Upgrade on Linux (Distributed)
Follow the steps below to upgrade the UXM monitoring solution On-Premise, the software can be downloaded from here: Download server software.
Please note that older uxmapp installations calls app and indexes for mcg_uxm, newer installations uses uxmapp_ as prefix for app and indexes
Upgrade Splunk
Ensure Splunk are upgraded to newest version on both Search Heads, Indexers and the Heavy Forwarder where UXM is installed, Splunk 9, 9.1 and newer are supported by UXM.
Upgrade Indexer
No upgrades needed.
Upgrade Search Head
-
Cleanup old folder and apps if upgrading from 2022 version
delete old deprecated visualization apps $SPLUNK_HOME\etc\apps\mcg_uxm_waterfall and $SPLUNK_HOME\etc\apps\mcg_uxm_worldmap. (is replaced with uxmapp_waterfall and uxmapp_worldmap)
rm -rf $SPLUNK_HOME/etc/apps/mcg_uxm_waterfall/ rm -rf $SPLUNK_HOME/etc/apps/mcg_uxm_worldmap/
-
Update with new apps
Goto Apps -> Manage Apps and upload the mcg_uxm_distributed_sh_onpremise_YYYY.MM.DD.tar.gz or uxmapp_sh_YYYY.MM.DD.tar.gz app file depending on app installed on you system.
Remember to click "Upgrade app checkbox" and click Upload, restart Splunk later when asked.
You can continue if error "Error connecting to /services/apps/local: The read operation timed out" occurs, normally app is uploaded and old app overridden successfully.
Upload new uxmapp_waterfall and uxmapp_worldmap visualization apps if newer versions are available and restart Splunk later.
-
Update permissions for uxm roles
For mcg_uxm_admin or uxmapp_admin role add uxmapp_view_* capabilities if needed, allows role to see menu for configuring uxm and inspecting/opening in search on tables/charts.
For mcg_uxm_user or uxmapp_user ensure the following capabilities are enabled:
change_own_password
edit_own_objects
export_results_is_visible
list_all_objects
pattern_detect
rest_properties_get
run_collect
run_mcollect
schedule_search
search
uxmapp_view_* capabilities if needed -
Clear Splunk JS/CSS caches
Open /en-US/_bump and click "Bump version" to clear JS/CSS caches.
-
Enable and delete old input scripts
Open Settings -> Data Inputs -> Scripts
Delete create_new_web_agents.py (if exists)
Delete task_tmp_fill_user_and_boottime.py (if exists, moved to update_kvstore.py)Enable input scripts
-
enable delete_old_files_and_packages.py (Deletes old unused app files and python dependencies, script will disable when done)
-
when upgrading to 2023.12.13: distributed_searchhead_23q4_migration.py (Migrates uxmap KVStore collections with new required entries, script will disable when done)
-
when upgrading to 2024.09.04: distributed_searchhead_24q1_migration.py (Assigns desktop profiles to SLA's and removes application processes with setup/tmp names, script will disable when done)
-
enable check_license.py
- enable update_applications.py
-
enable update_endpoint_groups.py
-
-
Update setup settings
Goto Apps -> Manage Apps and select "Set up" for mcg_uxm or uxmapp app to set up hostnames and encrypt passwords.
Enter HTTP Event collector hostname and token if empty.
Change retention period for endpoints if needed.
Goto license tab and apply the license supplied by your sales contact, license is required to save and use UXM.
Leave rest of values as default and press save.The page will redirect to the UXM Enterprise dashboard when done.
-
Update monitor settings
Open uxmapp and select Administration -> UXM Desktop agent -> Monitors
when upgrading to 2023.12.13: Edit Endpoint monitor and enable new event fields for newer agents (keep old monitor events for older agents) and press save.
-
Overridden dashboards and settings
UXM distributes it's dashboards and settings through uxmapp\default, all changes performed to dashboards and configs inside Splunk is stored under uxmapp\local.
Please ensure that there are no local dashboards overrides our default provided dashboard under $SPLUNK_HOME/etc/apps/mcg_uxm/local/data/ui/views or $SPLUNK_HOME/etc/apps/uxmapp/local/data/ui/views.
Please compare with the dashboards under $SPLUNK_HOME/etc/apps/uxmapp/default/data/ui/views to see if the changes are required and should be kept, restart the splunk server if any changes is made to the files.
Delete the local dashboards that shouldn't be there
-
Restart the Splunk Search Head.
Upgrade Heavy Forwarder
The UXM Splunk App can be downloaded from here: Download server software
Please note that customers using app mcg_uxm will need to download and upgrade with the mcg_uxm app package.
-
Upload new Heavy Forwarder app
Upload the mcg_uxm_distributed_hf_onpremise_YYYY.MM.DD.tar.gz under Apps -> Manage Apps, postpone restarting Splunk.
-
Clear Splunk JS/CSS caches
Open /en-US/_bump and click "Bump version" to clear JS/CSS caches.
-
Run setup in app to set hostnames and encrypt passwords
Open Manage Apps -> UXM -> Set up and enter the missing fields for KVStore hostname, HEC hostname and RabbitMQ hostname.
Ensure RabbitMQ user is new uxmapp or old mcg_uxm if RabbitMQ isn't upgraded.
Press Save in bottom, passwords will be encrypted using Splunk's key and UXM will redirect you to the Enterprise Dashboard.
-
Start Splunk processing scripts
Open Splunk and goto Settings -> Data Inputs -> Scripts and ensure that following scripts is enabled.
- enable delete_old_files_and_packages.py (Deletes old unused app files and python dependencies, script will disable when done)
- disable/enable task_mq_consumer_pcagent.py (Will be named consumer1 to consumer4)
- disable/enable task_mq_consumer_web.py (Will be named consumer1 to consumer4)
-
Restart the uWSGI service
Run an command prompt and restart wsgi to load the new code.
sudo systemctl restart wsgi-uxm.service
-
Test that endpoints works
Open https://localhost/data/browser in a browser and validate that the HF works and returns "no get/post data received"
-
Check for errors
Open the UXM app on the Heavy Forwarder, the default dashboard will show status on installation and report any errors detected.
PCAgent and Web consumer will show following info if everything works: