Skip to content

Upgrade the Splunk Add-on for Windows in a distributed deployment

For optimized use of your Splunk license, upgrade the Splunk Add-on for Windows by installing it on your Splunk platform components in the following order:

  • Search heads
  • Search head clusters
  • Nonclustered indexers, Windows heavy forwarders, and intermediate forwarders
  • Clustered indexers
  • Deployment servers

Upgrade the Splunk Add-on for Windows on a search head

Follow these steps to install your upgraded version of the Splunk Add-on for Windows on each search head:

  • Download the upgraded version of the Splunk Add-on for Windows from Splunkbase
  • Expand your downloaded file
  • On each search head, copy the expanded folder into the $SPLUNK_HOME/etc/apps directory
  • Restart each search head

Upgrade the Splunk Add-on for Windows on a search head cluster

To upgrade an add-on on a search head cluster, remove the previous version and push the upgraded version to the cluster:

  • Remove the existing Splunk_TA_Windows folder from the $SPLUNK_HOME/etc/shcluster/apps directory.
  • Push this change to the cluster using the splunk apply shcluster-bundle command.
  • Download the upgraded version of the Splunk Add-on for Windows from Splunkbase
  • Expand your downloaded file.
  • Copy the expanded folder into the $SPLUNK_HOME/etc/shcluster/apps directory.
  • Push the upgraded version to the cluster using the splunk apply shcluster-bundle command

Upgrade the Splunk Add-on for Windows on nonclustered indexers and intermediate forwarders

Complete the following steps to upgrade these components:

  • Download the upgraded version of the Splunk Add-on for Windows from Splunkbase.
  • Expand your downloaded file to a temporary location

  • Remove the following files: 

    <app>/bin
<app>/default/eventgen.conf
<app>/default/inputs.conf
<app>/default/wmi.conf
<app>/default/indexes.conf

  • Copy the expanded Splunk_TA_Windows folder to the $SPLUNK_HOME/etc/appsdirectory

Upgrade the Splunk Add-on for Windows on an indexer cluster

Follow these steps to upgrade the Splunk add-on for Windows on each of your indexer clusters:

  • Download the upgraded version of the Splunk Add-on for Windows from Splunkbase
  • Expand your downloaded file
  • Review the use of index in all inputs associated with the Splunk Add-on for Windows and identify all indexes
  • Ensure each index has been defined in indexes.conf in the appropriate location under $SPLUNK_HOME/etc/master_apps
  • Copy the expanded Splunk_TA_Windows folder to the $SPLUNK_HOME/etc/master_apps directory on the cluster master.
  • Apply the cluster bundle

Upgrade the Splunk Add-on for Windows using a deployment server

You can use a deployment server to upgrade the Splunk Add-on for Windows in your distributed deployment:

  • Download the upgraded version of the Splunk Add-on for Windows from Splunkbase
  • Expand your downloaded file
  • Copy the expanded Splunk_TA_Windows folder to the $SPLUNK_HOME/etc/deployment-apps directory
  • Restart the deployment server