Roll back an artifact version

Roll back to a previous version of an artifact when the latest version causes issues for agent management. The gent management versioned app retrieval add-on retains the two most recent artifact versions for rollback purposes.

The agent management versioned app retrieval Add-on stores the two most recent artifact versions per configuration in the $SPLUNK_HOME/etc/apps/agent_management_versioned_app_retrieval/output/<stanza_name> directory. When a new version downloads, the add-on automatically removes the oldest version, retaining only two archives.

Use this procedure when a newly downloaded artifact version introduces issues on agents and a fixed version is not immediately available from the external repository. Rolling back restores the previous working version while you wait for a fix.

  1. Disable the agent management versioned app retrieval add-on to prevent it from downloading new versions during the rollback.

    Edit $SPLUNK_HOME/etc/apps/agent_management_versioned_app_retrieval/local/app.conf and add or modify the following:

    CODE 
    [install]
state = disabled
  2. Locate the two archived versions in $SPLUNK_HOME/etc/apps/agent_management_versioned_app_retrieval/output/<stanza_name>.
    Archive files are named with the hash value (checksum) of the artifact, for example, a3f5b8c9d2e1f4.tar.gz and b4g6c9d3f2e2g5.tar.gz. The file with the newer timestamp is the most recent version.
  3. Compare the contents of both archives to identify apps that exist in the newer version but not in the older version.

    Extract both archives to temporary directories:

    CODE 
    mkdir /tmp/archive_old /tmp/archive_new
tar -xzf $SPLUNK_HOME/etc/apps/agent_management_versioned_app_retrieval/output/<stanza_name>/<old_hash>.tar.gz -C /tmp/archive_old
tar -xzf $SPLUNK_HOME/etc/apps/agent_management_versioned_app_retrieval/output/<stanza_name>/<new_hash>.tar.gz -C /tmp/archive_new

    Compare the app folders:

    CODE 
    diff -r /tmp/archive_old /tmp/archive_new

    If the newer version contains apps that don't exist in the older version, remove those apps from the extract_path to prevent orphaned apps.

  4. Copy all apps from the older archive to the extract_path, overwriting any existing versions.
    CODE 
    cp -r /tmp/archive_old/<archive_folder>/* $SPLUNK_HOME/etc/deployment-apps/

    Replace <archive_folder> with the actual folder name from the archive structure.

  5. Remove the problematic newest archive version from $SPLUNK_HOME/etc/apps/agent_management_versioned_app_retrieval/output/<stanza_name>.
    This prevents the add-on from re-extracting the problematic version after restart.
  6. Restart Splunk to apply the changes.

    On *nix systems:

    CODE 
    $SPLUNK_HOME/bin/splunk restart

    On Windows systems:

    CODE 
    %SPLUNK_HOME%\bin\splunk.exe restart
  7. After a fixed version is available in the external repository, re-enable the add-on by editing $SPLUNK_HOME/etc/apps/agent_management_versioned_app_retrieval/local/app.conf and setting state = enabled.

    Restart Splunk to apply the change. The add-on will resume checking for and downloading new artifact versions.

The artifact has been rolled back to the previous version. The older version is now deployed and available to agent management for distribution to agents.

For monitoring the add-on after re-enabling, see Log files for agent management versioned app retrieval add-on .