home early.

Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration...  Done.
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _internal _introspection _telemetry _thefishbucket add_on_builder_index cim_modactions history iot_pm iot_pm_stash main summary unix_summary
        Done
        Checking filesystem compatibility...  Done
        Checking conf files for problems...
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunk/splunk-7.2.4.2-fb30470262e3-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
                                                           [  OK  ]

Waiting for web server at http://127.0.0.1:8000 to be available............................. Done


If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://suda-demo01:8000

Verification

Confirm that the version has gone up


[root@suda-demo01 ec2-user]# /opt/splunk/bin/splunk --version
Splunk 7.2.4.2 (build fb30470262e3)
[root@suda-demo01 ec2-user]#

Use SPL to confirm that both past data and current data can be searched. (It is best to check an index that is continuously receiving data.)


index=_internal (log_level=ERROR OR log_level=WARN)
index=main

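Summary

As shown above, the upgrade is simple.
One caveat: running the upgrade overwrites all of the default files among the configuration files (etc/apps/xxx/default and so on),
so if you want to change a configuration file, edit the copy under local.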
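
If a default file has already been edited (the startup output above includes Splunk's own "Checking default conf files for edits" step), the changed settings should move to local before the upgrade. The following is an added example, not part of the original post, that prints the settings in an edited default file that differ from a pristine copy; how the pristine copy is obtained is an assumption (for example, extracted from the package of the installed version), and the stanza and key names are constructed.

```bash
#!/bin/sh
# Added example (not from the original post). Prints the settings in an edited
# default/*.conf that differ from the pristine copy shipped with the package,
# grouped by stanza: this is the content to place in local/<same name>.conf.
# Limitation: values continued across lines with a trailing backslash and
# settings deleted from the edited file are not handled.
conf_overrides() {
    # $1 = pristine default file, $2 = edited default file
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        FNR == 1 { stanza = "[default]" }        # settings before any stanza header
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        /^[ \t]*\[.*\][ \t]*$/ { stanza = trim($0); next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = trim(substr($0, 1, eq - 1))
            val = trim(substr($0, eq + 1))
            if (FILENAME == ARGV[1]) { base[stanza, key] = val; next }
            if (!((stanza, key) in base) || base[stanza, key] != val) {
                if (stanza != printed) { print stanza; printed = stanza }
                print key " = " val
            }
        }
    ' "$1" "$2"
}

# Constructed sample: a pristine file and the same file after an admin edit.
demo_conf_overrides() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '[example_stanza]' 'timeout = 60' 'enabled = true' \
        > "$dir/pristine.conf"
    printf '%s\n' '[example_stanza]' 'timeout = 300' 'enabled = true' \
                  '[added_stanza]' 'path = /tmp/x' > "$dir/edited.conf"
    conf_overrides "$dir/pristine.conf" "$dir/edited.conf"
    rm -rf "$dir"
}
demo_conf_overrides
```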
