Upgrade the Splunk Add-on for AWS

Upgrade to the latest version of the Splunk Add-on for Amazon Web Services (AWS). Upgrades to version 5.2.0 and later are possible only from version 5.0.3 or later. For upgrading the Splunk Add-on for AWS on Splunk Cloud deployments, contact your Splunk Cloud administrator.

Upgrade prerequisites

The following table displays the version where the prerequisite was introduced, and a description for each prerequisite.

Minimum Version

Prerequisite description

7.3.0

Starting in version 7.3.0 of the Splunk Add-on for AWS, the checkpoint mechanism was migrated to the Splunk KV store for the Inspector, InspectorV2, Config Rules, CloudWatch Logs and Kinesis inputs. Disable all the Inspector, InspectorV2, Config Rules and CloudWatch Logs inputs before you upgrade the add-on to version 7.3.0. This is not applicable to the Kinesis input.

7.1.0

Starting in version 7.1.0 of the Splunk Add-on for AWS, the checkpoint mechanism was migrated to the Splunk KV store for the Billing Cost and Usage Report, CloudWatch Metrics, and Incremental S3 inputs. Disable all the Billing Cost and Usage Report, CloudWatch Metrics, and Incremental S3 inputs before you upgrade the add-on to version 7.1.0. Otherwise, you might see errors in the log files, resulting in data loss or duplication for your already configured inputs.

7.0.0

If you are using SQS-based S3 inputs and your add-on version is 7.0.0 or higher, then make sure the sqs:ChangeMessageVisibility permission is added in your AWS policy. See the Configure SQS-based S3 inputs for the Splunk Add-on for AWS topic for more information.

Version 7.0.0 of the Splunk Add-on for AWS includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. You can configure the Splunk Add-on for AWS to ingest data from all AWS data sources into your Splunk platform deployment.

If you use both the Splunk Add-on for Amazon Security Lake as well as the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Security Lake before upgrading the Splunk Add-on for AWS to version 7.0.0 or later in order to avoid any data duplication and discrepancy issues.

6.3.0

Starting in version 6.3.0 of the Splunk Add-on for AWS, the VPC Flow log extraction format has been updated to include v3-v5 fields. Before upgrading to versions 6.3.0 and higher of the Splunk Add-on for AWS, Splunk platform deployments ingesting AWS VPC Flow Logs must update the log format in AWS VPC to include v3-v5 fields in order to ensure successful field extractions.
For more information on updating the log format in AWS VPC, see the Configure VPC Flow Logs inputs for the Splunk Add-on for AWS topic in this manual.

6.2.0

Starting in version 6.2.0 of the Splunk Add-on for AWS, the Description input is deprecated. The best practice is to use the Metadata input.
After upgrading to version 6.2.0 or higher of the Splunk Add-on for AWS, any Description input created in earlier versions will no longer collect and index data, and it will not be visible to users in the inputs table. Users will not be able to create a new Description input.

6.0.0

Version 6.0.0 of the Splunk Add-on for AWS includes a merge of all the capabilities of the Splunk Add-on for Amazon Kinesis Firehose. This means you can configure the Splunk Add-on for AWS to ingest data from all AWS data sources into Splunk.

If you use both the Splunk Add-on for Amazon Kinesis Firehose as well as the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Kinesis Firehose after upgrading the Splunk Add-on for AWS to version 6.0.0 or later in order to avoid any data duplication and discrepancy issues.

Data that you previously onboarded through the Splunk Add-on for Amazon Kinesis Firehose will still be searchable, and your existing searches will be compatible with version 6.0.0 of the Splunk Add-on for AWS.

If you are not currently using the Splunk Add-on for Amazon Kinesis Firehose, but plan to use it in the future, then the best practice is to download and configure version 6.0.0 or later of the Splunk Add-on for AWS, instead of the Splunk Add-on for Amazon Kinesis Firehose.

Upgrade steps

  1. Verify that you are running version 8.0.0 or later of the Splunk platform.
  2. (Optional) Plan your Splunk Enterprise upgrade to work with the Python 3 migration.
  3. Disable all running inputs.
  4. Disable or delete the running inputs for Description Input, if configured.
  5. Delete the pycache directory found in $SPLUNK_HOME/etc/apps/Splunk_TA_aws/pycache.
  6. (Optional) If you use both the Splunk Add-on for Amazon Kinesis Firehose and the Splunk Add-on for AWS on the same Splunk instance, then you must uninstall the Splunk Add-on for Amazon Kinesis Firehose, including removal of the existing Splunk_TA_aws-kinesis-firehose folder from all applicable $SPLUNK_HOME app directories, after upgrading the Splunk Add-on for AWS to version 6.0.0 or later. This is in order to avoid any data duplication and discrepancy issues. Data that you previously onboarded through the Splunk Add-on for Amazon Kinesis Firehose will still be searchable, and your existing searches will be compatible with version 6.0.0 or later of the Splunk Add-on for AWS.
  7. (Optional) Upgrade to version 5.0.3 of the Splunk Add-on for AWS, if you have not done so already.
  8. Download the latest version of the Splunk Add-on for AWS from Splunkbase.
  9. Install the latest version of the Splunk Add-on for AWS.
  10. If any Description input was created using an earlier version of the add-on, create a new Metadata input as a replacement for it.
  11. If your inputs were configured using a version of this add-on earlier than 5.1.0, reformat the queue URL for all SQS-based S3 inputs to use regional endpoints:
    1. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/, and open the inputs.conf file using a text editor.
    2. Navigate to the [aws_sqs_based_s3://<input_name>] stanza, and reformat the queue URL for all SQS-based S3 inputs using the following new URL format:
      Old URL format:
      https://<aws_region>.queue.amazonaws.com/<account_id>/<queue_name>
      New URL format:
      https://sqs.<aws_region>.amazonaws.com/<account_id>/<queue_name>
    3. Save your changes.
  12. Restart your Splunk platform deployment.
  13. Enable all inputs.
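
The queue URL rewrite in step 11 can be scripted so that every SQS-based S3 stanza is converted consistently and the change list can be reviewed before saving. The following Python is an added example, not part of the Splunk documentation or the add-on; the sample inputs.conf content, including the key names, stanza names, account ID and queue names, is constructed for illustration.

```python
import re

# Old endpoint form from step 11:
#   https://<aws_region>.queue.amazonaws.com/<account_id>/<queue_name>
OLD_URL = re.compile(
    r"https://(?P<region>[a-z0-9-]+)\.queue\.amazonaws\.com/"
    r"(?P<account>\d+)/(?P<queue>[A-Za-z0-9_.-]+)"
)
STANZA = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")


def rewrite_sqs_queue_urls(conf_text):
    """Rewrite old-style queue URLs inside [aws_sqs_based_s3://...] stanzas only.

    Returns (new_text, changes); changes lists (stanza, old_url, new_url).
    """
    out, changes, stanza = [], [], None
    for line in conf_text.splitlines(keepends=True):
        header = STANZA.match(line)
        if header:
            stanza = header.group("name")
        in_scope = stanza is not None and stanza.startswith("aws_sqs_based_s3://")
        if in_scope and not header and not line.lstrip().startswith("#"):
            def to_regional(m):
                new = "https://sqs.{region}.amazonaws.com/{account}/{queue}".format(**m.groupdict())
                changes.append((stanza, m.group(0), new))
                return new
            line = OLD_URL.sub(to_regional, line)
        out.append(line)
    return "".join(out), changes


# Constructed sample inputs.conf; keys, names and IDs are illustrative only.
SAMPLE = """\
[aws_sqs_based_s3://cloudtrail_prod]
sqs_queue_url = https://us-west-2.queue.amazonaws.com/123456789012/cloudtrail-queue
interval = 300

[aws_sqs_based_s3://already_regional]
sqs_queue_url = https://sqs.eu-west-1.amazonaws.com/123456789012/elb-queue

[aws_cloudwatch://metrics]
note = https://us-east-1.queue.amazonaws.com/123456789012/not-an-sqs-s3-input
"""

if __name__ == "__main__":
    new_text, changes = rewrite_sqs_queue_urls(SAMPLE)
    for stanza, old, new in changes:
        print(f"[{stanza}]\n  - {old}\n  + {new}")
```

Run it against a copy of inputs.conf and review the reported changes before replacing the file; URLs already in the regional form are left untouched, so a second pass reports no changes.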