Installation

Initial Installation

Standalone Search Head

1. Install the provided .spl using the Web GUI or the CLI.
2. Configure Elasticsearch instances and queries using the provided dashboards

Search Head Cluster

1. Unpack the provided .spl to $SPLUNK_HOME/etc/shcluster/apps on the deployer
2. Deploy the app bundle to the search head cluster
3. Configure Elasticsearch instances and queries using one of the search head cluster members

Upgrade Paths

Upgrade from 1.1.X

ElasticSPL 1.2.0 introduces an update framework. For previous versions, the currently installed version has to be set as the latest version before installing the upgrade. This can be done either by an API call or manually using configuration files.

1. Configure the latest version

curl -k https://localhost:8089/servicesNS/nobody/SA-DP-elasticspl/configs/conf-migration -d "name=version_tracking" -d "elasticspl_last_version=1.1.6" -u admin:changeme

# or

echo -e "[version_tracking]\nelasticspl_last_version = 1.1.6" > $SPLUNK_HOME/etc/apps/SA-DP-elasticspl/local/migration.conf

2. Install the upgrade using the Web GUI or the CLI
3. Run the upgrade tasks to migrate the existing permissions to the new model. If you are not redirected to the upgrade tasks automatically, you can access them via opening the setup dashboard by navigating to app/SA-DP-elasticspl/setup.
4. Remove any references to the deprecated roles elastic_query_list elastic_query_run and from your existing roles and users
5. Replace any references to the deprecated role elastic_query_edit with the new role elastic_power

Upgrade from 1.0.X

Please follow the steps described in the Upgrade from 1.0.X section.