Hi,
Can anyone please give me the commands for these steps?
1. Start the AWS instance and copy the Splunk binary to all hosts
2. Stop the master node
3. Stop all the indexers, SHs and the SH deployer
4. Downgrade and start the master node
5. Start the indexers
6. Start the SH deployer
7. Start the SHs
8. Run splunk disable maintenance-mode
9. Create index xyx and push it from the master node
10. Push dummy data from the HF on AWS
11. Upgrade and start the master node
12. Run splunk enable maintenance-mode on the master node
13. Start the indexers
14. Start the SH deployer
15. Start the SHs
↧
Splunk upgrade question
↧
Migrating Splunk to new server and upgrading it, but with a different hostname?
Hi,
I am trying to migrate my current Splunk server to a new server and upgrade it as well.
I have already done the following:
1. backed up the $SPLUNK_HOME directory
2. installed a fresh new version of Splunk 7.0.1 on a new server (the current server is running 6.3.3)
3. transferred the current Splunk indexed data and configs, **$SPLUNK_HOME/var/lib/splunk/defaultdb** and **$SPLUNK_HOME/etc**, to the new server
I am able to see the apps, however search doesn't load at all and neither do the other apps. I have a new hostname for the new server, could that be the reason why none of the apps load?
Could anyone help me understand which files need to be edited in order to get all my indexed data and apps back?
Thank you in advance! :)
↧
↧
Splunk upgrade to 7.0. List of supported apps
Hi,
Is there a handy way to find which apps/add-ons are supported in 7.0? We will be upgrading our Splunk environments from 6 to 7 and have many apps.
↧
"Bad regex" warning after upgrading from Enterprise 6.5.1 to 7.0.1
After upgrading Splunk on a test server from 6.5.1 to 7.0.1, we receive the following message when starting Splunk:
01-18-2018 17:22:55.079 WARN btool-support - Bad regex value: '(?msi)(Account\s+Domain\:.*?(Account\s+Domain\:)|Account\s+Domain\:)(?!\s+(\r|\n))\s+(?[a-zA-Z0-9._[\S-\S][^\r|\n]+)', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_dest_nt_domain_Account_Domain; why: invalid range in character class
01-18-2018 17:22:55.079 WARN btool-support - Bad regex value: '(?msi)(Group\s+Domain\:.*?(Group\s+Domain\:)|Group\s+Domain\:)(?!\s+(\r|\n))\s+(?[a-zA-Z0-9._[\S-\S][^\r|\n]+)', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_dest_nt_domain_Group_Domain; why: invalid range in character class
01-18-2018 17:22:55.083 WARN btool-support - Bad regex value: '(?msi)Group\:(\s|\r|\n)(.*?Group\sName\:\s+(?[\S-\S][^(\r|\n)]+)(\r|\n))(.*?Group\sDomain\:\s+(?[\S-\S][^(\r|\n)]+)(\r|\n))', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_group_name_domain; why: invalid range in character class
01-18-2018 17:22:55.083 WARN btool-support - Bad regex value: '(?msi)Member\:(\s|\r|\n)(.*?Account\sName\:\s+(?[\S-\S][^(\r|\n)]+)(\r|\n))', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_member_dn_Account_Name; why: invalid range in character class
01-18-2018 17:22:55.083 WARN btool-support - Bad regex value: '(?msi)(New\sGroup\:|Group\:)(\s|\r|\n)(.*?Security ID:(\s+(?[^\x5C{1}]+)\x5C{1}|\s+)(?[\S-\S][^(\r|\n)]+)(\r|\n))', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_member_group_name_id_domain; why: invalid range in character class
01-18-2018 17:22:55.083 WARN btool-support - Bad regex value: '(?msi)Member\:(\s|\r|\n)(.*?Security ID:(\s+(?[^\x5C{1}]+)\x5C{1}|\s+)(?[\S-\S][^(\r|\n)]+)(\r|\n))', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_member_id_member_domain_Security_ID; why: invalid range in character class
01-18-2018 17:22:55.086 WARN btool-support - Bad regex value: '(?msi)(Logon\s+ID\:.*?(Logon\s+ID\:)|Logon\s+ID\:)(?!\s+(\r|\n))\s+(?[a-zA-Z0-9._[\S-\S][^\r|\n]+)', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_session_id; why: invalid range in character class
01-18-2018 17:22:55.087 WARN btool-support - Bad regex value: '(?msi)(?:Account\s+Domain\:(?!\s+(\r|\n))\s+(?[a-zA-Z0-9._[\S-\S][^\r|\n]+))', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_src_nt_domain_Account_Domain; why: invalid range in character class
01-18-2018 17:22:55.087 WARN btool-support - Bad regex value: '(?msi)(?:Account\s+Name\:(?!\s+(\r|\n))\s+(?[a-zA-Z0-9._[\S-\S][^\r|\n]+))', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_src_user_Account_Name; why: invalid range in character class
01-18-2018 17:22:55.087 WARN btool-support - Bad regex value: '(?msi)(Account\s+Name\:.*?(Account\s+Name\:)|Account\s+Name\:)(?!\s+(\r|\n))\s+(?[a-zA-Z0-9._[\S-\S][^\r|\n]+)', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_user_Account_Name; why: invalid range in character class
This does not prevent Splunk from running, however we're concerned about any potential impact on parsing logs.
If it helps, we have the following add-ons installed:
- Splunk Add-On for Windows Infrastructure 1.4.1
- Splunk Add-On for Microsoft Windows 4.8.4
- Splunk Add-On for Microsoft Active Directory 1.0.0
- Splunk Add-On for Microsoft Windows DNS 1.0.1
- MS Windows AD Objects 3.1.1
When I run a `grep "WinEventLog:Security" /opt/splunk/etc/apps/*/default/*` I cannot find any matches in a `props.conf` file, so I'm a little confused as to where this is being found.
Any suggestions?
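The grep in the post only looks at each app's `default` directory, but btool merges `etc/system/{default,local}`, every app's `default` and `local`, and `etc/users/*/*/local` as well, so the stanza can live in a layer that grep skipped. The shell functions below are an added example (not from the post or from Splunk): they walk those same layers for a stanza and flag the `[\S-\S]` range that every warning above contains, which is the "invalid range in character class" the engine is reporting. `SPLUNK_HOME=/opt/splunk` is an assumption; `splunk btool props list <stanza> --debug` is the authoritative version of the same lookup when the binary is available.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumption: SPLUNK_HOME=/opt/splunk (override via the environment).
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# find_props_stanza ETC STANZA : print every props.conf, in btool merge order,
# that declares [STANZA]. Covers the layers a grep of apps/*/default misses.
find_props_stanza() {
    etc="$1"; stanza="$2"
    for f in "$etc"/system/default/props.conf "$etc"/system/local/props.conf \
             "$etc"/apps/*/default/props.conf "$etc"/apps/*/local/props.conf \
             "$etc"/users/*/*/local/props.conf; do
        [ -f "$f" ] || continue
        # -F: treat the brackets literally, not as a character class
        grep -q -F "[$stanza]" "$f" && printf '%s\n' "$f"
    done
    return 0
}

# list_bad_ranges FILE : lines (with numbers) containing the [\S-\S] range that
# all of the btool warnings above share. Exit status is grep's (1 = none found).
list_bad_ranges() {
    grep -n -F '[\S-\S]' "$1"
}

# btool_where STANZA : the authoritative answer, with the file each key came
# from, when a splunk binary is present on this host.
btool_where() {
    [ -x "$SPLUNK_HOME/bin/splunk" ] || { echo "no splunk binary under $SPLUNK_HOME" >&2; return 1; }
    "$SPLUNK_HOME/bin/splunk" btool props list "$1" --debug
}

if [ -d "$SPLUNK_HOME/etc" ]; then
    for f in $(find_props_stanza "$SPLUNK_HOME/etc" "WinEventLog:Security"); do
        echo "== $f"
        list_bad_ranges "$f" || echo "(no [\\S-\\S] ranges in this file)"
    done
fi
```

Run it on the upgraded test server; the file it prints is where `EXTRACT-ms_ad_obj_*` actually resides, and a `local` copy will override whatever a fixed `default` ships later.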
↧
What is the best way to upgrade on Linux with multiple versions running on the same box?
I have two instances running on a non-production linux box, one is v6.6.3 (TST) and the other one is v7.0.1 (DEV) as I can test new features first in DEV and only later plan an upgrade of TST. Having them run both on one box is not ideal, but quick and cheap.
Installing them side by side was not too complicated using rpm -i --prefix=... to specify the installation path. Splunk detects ports are already used when starting the 2nd instance and prompts you to specify other, free ports. Both instances then run fine in parallel.
Upgrading to 7.0.2 with rpm -U is not a wise thing to do, since it will replace all installed older versions with the new one. This will thus remove the v6.6.3 instance along with upgrading the v7.0.1 instance! Is it in my case better to 1/ rpm -e uninstall the v7.0.1 package and 2/ rpm -i install the v7.0.2 package? Will it keep/migrate my configuration files? My add-ons? My data?
↧
↧
Anyone have a good tutorial on Docker containerizing and upgrading and managing Splunk in a container environment?
All,
Anyone have a good walkthrough or tutorial on managing Splunk as a container? Upgrades without losing configs? SHC and user local files? Mounting disks for indexers into the container? That sort of thing.
↧
Why am I encountering an issue on peer server when upgrading from 7.1 to 7.2?
Hi
In my dev environment I have (all 7.1 enterprise running on RHEL6.5)
1 x Master server
2 x Peer (index servers / cluster)
2 x Search heads
I'm trying to upgrade them to 7.2
I have followed the upgrade documentation, everything was ok on all the other nodes in terms of upgrade steps, but one of the peer nodes failed with the below query. So I was wondering if anyone else has seen this or come across the same problem?
splunk start --accept-license --answer-yes
This appears to be an upgrade of Splunk.
--------------------------------------------------------------------------------
Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk's installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.
You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:
If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose 'y'.
If you want to see what changes will be made before you proceed with the
upgrade, choose 'n'.
Perform migration and upgrade without previewing configuration changes? [y/n] y
-- Migration information is being logged to '/opt/splunk/var/log/splunk/migration.log.2018-02-05.17-41-23' --
Migrating to:
VERSION=7.0.2
BUILD=03bbabbd5c0f
PRODUCT=splunk
PLATFORM=Linux-x86_64
Copying '/opt/splunk/etc/myinstall/splunkd.xml' to '/opt/splunk/etc/myinstall/splunkd.xml-migrate.bak'.
An unforeseen error occurred:
Exception: , Value: [Errno 13] Permission denied: '/opt/splunk/etc/myinstall/splunkd.xml-migrate.bak'
Traceback (most recent call last):
File "/opt/splunk/lib/python2.7/site-packages/splunk/clilib/cli.py", line 1290, in
sys.exit(main(sys.argv))
File "/opt/splunk/lib/python2.7/site-packages/splunk/clilib/cli.py", line 1143, in main
parseAndRun(argsList)
File "/opt/splunk/lib/python2.7/site-packages/splunk/clilib/cli.py", line 998, in parseAndRun
retVal = cList.getCmd(command, subCmd).call(argList, fromCLI = True)
File "/opt/splunk/lib/python2.7/site-packages/splunk/clilib/cli.py", line 280, in call
return self.func(args, fromCLI)
File "/opt/splunk/lib/python2.7/site-packages/splunk/clilib/control_api.py", line 30, in wrapperFunc
return func(dictCopy, fromCLI)
File "/opt/splunk/lib/python2.7/site-packages/splunk/clilib/_internal.py", line 183, in firstTimeRun
migration.autoMigrate(args[ARG_LOGFILE], isDryRun)
File "/opt/splunk/lib/python2.7/site-packages/splunk/clilib/migration.py", line 3091, in autoMigrate
comm.copyItem(PATH_SPLUNKD_XML, PATH_SPLUNKD_XML_BAK, dryRun)
File "/opt/splunk/lib/python2.7/site-packages/splunk/clilib/cli_common.py", line 1008, in copyItem
shutil.copy(src, dst)
File "/opt/splunk/lib/python2.7/shutil.py", line 119, in copy
copyfile(src, dst)
File "/opt/splunk/lib/python2.7/shutil.py", line 83, in copyfile
with open(dst, 'wb') as fdst:
IOError: [Errno 13] Permission denied: '/opt/splunk/etc/myinstall/splunkd.xml-migrate.bak'
Please file a case online at http://www.splunk.com/page/submit_issue
Any thoughts on this would be great.
Regards
Dee
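The traceback above dies while creating `splunkd.xml-migrate.bak` under `$SPLUNK_HOME/etc`, i.e. the user running `splunk start` cannot write into the install's own config directory. The preflight below is an added example (not from the post): it compares the invoking user with the owner of `$SPLUNK_HOME` and lists anything under `etc/` that a root-run start or a root-owned copy has left with a different owner, which is what to fix before re-running the migration. `SPLUNK_HOME=/opt/splunk` is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumption: SPLUNK_HOME=/opt/splunk (override via the environment).
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# owner_of PATH : user name owning PATH (ls -ld is portable across GNU and BSD)
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# preflight DIR : print the install owner and the invoking user, then every
# path under DIR/etc not owned by the install owner. Returns 1 when either the
# user or the ownership needs fixing before `splunk start` runs the migration.
preflight() {
    dir="${1:-$SPLUNK_HOME}"
    owner=$(owner_of "$dir")
    me=$(id -un)
    printf 'install owner: %s, running as: %s\n' "$owner" "$me"
    rc=0
    if [ "$owner" != "$me" ]; then
        echo "run the upgrade as '$owner' (e.g. sudo -u $owner $dir/bin/splunk start --accept-license --answer-yes)"
        rc=1
    fi
    # files that another user (typically root) created or copied into etc/
    # are what makes the .bak copy fail with Errno 13
    stray=$(find "$dir/etc" ! -user "$owner" 2>/dev/null)
    if [ -n "$stray" ]; then
        printf '%s\n' "$stray"
        echo "fix with: chown -R $owner $dir"
        rc=1
    fi
    return $rc
}

if [ -d "$SPLUNK_HOME" ]; then
    preflight "$SPLUNK_HOME"
fi
```

Run it on the failing peer before retrying; once it prints only the owner line and exits 0, re-run `splunk start --accept-license --answer-yes` as that owner and the copy of `splunkd.xml` will succeed.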
↧
How do I upgrade splunk enterprise on a server that gets its license from a license server?
I originally installed splunk light on a server. After our campus acquired a splunk enterprise license, I switched to the splunk enterprise license by pointing to the campus license server.
Everything worked fine until I tried to upgrade to splunk 7. When I try to do the upgrade, I get the error message:
"Splunk Light is already installed on this computer. Splunk Enterprise cannot be installed unless you first apply a Splunk Enterprise license."
↧
Splunk Upgrade Process - Confirmation
Hi All,
I need to upgrade a Splunk cluster. Please advise if anything is missing and whether my understanding is correct.
Process:
Upgrade the master node.
Upgrade the search head tier (rolling upgrade).
Upgrade the peer node tier (rolling upgrade).
(Maintenance and rolling upgrade of each server)
When we are integrating Peer nodes( indexer nodes) we have to stop search cluster and
My expectation is it will take 1 -2 hours to finish all the indexer nodes. During that time alerts and searches may fail
and the ingestion keep working.
Forwarders and DMC: What is the suggestion.
Thanks,
NP
↧
SSL 3.0 and AWS ELB errors with Splunk 7.0
Hi All,
I upgraded search and index clusters to 7.0.2 from 6.5.1.
Seeing the following in splunkd.log:
02-11-2018 10:31:34.913 +0000 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client hello C', alert_description='handshake failure'.
and ELB AWS health checks are failing. Tried enabling all the ciphers in AWS, did not help.
I am on Ubuntu 12.
Any other changes to be done for SSL or ciphers?
Thanks,
NP
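A `handshake failure` alert sent straight after the client hello means the client and splunkd found no protocol version or cipher in common, so the useful next step is to ask the endpoint which versions it will still negotiate and compare that with what the ELB health check offers. The script below is an added example (not from the post): it drives `openssl s_client` once per protocol version against a target, and `show_ssl_settings` dumps the merged `sslConfig` stanza (sslVersions, cipherSuite) that splunkd is actually enforcing. The host name is a placeholder and `SPLUNK_HOME=/opt/splunk` is an assumption; 8089 is splunkd's management port.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumptions: target host is a placeholder, SPLUNK_HOME=/opt/splunk.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# probe_tls HOST:PORT : one handshake attempt per protocol version, printing
# "<version>: OK" when the server completes it and "<version>: FAIL" otherwise
# (a FAIL for ssl3 on a build that no longer offers -ssl3 is expected).
probe_tls() {
    target="${1:?usage: probe_tls host:port}"
    for v in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        # </dev/null ends stdin so s_client returns right after the handshake
        if openssl s_client -connect "$target" "-$v" </dev/null >/dev/null 2>&1; then
            printf '%s: OK\n' "$v"
        else
            printf '%s: FAIL\n' "$v"
        fi
    done
}

# show_ssl_settings : the sslConfig stanza as splunkd sees it after merging
# every server.conf layer, with the file each key came from.
show_ssl_settings() {
    [ -x "$SPLUNK_HOME/bin/splunk" ] || { echo "no splunk binary under $SPLUNK_HOME" >&2; return 1; }
    "$SPLUNK_HOME/bin/splunk" btool server list sslConfig --debug
}

# usage: sh probe.sh idx01.example.internal:8089
if [ "$#" -gt 0 ]; then
    probe_tls "$1"
fi
```

Probe from a host in the ELB's subnet so the path matches the health check; if only `tls1_2` comes back OK, the fix belongs on the health-check side (a TLS 1.2-capable check or a TCP check), not in re-enabling older versions on the indexers.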
↧
Linux servers: After upgrading from 6.2.0 to 7.0.2, will the 6.2.0 universal forwarders be able to communicate with the new 7.0.2 enterprise components?
We are considering upgrading from 6.2.0 to version 7.0.2. All the *nix servers will be upgraded, but during the upgrade process, will the 6.2.0 universal forwarders be able to communicate with the new 7.0.2 enterprise components?
Our Windows servers won't be updated as we are thinking of removing the clients. Will the 6.2.0 Windows universal forwarders still function with 7.0.2?
My understanding is that enterprise components on 7.0.2 should be ok to receive data from any 6.x or higher forwarder.
↧
↧
Have a query while doing a Splunk upgrade from 6.2 to 6.5
Hi Folks,
I have read the Splunk document "Upgrade a 6.x indexer cluster to a later version of 6.x". In the document they mention the steps below to perform the upgrade.
1. Stop the master.
2. Stop all the peers and search heads.
When bringing down the peers, use the splunk stop command, not splunk offline.
3. Upgrade the master node, following the normal procedure for any Splunk Enterprise upgrade, as described in How to upgrade Splunk Enterprise in the Installation Manual. Do not upgrade the peers yet.
4. Start the master, accepting all prompts, if it is not already running.
5. Run splunk enable maintenance-mode on the master. To confirm that the master is in maintenance mode, run splunk show maintenance-mode. This step prevents unnecessary bucket fix-ups. See Use maintenance mode.
6. Upgrade the peer nodes and search heads, following the normal procedure for any Splunk Enterprise upgrade, as described in How to upgrade Splunk Enterprise in the Installation Manual.
If the search heads in the indexer cluster are members of a search head cluster, see Upgrade a search head cluster.
7. Start the peer nodes and search heads, if they are not already running.
8. Run splunk disable maintenance-mode on the master. To confirm that the master is not in maintenance mode, run splunk show maintenance-mode.
If we stop all the indexers at one time, will we get data loss?
Thanks,
Sridhar
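The documented sequence quoted above, the command list asked for in the first post on this page, and the "upgrade process" confirmation post all describe the same ordering: master down, peers and search heads down with `splunk stop` (never `splunk offline`, which would trigger bucket fix-up), master upgraded and started, maintenance mode enabled and confirmed, then peers and search heads upgraded and started, then maintenance mode disabled. The script below is an added example (not from the thread or from Splunk) that drives that order with plain `splunk` CLI calls over ssh. Everything not in the posts is an assumption: the host names, `SPLUNK_HOME=/opt/splunk` on every node, passwordless ssh as the user that owns the install, a new-release tarball already copied to `$PKG` on every node (the upgrade is an untar over the existing install), and that `--answer-yes` is accepted by `enable maintenance-mode` to skip its confirmation prompt. It defaults to printing the plan; set `DRY_RUN=0` to execute it.

```shell
#!/bin/sh
# Added example, not part of the original posts.
# Assumptions: host names, SPLUNK_HOME, ssh access and $PKG are placeholders.
MASTER="${MASTER:-cm01.example.internal}"
PEERS="${PEERS:-idx01.example.internal idx02.example.internal}"
SEARCH_HEADS="${SEARCH_HEADS:-sh01.example.internal sh02.example.internal}"
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
PKG="${PKG:-/tmp/splunk-new.tgz}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the plan only, 0 = ssh and run it

# run HOST CMD : execute CMD on HOST over ssh, or print it in dry-run mode
run() {
    host="$1"; shift
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s: %s\n' "$host" "$*"
    else
        ssh "$host" "$*"
    fi
}

# splunk_cli HOST ARGS : run one splunk CLI command on HOST
splunk_cli() { run "$1" "$SPLUNK_HOME/bin/splunk $2"; }

# upgrade_node HOST : untar the new release over the old install, then start
# it so the migration runs without prompting (same answers the thread shows)
upgrade_node() {
    run "$1" "tar -xzf $PKG -C $(dirname "$SPLUNK_HOME")"
    splunk_cli "$1" "start --accept-license --answer-yes"
}

upgrade_cluster() {
    # 1-2. stop the master, then every peer and search head with `stop`;
    #      `offline` would make the master start fixing up buckets
    splunk_cli "$MASTER" stop
    for h in $PEERS $SEARCH_HEADS; do splunk_cli "$h" stop; done
    # 3-4. upgrade and start the master only
    upgrade_node "$MASTER"
    # 5. maintenance mode keeps the master from scheduling bucket fix-ups while
    #    peers come and go; confirm it actually took effect
    splunk_cli "$MASTER" "enable maintenance-mode --answer-yes"
    splunk_cli "$MASTER" "show maintenance-mode"
    # 6-7. upgrade (and thereby start) every peer and search head
    for h in $PEERS $SEARCH_HEADS; do upgrade_node "$h"; done
    # 8. leave maintenance mode, confirm, and check the cluster is healthy
    splunk_cli "$MASTER" "disable maintenance-mode"
    splunk_cli "$MASTER" "show maintenance-mode"
    splunk_cli "$MASTER" "show cluster-status"
}

upgrade_cluster
```

On the data-loss question in this post: while every peer is stopped, forwarders cannot deliver and will queue (and eventually block) until a peer accepts connections again, so the window between stopping the peers and starting the first upgraded one is the part of this plan to keep short; `show cluster-status` at the end is the check that replication and search factors are met again before anyone declares the upgrade done.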
↧
Why does the tstats with datamodel returns 0 results after upgrade to Splunk 6.6.5 from Splunk 6.5.3?
Hello!
Looking for some troubleshooting tips.
We have two separate search heads while we migrate our applications from Splunk search head version 6.5.3 to 6.6.5.
All of our various apps work flawlessly after the upgrade, except one of our implementations, specifically the App for Web Proxies, which utilizes tstats on the Web data model.
Below are the Environments and the queries run with output on the Search Head. I have also included something I am a little interested in regarding further investigation within the Job Inspector and expanding the Search Job Properties.
**Splunk 6.5.3**
| datamodel Web search
Data Model search returns expected number of events
| tstats prestats=false local=false summariesonly=false count from datamodel=Web
Returns expected number of events
{
    : {
        type: str
    }
    Web.action: {
        type: str
    }
    Web.is_Proxy: {
        type: num
    }
    nodename: {
        type: str
    }
}
fieldMetadataEvents in search job inspector
**Splunk 6.6.5**
| datamodel Web search
Data Model search returns expected number of events
| tstats prestats=false local=false summariesonly=false count from datamodel=Web
**Problem area above returns no events**
{
    : {
        type: str
    }
}
fieldMetadataEvents in search job inspector does not reflect pulling fields of the Data Model
If anyone has encountered something like this, or has a good idea on the best way to troubleshoot, I am all ears. Both search heads are pointed to similar indexers, as well as both versions of the apps installed on the Search Head are the same.
Thanks for your help!
↧
Enterprise Upgrade Path
Hi Splunk folks,
I would like to make sure the following upgrade path is okay. We have ES 4.5.1 running on Splunk Enterprise 6.5.1 and the below is what I'm thinking.
First, upgrade to ES 4.7.4.
Second, upgrade to Splunk 7.0.
Third, upgrade to ES 5.0.
Thanks in advance.
Joon
↧
Why can the users no longer see indexes when scheduling summary indexing after upgrading to Splunk 7.0.2?
Having a major issue here. Since upgrading to the latest version of Splunk, my users are no longer able to see the list of their indexes when scheduling a search to write to summary index.
Was there a new capability that was added that we need to add to the role?
Went from 6.5.2 -> 7.0.2
Clustered environment (4 SH, 6 IDX - indexes.conf only lives on indexers)
![alt text][1]
Above is an example. For me, the "Select the summary index" field shows all the indexes I can write to (i am admin role). But for my user, it is completely blank. Not even a single value.
[1]: /storage/temp/227781-test.png
↧
↧
"ERR_CONNECTION_REFUSED localhost:8000"
I just upgraded local Splunk on my mac, and now I get this error when opening localhost:8000:
"ERR_CONNECTION_REFUSED"
I manually started and restarted Splunk from the command line but the issue persists. Any thoughts?
Thanks in advance,
L.
↧
Upgrade Enterprise Splunk from 6.2 to 7.0
Hi,
We are planning to upgrade our Enterprise Splunk from 6.2.0 to 7.0. We are currently running a single indexer and search head on a Windows server, which are on 6.2, and we have forwarders running on Linux and Windows servers which are on 6.2.5.
If I have to plan the upgrade, what is the order that I need to follow? I.e. upgrade the indexer first and then the forwarders?
Also I would like to know if there is a run plan or steps on how to upgrade the indexer, and the dependencies and requirements that I need to be aware of while upgrading.
I am reading a lot of docs but I'm lost. Any help would be greatly appreciated.
Thank you.
Divya
↧
Can you upgrade Splunk Enterprise 500Mb 6.5.2 to 7.0.2 on Windows Server 2008 R2?
Can you upgrade Splunk Enterprise 500Mb 6.5.2 to 7.0.2 on Windows Server 2008 R2?
Thank You
Best regards
Umberto Baroni
↧