Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

Splunk Enterprise Security (ES) versions 6.0.0, 6.0.1, and 6.3.0 are no longer available for download from Splunkbase as of April 15, 2021. Please upgrade to the latest version of Splunk Enterprise Security to avoid any potential issues with Assets and Identity management.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Upgrade Splunk Enterprise Security in a search head cluster environment

Splunk Enterprise Security supports installation on Linux-based search head clusters (SHC) only. At this time, Windows search head clusters are not supported by Splunk Enterprise Security.

Upgrading Enterprise Security in a search head cluster environment

The installer dynamically detects if you're upgrading in a single search head environment or search head cluster environment. The installer is also bigger than the default upload limit for Splunk Web.

To upgrade Enterprise Security on a search head cluster deployer:

  1. Prepare the deployer. See Prerequisites for installing Enterprise Security in a search head cluster environment.
  2. Verify that you have the same version of Enterprise Security on the deployer and SHC nodes.
  3. Increase the Splunk Web upload limit to 1GB by creating a file called $SPLUNK_HOME/etc/system/local/web.conf with the following stanza.
    [settings]
    max_upload_size = 1024
  4. To restart Splunk from the Splunk toolbar, select Settings > Server controls and click Restart Splunk.
  5. Install Enterprise Security on the deployer (this method is via the UI).
    1. On the Splunk toolbar, select Apps > Manage Apps and click Install App from File.
    2. Click Choose File and select the Splunk Enterprise Security product file.
    3. Check the checkbox for Upgrade App.
    4. Click Upload.
  6. Click Restart Now.
  7. Click the Enterprise Security app.
  8. Click Continue to app setup page.

    Note the message that Enterprise Security is being installed on the deployer of a search head cluster environment and that technology add-ons will not be installed as part of the post-install configuration.

  9. Click Start Configuration Process.

Deploy the changes to the cluster members

As of 7.3.0, Splunk Enterprise has four deployer modes for pushing application configuration changes to search head cluster members.

The previous behavior for pushing the app bundle from the deployer to the members was to merge the $SPLUNK_HOME/shcluster/apps/<appname>/default and $SPLUNK_HOME/shcluster/apps/<appname>/local folders of the deployer to overwrite the $SPLUNK_HOME/etc/apps/<appname>/default folder of each SHC member.

Although that merge behavior is still available as one of the configuration options, the default behavior is to duplicate $SPLUNK_HOME/shcluster/apps/<appname>/default along with $SPLUNK_HOME/shcluster/apps/<appname>/local on the SHC members. See the "Mode_merge_to_default" section of the Choose a deployer push mode in the Splunk Enterprise Distributed Search Manual.

In addition, lookups were previously preserved for all apps or for no apps. As of Splunk Enterprise 7.3.0, you're able to select the specific apps where you want to preserve lookups. See Preserve lookup files across app upgrades in the Splunk Enterprise Distributed Search Manual.

Splunk Enterprise 7.3.0 is not a requirement for upgrading, but you need Splunk Enterprise 7.3.0 if you want to take advantage of the deployer modes and the per-app lookup preservation.

To deploy the app to cluster members for Splunk Enterprise Security 6.0:

  1. Set the deployer push mode to full. See Mode: full in the Splunk Enterprise Distributed Search Manual.
  2. Use the deployer to deploy Enterprise Security to the cluster members. From the deployer, run this command:
    splunk apply shcluster-bundle
  3. (Optional) On the deployer, deploy Enterprise Security with -preserve-lookups true to retain lookup file content generated on the search head cluster members.

Validate the configuration on the search cluster

After you distribute the copy of Enterprise Security on the deployer to the search head cluster members, use the ES Configuration Health dashboard to compare the cluster-replicated knowledge objects to the latest installation of Enterprise Security.

  1. Log in to Splunk Web on a search head cluster member.
  2. Open Enterprise Security.
  3. From the Enterprise Security menu bar, select Audit > ES Configuration Health.
  4. Review potential conflicts and changes to the default settings.

See ES Configuration Health in Use Splunk Enterprise Security.

Last modified on 07 February, 2020
Upgrade Splunk Enterprise Security  

This documentation applies to the following versions of Splunk® Enterprise Security: 6.0.1, 6.0.2, 6.1.0, 6.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters