Cisco CDR Reporting and Analytics

 

Updating to the latest release

Recap: You are a customer with up-to-date Sideview Support, on either a full version or a trial version.  You are here to a) update your production build to the latest maintenance release, b) upgrade from the trial version to the full version, or c) update your trial version with a newer trial version.  You’ve also reviewed the Release Notes and Admin Manual, made backups, etc.

In all cases it’s recommended to update the apps with the license update, and since that process is simple and fast we recommend following all steps below.  Of course, if you JUST updated the app and now just need a license update, feel free to skip right to section two to do that.


1) Updating the apps

Version 5.0 and newer are all now hosted directly on Splunkbase.  This means you can use any of the several update methods that Splunk has built in.  We’ll outline a recommended way below, but know that there are other ways to do this.  The key point is that it’s just a “regular Splunk app update” now, and the only difference from most apps is that you need to have your license key handy.

Also note – you can move directly from 4.x to 5.x using any of these methods too – just be sure to have your license key at the ready!

  1. If you are upgrading from our app version 4.x, then find your new license key.  Most of you already on 5.x should be fine.
    • This should be in an email from us and is clearly marked.
  2. Log into the Splunk UI as an admin user.
  3. Click the splunk>enterprise logo in the upper left.  (Note in Splunk 6.x, it is just “splunk>”.  Look for it in the upper left.)
  4. Click the gear icon next to Apps
  5. In the resulting list, filter for sideview; you should end up with 3 or more apps.
    • You can also simply look down the list and find them that way, too.
  6. If there are updates waiting, it’ll be pretty obvious.

  7. If you don’t have any updates waiting, you are done!  Congratulations!
  8. If Canary has an update waiting:
    1. Click the Update to XXX link beside Canary
    2. Check the box saying you have read and understand the license agreement.
    3. Click Accept and continue
    4. Log into Splunkbase (it’s your Splunk.com username and password), click Login and continue
    5. Wait while it installs.
    6. If it asks you to restart Splunk, you can safely click Restart later because we’ll have to do it after the next steps anyway.
      For Splunk 8, if you do not have Canary installed please follow the installation section for it in our docs!  (Also optional but recommended for Splunk 7)
  9. If Sideview Utils has an update waiting:
    1. Click the Update to XXX link beside Sideview Utils
    2. Check the box saying you have read and understand the license agreement.
    3. Click Accept and continue
    4. Log into Splunkbase (it’s your Splunk.com username and password), click Login and continue
    5. Wait while it installs.
    6. If it asks you to restart Splunk, you can safely click Restart later because we’ll have to do it after the next steps anyway.
  10. If the Cisco CDR Reporting and Analytics app has an update waiting, perform that too:
    1. Click the Update to XXX link beside Cisco CDR Reporting and Analytics
    2. Check the box saying you have read and understand the license agreement.
    3. Click Accept and continue
    4. Log into Splunkbase (it’s your Splunk.com username and password), click Login and continue
    5. Wait while it installs.
    6. Click Restart Now when finished.
  11. Open the app, and click the Home button.  If it tells you that you have to update your license, follow the steps below.

2) Updating the license (if needed)

Trial Version to Full Version, Extending your Trial, or Renewing Full Version

The directions to update your license have been greatly simplified since version 5.0.  If you are still on a version before 5.0, please update your app to the latest (the directions above) then come back here.

  1. Find your new license key
    • This should be in an email from us and is clearly marked.
  2. Log into the Splunk UI as an admin user.
  3. Open the Cisco CDR Reporting and Analytics app.
  4. Click Setup, then Update license.
  5. Paste in your new license key, then click the Replace License button.
  6. After updating, you’ll see license information including company and expiration date.

3) Updating forwarders, if any

There are a couple of sections here, depending on what version of forwarder you have installed.

First, a word for more experienced Splunk Admins

The TA_cisco_cdr, as found on Splunkbase, is just a Splunk app like any other.  If you already know how to deploy an app in your environment and onto the system that needs this app, then use that method.  (Puppet, Splunk Deployment Server, manual process but at least we *have* a process, etc…)

Do keep in mind that you don’t want to overwrite your inputs.conf!  If you followed our installation instructions, they have you edit a TA_cisco_cdr/local/inputs.conf file.  If you did this, your input file is fine and will not be overwritten.  If you edited the TA_cisco_cdr/default/inputs.conf file instead, you should first migrate those settings to the local version of the file.

As a final note for those of you who know what you are doing, if your company/Splunk admins already have a convention for deploying inputs (like creating/using an app just for the inputs for this like “TA_cisco_cdr_inputs”), then please work with them to use that convention – we heartily approve of these sorts of standards!

Heavy Forwarders

This was only ever the recommended way to handle the inputs if you already had an HF deployed for some other reason and were going to reuse it for the Cisco CDR inputs as well.

If you do have an HF doing your inputs, then one possibility would be to install/update the TA by using the “Manage Apps” method we outline above for updating the app as a whole.  Just log into the web interface on the HF, go to Manage Apps and click the update buttons.

If this process fails, if the web interface for Splunk is disabled, or if you just want to stay consistent you could also treat it exactly like it’s a Universal Forwarder (below).

Universal Forwarders (and everyone else)

The TA has been repackaged and you can now download it directly from Splunkbase.  Either use the link provided, or open Splunkbase and search for it by searching for “sideview ta”. In either case, locate it on Splunkbase and click the “Download” button.

  • Save the file onto your local system.
  • Use Gunzip and tar, or an application like Winzip, to uncompress the .tgz file.
    • With 7-zip on Windows …
      • Right-click on the file, select “7-zip -> Open Archive”
      • Drill down until you see a folder called “TA_cisco_cdr”
      • Drag/Extract that folder to a temporary location on your system.
    • With gunzip or tar, we’re not giving any hints unless you ask specifically.  We figure you wouldn’t be using those utilities unless you knew how to use them. 🙂

Deploy this TA app out to all Universal Forwarder (or Heavy Forwarder) instances which are involved in indexing the CDR data.  WARNING – Be sure to not overwrite your specific inputs.conf file! Your specific inputs and configurations *should* be stored in a directory “TA_cisco_cdr/local/” and if they are, we won’t overwrite those.  But better to check than to have to restore configurations later!  NOTE: At the simplest level, deploying the app means copying the TA_cisco_cdr directory into $SPLUNK_HOME/etc/apps/ on these hosts and restarting the Splunk instance there.
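
One way to script the copy step above on a forwarder while protecting TA_cisco_cdr/local/, as an added example (not Sideview's own tooling). The package filename, backup directory and return codes are assumptions made for this illustration; the script stages the archive, refuses unsafe member paths, and stops if your inputs appear to live only in default/.

```shell
#!/bin/sh
# Added example (not Sideview's script). The package filename, backup
# directory and return codes are assumptions made for this illustration.

# upgrade_ta PACKAGE_TGZ APPS_DIR BACKUP_DIR
# Returns 0 on success, 1 on a bad package, 2 if inputs need migrating first.
upgrade_ta() {
    pkg=$1; apps=$2; backups=$3
    ta="$apps/TA_cisco_cdr"

    # Reject archives with absolute paths or ".." components before unpacking.
    if tar -tzf "$pkg" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "refusing $pkg: unsafe member path" >&2; return 1
    fi

    # Unpack into a staging directory, never directly over the live app.
    stage=$(mktemp -d) || return 1
    if ! tar -xzf "$pkg" -C "$stage" || [ ! -d "$stage/TA_cisco_cdr/default" ]; then
        echo "refusing $pkg: not a TA_cisco_cdr package" >&2
        rm -rf "$stage"; return 1
    fi
    new="$stage/TA_cisco_cdr"

    if [ -d "$ta" ]; then
        # No local/inputs.conf plus a default/inputs.conf that differs from the
        # packaged one suggests inputs were edited in default/. Stop so they can
        # be migrated to local/ (a vendor change to the file also lands here).
        if [ ! -f "$ta/local/inputs.conf" ] && [ -f "$ta/default/inputs.conf" ] &&
           ! cmp -s "$ta/default/inputs.conf" "$new/default/inputs.conf"; then
            echo "migrate $ta/default/inputs.conf to local/ first" >&2
            rm -rf "$stage"; return 2
        fi
        # Keep a restorable copy of the whole installed TA, local/ included.
        mkdir -p "$backups" &&
        tar -czf "$backups/TA_cisco_cdr.$(date +%Y%m%d%H%M%S).tgz" \
            -C "$apps" TA_cisco_cdr || { rm -rf "$stage"; return 1; }
    fi

    # Never let the package supply local/: that directory belongs to the site.
    rm -rf "$new/local"
    mkdir -p "$ta" && cp -R "$new/." "$ta/"
    rc=$?
    rm -rf "$stage"
    return $rc
}

# Run as: sh upgrade_ta.sh <package.tgz> "$SPLUNK_HOME/etc/apps" <backup dir>
if [ "$#" -eq 3 ]; then upgrade_ta "$@"; fi
```

Restart the Splunk instance on the host afterwards, as the note above says.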

If you want to broaden your Splunk horizons, you can also use Splunk’s Deployment Server.

Troubleshooting

Not that we expect problems, but Splunk is a complex system and all sorts of interesting things can go wrong.

The majority of the time there’s anything wrong it’s just that your browser is caching things it shouldn’t and using old copies of updated files.  Please try clearing your browser cache (instructions vary based on your browser – Google is your friend) and check again.  Also, try to reproduce the problem in Incognito mode or a new Private Window, depending on your browser.  If that doesn’t resolve your problems, please contact us for help or email support@sideviewapps.com!

The other issue we find is that after updating both apps, you may get a screen telling you “Page not found”.

This is a bug in Splunk that we’re currently helping them to chase down.  It’s not serious and is only some misdirection on the part of the update page.  Just click the “here” in the middle and everything will be fine!





If you have any comments at all about the documentation, please send them in to docs@sideviewapps.com.