Upgrade the Splunk Add-on for Microsoft Windows in a distributed deployment

For optimized use of your Splunk license, upgrade the Splunk Add-on for Windows by installing it on your Splunk platform components in the following order:

  • Search heads
  • Search head clusters
  • Nonclustered indexers, Windows heavy forwarders, and intermediate forwarders
  • Clustered indexers
  • Deployment servers

Upgrade the Splunk Add-on for Microsoft Windows on a search head

Follow these steps to install your upgraded version of the Splunk Add-on for Windows on each search head:

  1. Download the upgraded version of the Splunk Add-on for Microsoft Windows from Splunkbase.
  2. Expand your downloaded file.
  3. On each search head, copy the expanded folder into the $SPLUNK_HOME/etc/apps directory.
  4. Restart each search head.

Upgrade the Splunk Add-on for Microsoft Windows on a search head cluster

To upgrade an add-on on a search head cluster, remove the previous version and push the upgraded version to the cluster:

  1. Remove the existing Splunk_TA_Windows folder from the $SPLUNK_HOME/etc/shcluster/apps directory.
  2. Push this change to the cluster using the splunk apply shcluster-bundle command.
  3. Download the upgraded version of the Splunk Add-on for Microsoft Windows from Splunkbase.
  4. Expand your downloaded file.
  5. Copy the expanded folder into the $SPLUNK_HOME/etc/shcluster/apps directory.
  6. Push the upgraded version to the cluster using the splunk apply shcluster-bundle command.

Upgrade the Splunk Add-on for Microsoft Windows on nonclustered indexers and intermediate forwarders

Complete the following steps to upgrade these components:

  1. Download the upgraded version of the Splunk Add-on for Microsoft Windows from Splunkbase.
  2. Expand your downloaded file to a temporary location.
  3. Remove the following files:
      • <app>/bin
      • <app>/default/eventgen.conf
      • <app>/default/inputs.conf
      • <app>/default/wmi.conf
      • <app>/default/indexes.conf
  4. Copy the expanded Splunk_TA_Windows folder to the $SPLUNK_HOME/etc/apps directory.

Upgrade the Splunk Add-on for Microsoft Windows on an indexer cluster

Follow these steps to upgrade the Splunk Add-on for Microsoft Windows on each of your indexer clusters:

  1. Download the upgraded version of the Splunk Add-on for Microsoft Windows from Splunkbase.
  2. Expand your downloaded file.
  3. Review the use of index in all inputs associated with the Splunk Add-on for Microsoft Windows and identify all indexes.
  4. Ensure each index has been defined in indexes.conf in the appropriate location under $SPLUNK_HOME/etc/master_apps.
  5. Copy the expanded Splunk_TA_Windows folder to the $SPLUNK_HOME/etc/master_apps directory on the cluster master.
  6. Apply the cluster bundle.
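
Steps 3 and 4 above can be checked mechanically before the bundle is applied. The script below is an added example, not part of the Splunk documentation or the add-on itself; the function names, the script name and the sample index names in demo() are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Splunk code: report indexes that the add-on's inputs.conf
# files reference but that no indexes.conf under master_apps defines.

# Distinct "index = <name>" values from every inputs.conf in the add-on folder.
referenced_indexes() {
    find "$1" -type f -name inputs.conf -exec sed -n \
        's/^[[:space:]]*index[[:space:]]*=[[:space:]]*\([^[:space:]]\{1,\}\)[[:space:]]*$/\1/p' \
        {} + | LC_ALL=C sort -u
}

# Stanza names from every indexes.conf under master_apps, skipping the
# [default] and [volume:...] stanzas, which do not define an index.
defined_indexes() {
    find "$1" -type f -name indexes.conf -exec sed -n \
        's/^\[\([^]]*\)\][[:space:]]*$/\1/p' {} + |
        grep -v -e '^default$' -e '^volume:' | LC_ALL=C sort -u
}

# Indexes referenced by the add-on's inputs but defined nowhere in master_apps.
missing_indexes() {
    ref=$(mktemp); def=$(mktemp)
    referenced_indexes "$1" > "$ref"
    defined_indexes "$2" > "$def"
    LC_ALL=C comm -23 "$ref" "$def"   # lines only in the referenced list
    rm -f "$ref" "$def"
}

# Constructed sample layout (index names are made up) exercising the check.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Splunk_TA_Windows/local" "$tmp/master_apps/_cluster/local"
    printf '%s\n' '[WinEventLog://Security]' 'index = wineventlog' \
        '[perfmon://CPU]' 'index = perfmon' \
        > "$tmp/Splunk_TA_Windows/local/inputs.conf"
    printf '%s\n' '[default]' '[wineventlog]' \
        'homePath = $SPLUNK_DB/wineventlog/db' \
        > "$tmp/master_apps/_cluster/local/indexes.conf"
    missing_indexes "$tmp/Splunk_TA_Windows" "$tmp/master_apps"
    rm -rf "$tmp"
}

# Usage: sh check_indexes.sh <expanded Splunk_TA_Windows dir> <master_apps dir>
if [ "$#" -eq 2 ]; then missing_indexes "$1" "$2"; else demo; fi
```

Empty output means every referenced index has a stanza under master_apps. Inputs that set no index are not listed, because they write to the default index.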

Upgrade the Splunk Add-on for Microsoft Windows using a deployment server

You can use a deployment server to upgrade the Splunk Add-on for Microsoft Windows in your distributed deployment:

  1. Download the upgraded version of the Splunk Add-on for Microsoft Windows from Splunkbase.
  2. Expand your downloaded file.
  3. Copy the expanded Splunk_TA_Windows folder to the $SPLUNK_HOME/etc/deployment-apps directory.
  4. Restart the deployment server.