Splunk Search

Do splunk upgrades ever remove any files?

gabriel_vasseur
Contributor

The upgrade process on Linux is basically to unpack the tgz file over the existing Splunk home directory.

I understand that will add any new files where they need to be, update any file that needs updating, but what about the files that are no longer needed after the upgrade? Are they ever removed or do we just accumulate rubbish over the years?

wmyersas
Builder

If you update/upgrade in situ The Right Way™, no - [almost] nothing "old" is ever removed: all you're ever doing is unpacking new files overtop of old ones and/or adding new files.

However, the volume of "rubbish" you accumulate "over the years" is pretty darn tiny - maybe on the order of a couple megs every time you update.

If you want to avoid even those few megs of accumulating "junk files", you can always use something like Ansible to deploy new Splunk hosts at the current rev as new installs, add them into your environment (all those pass4symkey entries, etc), then decommission old hosts, then update to the next rev.

That would ensure you're never holding more than one version's "rubbish" on your hosts.

gabriel_vasseur
Contributor

Thanks. Maybe things are not too bad for Splunk core.

Have you ever used Enterprise Security? It has a health check feature that reveals a LOT of "unshipped" files, and a significant portion of these really do not look like anything the team could ever have created themselves. So I believe they are accumulated junk, except I don't feel confident removing them.

0 Karma

wmyersas
Builder

The same basic principles apply for all things Splunk that I've yet seen (apps, add-ons, Core, etc) - other than maybe UBA: files get overwritten, but rarely get removed.

0 Karma
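
An added example, not part of any post in this thread and not Splunk tooling: a Python script that lists files present under the install directory but absent from the release tgz that was unpacked over it. The top-level `splunk/` directory in the archive and the ignore list are assumptions, and all file names in `demo()` are constructed.

```python
import os
import tarfile
import tempfile

# Assumption: locations holding local config or runtime data, never in the tgz.
DEFAULT_IGNORE = ("var/", "etc/system/local/", "etc/users/", "etc/auth/")

def shipped_paths(tgz_path, top_dir="splunk"):
    """Relative paths of non-directory tar members, with top_dir/ stripped."""
    prefix = top_dir.rstrip("/") + "/"
    with tarfile.open(tgz_path, "r:gz") as tar:
        return {m.name[len(prefix):] for m in tar.getmembers()
                if not m.isdir() and m.name.startswith(prefix)}

def leftover_files(tgz_path, install_dir, ignore=DEFAULT_IGNORE):
    """Files under install_dir that the release tarball does not contain."""
    shipped = shipped_paths(tgz_path)
    leftovers = []
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, install_dir).replace(os.sep, "/")
            if rel not in shipped and not rel.startswith(ignore):
                leftovers.append(rel)
    return sorted(leftovers)

def _touch(base, rels):
    for rel in rels:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

def demo():
    """Constructed sample: unpack a 'new' tgz over an 'old' install, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "opt", "splunk")
        # Constructed old install plus local state.
        _touch(home, ["bin/splunkd", "lib/libold.so.1", "var/log/splunkd.log",
                      "etc/system/local/server.conf", "etc/apps/myapp/local/app.conf"])
        # Constructed new release ships only these two files.
        stage = os.path.join(tmp, "stage", "splunk")
        _touch(stage, ["bin/splunkd", "lib/libnew.so.2"])
        tgz = os.path.join(tmp, "new.tgz")
        with tarfile.open(tgz, "w:gz") as tar:
            tar.add(stage, arcname="splunk")
        with tarfile.open(tgz, "r:gz") as tar:  # the in-place upgrade
            tar.extractall(os.path.join(tmp, "opt"))
        return leftover_files(tgz, home)
```

The result is a list of candidates only: locally created files, such as an app's `local/` directory, show up alongside stale files from older releases, so each entry needs review before anything is deleted.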