Upgrade

Upgrade questions Answers
Have you checked latest system requirements?
Are you upgrading from 4.1 to 4.2 on a dedicated search head?
  • Follow the steps below
Are you upgrading from 3.x to 4.x?
Are you upgrading from 4.0 deployed on a SHC?
Are you upgrading from 4.0 to 4.1 or 4.2?
Are you using search head clustering (SHC)?

Warning

The following upgrade scenarios should be performed in conjunction with support from Prelert:

  • Upgrade from Anomaly Detective v3.x to v4.x
  • Upgrade from Anomaly Detective v4.0 to v4.2 if you have v4.0 deployed on a search head cluster

The upgrade procedure detailed below requires the Prelert app to be disabled and a Splunk restart. This allows the anomaly detection native processes and configuration files to be updated, so please schedule appropriately.

Upgrade via Splunkweb

  1. Make sure you are logged in as a user with the admin role
  2. On the App menu, select Manage apps…
  3. Find the Prelert Anomaly Detective app in the list of installed apps and disable it.
  4. Restart Splunk so that this change takes effect
  5. Return to Manage apps… and click Install app from file button
  6. Choose the file prelert.tar.gz
  7. Check the Upgrade app checkbox
  8. Click Upload

The upload will commence. Usually it does not take long, but on a slow or busy machine it may take long enough for Splunkweb to time out. If Splunkweb times out, wait a minute and then refresh the browser, because the installation sometimes succeeds despite the timeout message. If the timeout means the app has not been installed at all, upgrade via the CLI instead (below).

  9. Restart Splunk

Splunk requires a restart after uploading the app.

  10. Re-enable the Prelert app now, before restarting Splunk, by going to App / Manage Apps…
  11. Restart Splunk

Splunk requires a restart after re-enabling the app.

  12. Refresh cached browser content; as a user with the admin role browse to:

    http://<splunkhost>:<port>/en_US/_bump

This will ensure that content cached by web browsers will be refreshed.

Upgrade via the CLI

  1. Log onto the Splunk server and first disable the app and restart Splunk:

    > $SPLUNK_HOME/bin/splunk disable app prelert
    > $SPLUNK_HOME/bin/splunk restart
    
  2. After the Splunk restart, check that no Prelert native processes are still running; if any are, wait for them to finish or terminate them manually:

    > ps -ef | grep "prelert_"
    
  3. Then invoke the upgrade:

    > $SPLUNK_HOME/bin/splunk install app /path/to/prelert.tar.gz -update true
    
  4. Then re-enable the Prelert app:

    > $SPLUNK_HOME/bin/splunk enable app prelert
    
  5. Restart Splunk:

    > $SPLUNK_HOME/bin/splunk restart
    

Splunk requires a restart after re-enabling the app.

  6. Refresh cached browser content; as a user with the admin role browse to:

    http://<splunkhost>:<port>/en_US/_bump
    

This will ensure that content cached by web browsers will be refreshed.

Upgrade via an SHC deployer

  1. On your deployer machine, edit $SPLUNK_HOME/etc/shcluster/apps/prelert/default/app.conf (the copy left there by your previous Anomaly Detective installation) and change the line state = enabled to state = disabled

  2. Push the disabled app to your search head cluster:

    > $SPLUNK_HOME/bin/splunk apply shcluster-bundle -target "https://<searchhead-in-cluster>:8089" -auth admin:changeme
    
  3. Answer y when informed that you will trigger rolling restarts of the cluster

  4. Wait a couple of minutes for the restart to take effect and fully disable Anomaly Detective across the cluster

  5. Expand the new version of the Anomaly Detective app on your deployer machine:

    > cd $SPLUNK_HOME/etc/shcluster/apps
    > tar zxvf /path/to/prelert.tar.gz
    
  6. Push the updated app to your search head cluster:

    > $SPLUNK_HOME/bin/splunk apply shcluster-bundle -target "https://<searchhead-in-cluster>:8089" -auth admin:changeme
    
  7. Answer y when informed that you will trigger rolling restarts of the cluster

If you get an error message indicating that deployment to one of the search heads failed, try repeating steps 6 and 7. If there was a temporary glitch then a simple retry often succeeds.
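The deployer-side steps above as a shell script, with the retry the paragraph recommends built in. This is an added example, not part of the Prelert documentation or the app: it assumes SPLUNK_HOME is set, reads the target search head and credentials from the SHC_TARGET, SPLUNK_USER and SPLUNK_PASS environment variables instead of hard-coding admin:changeme, and assumes the --answer-yes flag of splunk apply shcluster-bundle in place of answering the interactive y prompt. The app.conf edit refuses to succeed silently if the file has no state line at all, so a wrong path cannot pass as a completed step 1.

```shell
#!/bin/sh
# Added example (not from the Prelert documentation): deployer side of the
# SHC upgrade - flip state in the old app.conf, push, unpack the new package,
# push again - with a bounded retry on a failed push.
# Assumes SPLUNK_HOME, SHC_TARGET, SPLUNK_USER and SPLUNK_PASS are set.

# Rewrite the 'state = ...' line in an app.conf to the requested value.
# Returns 1 if the file has no state line, so a no-op edit is reported.
set_app_state() {
    conf=$1
    new=$2
    grep -q '^state *= *' "$conf" || { echo "no state line in $conf" >&2; return 1; }
    sed -i.bak "s/^state *= *.*/state = $new/" "$conf" && rm -f "$conf.bak"
}

# Current value of the state line (empty if none), for verification.
get_app_state() {
    sed -n 's/^state *= *//p' "$1"
}

# Push the bundle, retrying up to $2 times (steps 6-7 and the retry advice).
# --answer-yes is assumed to replace the interactive 'y' confirmation.
push_bundle() {
    target=$1
    tries=${2:-3}
    n=1
    while [ "$n" -le "$tries" ]; do
        if "$SPLUNK_HOME/bin/splunk" apply shcluster-bundle --answer-yes \
              -target "$target" -auth "$SPLUNK_USER:$SPLUNK_PASS"; then
            return 0
        fi
        echo "bundle push attempt $n of $tries failed; retrying" >&2
        n=$((n + 1))
        sleep 30
    done
    return 1
}

upgrade_shc() {
    pkg=$1
    apps="$SPLUNK_HOME/etc/shcluster/apps"
    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 1; }
    # Step 1: disable the old app in the bundle; step 2: push it.
    set_app_state "$apps/prelert/default/app.conf" disabled || return 1
    [ "$(get_app_state "$apps/prelert/default/app.conf")" = "disabled" ] || return 1
    push_bundle "$SHC_TARGET" 3 || return 1
    # Step 4: give the rolling restart time to disable the app everywhere.
    sleep 120
    # Step 5: unpack the new version over the old one; steps 6-7: push again.
    (cd "$apps" && tar zxvf "$pkg") || return 1
    push_bundle "$SHC_TARGET" 3
}

# Runs only when invoked as: sh upgrade_shc.sh /path/to/prelert.tar.gz
if [ "${1:-}" != "" ]; then
    upgrade_shc "$1"
fi
```

Even read from the environment, the credentials still appear in the process listing for the duration of each apply call, so run this from a deployer account that is not shared and prefer a dedicated service user over admin for the push.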

Upgrade via an SHC deployer using Prelert Upgrade Mode

These steps only work for upgrades from Anomaly Detective 4.1.x to a later version. The advantage of Upgrade Mode is that it reduces by one the number of cluster restarts required.

  1. Make sure you are logged into Splunkweb on one of the search heads in the cluster as a user with the admin role

  2. On the About menu in the Prelert Anomaly Detective app, select Support

  3. Click the Enable Upgrade Mode button in the Upgrade Mode section

  4. Wait a couple of minutes for the Prelert native processes to pick up the setting and stop running

  5. Expand the new version of the Anomaly Detective app on your deployer machine:

    > cd $SPLUNK_HOME/etc/shcluster/apps
    > tar zxvf /path/to/prelert.tar.gz
    
  6. Push the updated app to your search head cluster:

    > $SPLUNK_HOME/bin/splunk apply shcluster-bundle -target "https://<searchhead-in-cluster>:8089" -auth admin:changeme
    
  7. Answer y when informed that you will trigger rolling restarts of the cluster

If you get an error message indicating that deployment to one of the search heads failed, try repeating steps 6 and 7. If there was a temporary glitch then a simple retry often succeeds.

  8. Log back into Splunkweb on one of the search heads in the cluster as a user with the admin role
  9. On the About menu in the Prelert Anomaly Detective app, select Support
  10. Click the Disable Upgrade Mode button in the Upgrade Mode section

It is very important to disable upgrade mode once the upgrade is complete. Anomaly Detective will not generate any results while it is in upgrade mode.

Note: When using an SHC deployer to upgrade, Splunk first deploys the app to each search head and then performs the rolling restart of the cluster. Anomaly Detective requires a restart after installation, so between the deployment and the restarts the app is in an inconsistent state. Ignore any Prelert-related errors seen in Splunk log files during this period; investigate further only if the errors continue after the search head has restarted following the upgrade.

See also