Security

How do I update the Apps or Add-ons in Splunk that need updating?

SamHTexas
Builder

How do I update the Apps, Add-ons or TAs in Splunk that need updating? I'm told that it's not a good idea to connect Splunk to the Internet. So how do apps or add-ons get the latest list, for example a list of dark sites on the web?


PickleRick
SplunkTrust

I don't know who told you that "connecting Splunk to the Internet is a bad idea". Depending on your setup, your Splunk environment might have many different components, some of which must be somehow connected to the Internet (for example, because they need to pull events or update other data from the Internet).

Apart from that, in a production environment the decision about whether some host should be allowed to connect to some other host(s) should generally be done on a case-by-case basis following a more or less formal risk assessment.

So there is a general rule of thumb that unless needed (and unless it's "safe enough"), hosts shouldn't be connected to anything. Not just the Internet.

Having said that, the options you have available will differ depending on your architecture.

If you have an all-in-one installation, you can relatively safely open the outgoing traffic to Splunk update servers (you might want to disable telemetry if you're paranoid) and you can usually update the add-ons straight from Splunk's web UI.

But it won't work in case of apps deployed via Deployment Servers (in this case you have to upload a new version onto the DS, reload its config and let the forwarders pull the updated app), or in a clustered environment (both indexer clusters as well as search-head clusters). In those scenarios you have to manually download updated versions and put them in the appropriate directories on the managing components (cluster manager and search-head deployer respectively).

If you have other types of data (like threat intel), well, it will depend on what kind of data it is and how it's configured. There is no general "fit for all" answer. Often just opening outgoing traffic to needed hosts will suffice.


gcusello
SplunkTrust

Hi @SamHTexas,

About Apps on your Splunk Servers, you have to:

  • check the version of the installed Apps (if your Server is connected to the Internet it notices the needed update, otherwise you have to manually check them on Splunkbase);
  • list all the Apps to update;
  • download them from Splunkbase on your computer;
  • connect to the Splunk GUI as an Administrator;
  • update the apps one by one.

About the TAs installed on your Forwarders, you have to:

  • check the version of the installed Apps;
  • list all the Apps to update;
  • download them from Splunkbase on your computer;
  • if you have a Deployment Server:
    • connect to the Deployment Server via SSH,
    • copy the TAs to update on the DS,
    • untar the TAs on the DS,
    • copy the TAs into the $SPLUNK_HOME/etc/deployment-apps folder,
    • you can force the push using the command "./splunk reload deploy-server";
  • if you don't have the DS, you have to do the same steps on all your Forwarders:
    • connect to the Forwarder via SSH,
    • copy the TAs to update,
    • untar the TAs on the DS,
    • copy the TAs into the $SPLUNK_HOME/etc/apps folder,
    • restart Splunk on the Forwarder.

Ciao.

Giuseppe
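An added example, not part of Giuseppe's answer and not any Splunk-provided tooling, that scripts the Deployment Server branch of the steps above: the .tgz downloaded from Splunkbase on a workstation is copied to the DS, extracted into a staging directory, checked to be a single well-formed app (one top-level directory with default/app.conf), swapped into $SPLUNK_HOME/etc/deployment-apps with the previous version kept as a backup and its local/ customisations carried over, and finally the DS is reloaded. SPLUNK_HOME, the backup location under $SPLUNK_HOME/var/ta-backups and the TA-demo sample package are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): offline TA update on a Deployment Server.
# Assumes SPLUNK_HOME points at the DS install (default /opt/splunk) and that the
# .tgz was downloaded from Splunkbase on a workstation and copied to the DS.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Extract the tarball into a clean staging directory and verify it looks like a
# single Splunk app: exactly one top-level directory containing default/app.conf.
# Prints the app directory name on success, returns 1 otherwise.
stage_ta() {
    staging_tgz="$1"; staging_dir="$2"
    rm -rf "$staging_dir"; mkdir -p "$staging_dir"
    tar -xzf "$staging_tgz" -C "$staging_dir"
    n=$(find "$staging_dir" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "expected one top-level app dir, found $n" >&2; return 1; }
    app=$(basename "$(find "$staging_dir" -mindepth 1 -maxdepth 1 -type d)")
    [ -f "$staging_dir/$app/default/app.conf" ] || { echo "$app has no default/app.conf" >&2; return 1; }
    echo "$app"
}

# Replace (or add) the app under target_root, moving the previous version to a
# timestamped backup outside deployment-apps (so the DS never sees it as an app).
# local/ from the old version is copied over the new one so DS-side
# customisations survive, mirroring what the web UI upgrade does for local/.
install_ta() {
    staging_dir="$1"; app="$2"; target_root="$3"; backup_root="$4"
    target="$target_root/$app"
    mkdir -p "$target_root" "$backup_root"
    if [ -d "$target" ]; then
        backup="$backup_root/$app.$(date +%Y%m%d%H%M%S)"
        mv "$target" "$backup"
        if [ -d "$backup/local" ]; then
            mkdir -p "$staging_dir/$app/local"
            cp -R "$backup/local/." "$staging_dir/$app/local/"
        fi
        echo "previous $app saved to $backup"
    fi
    mv "$staging_dir/$app" "$target"
}

# Ask the DS to re-read deployment-apps so clients pick up the new version
# (the "./splunk reload deploy-server" step from the post).
reload_ds() {
    if [ -x "$SPLUNK_HOME/bin/splunk" ]; then
        "$SPLUNK_HOME/bin/splunk" reload deploy-server
    else
        echo "no splunk binary at $SPLUNK_HOME/bin/splunk; run 'splunk reload deploy-server' on the DS" >&2
    fi
}

# Version recorded in an installed app's default/app.conf ([launcher] version = ...).
installed_version() {
    sed -n 's/^version *= *//p' "$1/default/app.conf"
}

# Constructed sample package (not a real Splunkbase download) so the flow can be
# exercised offline: a one-app tarball whose default/app.conf carries a version.
make_demo_tgz() {
    out="$1"; app="$2"; version="$3"
    tmp=$(mktemp -d)
    mkdir -p "$tmp/$app/default"
    printf '[launcher]\nversion = %s\n' "$version" > "$tmp/$app/default/app.conf"
    tar -czf "$out" -C "$tmp" "$app"
    rm -rf "$tmp"
}

# Full run against the real DS paths: update_ta /path/to/TA-something.tgz
update_ta() {
    s=$(mktemp -d)
    a=$(stage_ta "$1" "$s")
    install_ta "$s" "$a" "$SPLUNK_HOME/etc/deployment-apps" "$SPLUNK_HOME/var/ta-backups"
    reload_ds
    rm -rf "$s"
}

if [ $# -ge 1 ]; then
    update_ta "$1"
fi
```

Run it on the DS as `sh update_ta.sh TA-something.tgz`; with no argument it only defines the functions. The backup lives outside deployment-apps on purpose: anything left inside that folder is served to every deployment client, so a stray copy of the old version would be pushed out alongside the new one.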


SplunkDash
Motivator

Hello @gcusello,

How would I upgrade the Splunk AWS Add-on from v6.1.0 to version v7.0? The currently used v6.1.0 has been configured to pull data from an S3 bucket; how can I upgrade this v6.1.0 to v7.1 without impacting my current configurations? Won't it overwrite everything (including current configurations) if I use the following option? Any recommendations will be highly appreciated. Thank you!

[screenshot: SplunkDash_0-1687615381675.png]


gcusello
SplunkTrust

Hi @SplunkDash ,

Upgrades maintain all the custom configurations (that are stored in the local folder), so you don't risk losing them.

Anyway, read the documentation to understand if there's something different.

To be more sure you could back up the old version of the app, but it shouldn't be a problem.

Ciao.

Giuseppe

SplunkDash
Motivator

Hello @gcusello,

Thank you so much for your quick response, truly appreciate it. I think some custom configurations have also been made in the default folder. But let me double check and reach out to you if needed. Thank you again.


gcusello
SplunkTrust

Hi @SplunkDash ,

Good for you, see you next time!

Let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

SplunkDash
Motivator

@gcusello 

Thank you so much again and certainly will do.

I just double checked and yes, all configurations have been done in the local folder. So, we should be fine with that as you mentioned. One more thing to confirm with you: if we pull the AWS Add-on v7.0 .tgz file and check "Upgrade App" (please see screenshot below), the system will do the rest as needed to upgrade the App, correct?

[screenshot: SplunkDash_0-1687619674290.png]
