Getting Data In

Does pkgrm stop a splunk forwarder in a clean way on Solaris?

chris
Motivator

Hi

To update our splunk forwarders we use puppet. Puppet first removes the splunk package and then installs the new package.

Is splunk stopped in a clean way when a pkgrm command is issued on Solaris?

We haven't had any trouble so far, we're just not sure if this always works

Thanks,

Chris

0 Karma
1 Solution

pde
Path Finder

preremove executes this:

if [ -x $SPLUNK_HOME/bin/splunk ] ; then
    echo "Attempting to stop splunk."
    $SPLUNK_HOME/bin/splunk stop
fi

So you should be fine unless you've rolled your own SMF service, as I have. In that case, you'll need to tell puppet to disable the service before it removes the package, so the SMF doesn't attempt to restart splunk while it's being removed/reinstalled.

View solution in original post

pde
Path Finder

preremove executes this:

if [ -x $SPLUNK_HOME/bin/splunk ] ; then
    echo "Attempting to stop splunk."
    $SPLUNK_HOME/bin/splunk stop
fi

So you should be fine unless you've rolled your own SMF service, as I have. In that case, you'll need to tell puppet to disable the service before it removes the package, so the SMF doesn't attempt to restart splunk while it's being removed/reinstalled.

pde
Path Finder

I assume that your puppet manifest already knows when it's going to update splunk. If that's so, then just add

service { splunk: ensure =>'stopped', }

before you fetch your distribution file and do the pkgrm/pkgadd. One would think (though YMMV, I don't actually do this myself) that you could define a splunk package and have the splunk service subscribe to it, forcing a restart when the package is updated.

0 Karma

chris
Motivator

Thanks, we do have our own SMF service but it is not setup to restart splunk automatically. So we should be ok. Or do you have an elegant way to detect, that you have to update splunk, so we could do an svcadm disable just before puppet upgrades the package?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...