Just a small post with the instructions on upgrading Splunk on Ubuntu Linux.
First download the Splunk update. The Splunk website also gives you the wget command, which you can use directly on the Linux command line.
The following commands (the lines starting with the user@server prompt) were all issued from the command line of the Ubuntu server:
user@server:~/Downloads$ wget -O splunk-4.2.4-110225-linux-2.6-amd64.deb 'http://www.splunk.com/index.php/download_track?file=4.2.4/splunk/linux/splunk-4.2.4-110225-linux-2.6-amd64.deb&ac=&wget=true&name=wget&typed=releases'
--2011-11-10 11:34:49-- http://www.splunk.com/index.php/download_track?file=4.2.4/splunk/linux/splunk-4.2.4-110225-linux-2.6-amd64.deb&ac=&wget=true&name=wget&typed=releases
Resolving www.splunk.com... 64.127.105.40
Connecting to www.splunk.com|64.127.105.40|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://download.splunk.com/releases/4.2.4/splunk/linux/splunk-4.2.4-110225-linux-2.6-amd64.deb [following]
--2011-11-10 11:34:50-- http://download.splunk.com/releases/4.2.4/splunk/linux/splunk-4.2.4-110225-linux-2.6-amd64.deb
Resolving download.splunk.com... 64.127.105.42
Connecting to download.splunk.com|64.127.105.42|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26421710 (25M) [application/octet-stream]
Saving to: `splunk-4.2.4-110225-linux-2.6-amd64.deb'
100%[================>] 26,421,710 614K/s in 45s
2011-11-10 11:35:36 (573 KB/s) - `splunk-4.2.4-110225-linux-2.6-amd64.deb' saved [26421710/26421710]
user@server:~/Downloads$ cd /opt/splunk/bin
user@server:/opt/splunk/bin$ sudo ./splunk stop
[sudo] password for user:
Stopping splunkweb...
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
.
Stopping splunk helpers...
Done.
user@server:/opt/splunk/bin$ sudo dpkg -i /home/user/Downloads/splunk-4.2.4-110225-linux-2.6-amd64.deb
(Reading database ... 164942 files and directories currently installed.)
Preparing to replace splunk 4.2.3-105575 (using .../splunk-4.2.4-110225-linux-2.6-amd64.deb) ...
This looks like an upgrade of an existing Splunk Server. Attempting to stop the installed Splunk Server...
splunkweb is not running.
splunkd is not running.
Unpacking replacement splunk ...
Setting up splunk (4.2.4-110225) ...
----------------------------------------------------------------------
Splunk has been updated in:
/opt/splunk
Splunk has not been restarted yet.
To run the migration and start Splunk, run the command:
/opt/splunk/bin/splunk start
To use the Splunk Web interface, point your browser at:
http://server:8000
Complete documentation is at http://www.splunk.com/r/docs
----------------------------------------------------------------------
user@server:/opt/splunk/bin$ sudo ./splunk start --accept-license
This appears to be an upgrade of Splunk.
--------------------------------------------------------------------------------)
Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk's installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.
You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:
If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose 'y'.
If you want to see what changes will be made before you proceed with the
upgrade, choose 'n'.
Perform migration and upgrade without previewing configuration changes? [y/n] y
-- Migration information is being logged to '/opt/splunk/var/log/splunk/migration.log.2011-11-10.11-40-36' --
Migrating to:
VERSION=4.2.4
BUILD=110225
PRODUCT=splunk
PLATFORM=Linux-x86_64
Copying '/opt/splunk/etc/myinstall/splunkd.xml' to '/opt/splunk/etc/myinstall/splunkd.xml-migrate.bak'.
Checking saved search compatibility...
Handling deprecated files...
Checking script configuration...
Copying '/opt/splunk/etc/myinstall/splunkd.xml.cfg-default' to '/opt/splunk/etc/myinstall/splunkd.xml'.
Deleting '/opt/splunk/etc/system/local/field_actions.conf'.
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules' to '/opt/splunk/share/splunk/search_mrsparkle/modules.old.20111110-114038'.
Moving '/opt/splunk/share/splunk/search_mrsparkle/modules.new' to '/opt/splunk/share/splunk/search_mrsparkle/modules'.
The following apps might contain lookup table files that are not exported to other apps:
Splunk_CiscoFirewalls
Such lookup table files could only be used within their source app. To export them globally and allow other apps to access them, add the following stanza to each /opt/splunk/etc/apps/<app_name>/metadata/local.meta file:
[lookups]
export = system
For more information, see http://www.splunk.com/base/Documentation/latest/Developer/Step5SetPermissions#make_objects_globally_available.
Checking for possible UI view conflicts...
Checking index metadata...
Splunk> All batbelt. No tights.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Checking index directory...
Validated databases: _audit _blocksignature _internal _thefishbucket history main summary
Done
Success
Checking conf files for typos...
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done.
Starting splunkweb... Done.
If you get stuck, we're here to help.
Look for answers here: http://www.splunk.com/base/Documentation
The Splunk web interface is at http://server:8000
user@server:/opt/splunk/bin$ sudo ./splunk enable boot-start
update-rc.d: warning: /etc/init.d/splunk missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
System start/stop links for /etc/init.d/splunk already exist.
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
user@server:/opt/splunk/bin$
And you're running the latest version of Splunk on your Ubuntu server.
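
The wget step above fetches the package over plain HTTP (port 80) and dpkg -i then installs it as root, so it is worth checking the file against a known-good hash before installing. The following is an added example, not part of the original post: verify_deb, install_verified and selftest are hypothetical helper names, and the expected SHA-256 is assumed to come from a channel you trust (the post does not give one).

```shell
#!/bin/sh
# Added example: refuse to run "dpkg -i" unless the .deb matches a known SHA-256.

# verify_deb FILE EXPECTED_SHA256
# returns 0 on match, 1 on mismatch, 2 on bad input (missing file, malformed hash)
verify_deb() {
    file=$1
    # Accept upper- or lower-case hex, as published hashes vary.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_deb: no such file: $file" >&2; return 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "verify_deb: hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify_deb: hash is not 64 hex chars" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_deb: MISMATCH for $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# install_verified FILE EXPECTED_SHA256
# Only reaches dpkg when the hash check passes; otherwise returns its error code.
install_verified() {
    verify_deb "$1" "$2" || return $?
    sudo dpkg -i "$1"
}

# selftest: runs the check on a constructed file (not a real Splunk package),
# then appends one byte to simulate modification in transit.
selftest() {
    tmp=$(mktemp -d) || return 2
    printf 'constructed package bytes\n' > "$tmp/pkg.deb"
    good=$(sha256sum "$tmp/pkg.deb" | cut -d' ' -f1)
    verify_deb "$tmp/pkg.deb" "$good" || { rm -rf "$tmp"; return 1; }
    printf 'x' >> "$tmp/pkg.deb"
    if verify_deb "$tmp/pkg.deb" "$good" 2>/dev/null; then
        rm -rf "$tmp"; return 1      # a modified file must never pass
    fi
    rm -rf "$tmp"
    return 0
}
```

In the session above, the call would replace the bare dpkg step, for example install_verified /home/user/Downloads/splunk-4.2.4-110225-linux-2.6-amd64.deb followed by the trusted hash value.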