Installation
Initial Installation
Standalone Search Head
- Install the provided `.spl` using the Web GUI or the CLI.
- Configure Elasticsearch instances and queries using the provided dashboards.
Search Head Cluster
- Unpack the provided `.spl` to `$SPLUNK_HOME/etc/shcluster/apps` on the deployer.
- Deploy the app bundle to the search head cluster.
- Configure Elasticsearch instances and queries using one of the search head cluster members.
Upgrade Paths
Upgrade from 1.1.X
ElasticSPL 1.2.0 introduces an update framework. For previous versions, the currently installed version has to be set as the latest version before installing the upgrade. This can be done either by an API call or manually using configuration files.
- Configure the latest version, either through the REST API or by writing the configuration file directly:

```shell
# REST API: -k skips TLS verification (Splunk ships a self-signed certificate);
# replace admin:changeme with real admin credentials
curl -k https://localhost:8089/servicesNS/nobody/SA-DP-elasticspl/configs/conf-migration -d "name=version_tracking" -d "elasticspl_last_version=1.1.6" -u admin:changeme
# or: write the stanza directly (note that this overwrites an existing local/migration.conf)
echo -e "[version_tracking]\nelasticspl_last_version = 1.1.6" > $SPLUNK_HOME/etc/apps/SA-DP-elasticspl/local/migration.conf
```
- Install the upgrade using the Web GUI or the CLI
- Run the upgrade tasks to migrate the existing permissions to the new model. If you are not redirected to the upgrade tasks automatically, you can reach them by opening the `setup` dashboard at `app/SA-DP-elasticspl/setup`.
- Remove any references to the deprecated roles `elastic_query_list` and `elastic_query_run` from your existing roles and users.
- Replace any references to the deprecated role `elastic_query_edit` with the new role `elastic_power`.
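The manual variant of the first step above redirects into `local/migration.conf`, which would discard any other stanza already in that file. The helper below is an added example, not part of the app, that records the same `elasticspl_last_version` key but updates an existing `[version_tracking]` stanza in place; it assumes `SPLUNK_HOME` and the installed 1.1.x version are passed as arguments.

```shell
#!/bin/sh
# Added example: record the installed ElasticSPL version in
# $SPLUNK_HOME/etc/apps/SA-DP-elasticspl/local/migration.conf without
# clobbering other stanzas that may already be in that file.
# Usage: set_elasticspl_last_version "$SPLUNK_HOME" 1.1.6
set_elasticspl_last_version() {
    splunk_home=$1
    version=$2
    conf="$splunk_home/etc/apps/SA-DP-elasticspl/local/migration.conf"

    # Only 1.1.x releases need this pre-upgrade step; refuse anything else.
    case "$version" in
        1.1.[0-9]|1.1.[0-9][0-9]) ;;
        *) echo "refusing to record unexpected version '$version'" >&2; return 1 ;;
    esac

    mkdir -p "$(dirname "$conf")" || return 1

    if [ -f "$conf" ] && grep -q '^\[version_tracking\]' "$conf"; then
        # Stanza exists: rewrite (or add) only its elasticspl_last_version key.
        awk -v ver="$version" '
            /^\[/ {
                if (in_vt && !done) { print "elasticspl_last_version = " ver; done = 1 }
                in_vt = ($0 == "[version_tracking]")
            }
            in_vt && /^[[:space:]]*elasticspl_last_version[[:space:]]*=/ {
                print "elasticspl_last_version = " ver; done = 1; next
            }
            { print }
            END { if (in_vt && !done) print "elasticspl_last_version = " ver }
        ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        # No stanza yet: append one, preserving whatever else the file holds.
        printf '\n[version_tracking]\nelasticspl_last_version = %s\n' "$version" >> "$conf"
    fi
}

# Read the recorded version back, e.g. to confirm it before installing the upgrade.
get_elasticspl_last_version() {
    conf="$1/etc/apps/SA-DP-elasticspl/local/migration.conf"
    [ -f "$conf" ] || return 1
    awk '/^\[/ { in_vt = ($0 == "[version_tracking]") }
         in_vt && /^[[:space:]]*elasticspl_last_version[[:space:]]*=/ {
             sub(/^[^=]*=[[:space:]]*/, ""); print; exit }' "$conf"
}
```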
Upgrade from 1.0.X
Please follow the steps described in the Upgrade from 1.0.X section.