About Upgrading to 6.1 - READ THIS FIRST
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
- Make sure that the introspection directory has the correct permissions
- The multi-tenant feature for deployment server has been removed
- Custom email alerts means major changes for alert_actions.conf
- Splunk Enterprise parses JSON files by using INDEXED_EXTRACTIONS by default
- Splunk Enterprise does not parse structured data that has been forwarded to an indexer
- New and updated attributes in limits.conf could increase disk and memory usage
- The default maximum database sizes for summary indexing has changed
- New internal index can increase disk space usage
- The Windows universal forwarder can now be run in "low-privilege" mode
- The Windows Event Log input has additional filtering capabilities
- Upgraded deployment servers and installed apps that use 6.0 stanzas might generate duplicate events
- No support for enabling Federal Information Processing Standards (FIPS) after an upgrade
About Upgrading to 6.1 - READ THIS FIRST
This topic contains important information and tips about upgrading to version 6.1 from an earlier version. Read it before attempting to upgrade your Splunk environment.
Important: Not all Splunk apps and add-ons are compatible with Splunk Enterprise 6.1. If you are considering an upgrade to this release, visit Splunk Apps to confirm that your apps are compatible with Splunk Enterprise 6.1.
Upgrade clustered environments
If you plan to upgrade a Splunk cluster, read "Upgrade your clustered deployment" in the Managing Indexers and Clusters Manual. The instructions in that topic supersede the upgrade material in this manual.
Important: All nodes of a clustered Splunk environment must run the same version of Splunk Enterprise. If you plan to upgrade your clustered environment, you must upgrade all nodes (including search heads, master nodes, and peer nodes) in the cluster at the same time.
Splunk Enterprise supports the following upgrade paths to Version 6.1 of the software:
- From version 5.0 or later to 6.1 on full Splunk Enterprise.
- From version 4.2 or later to 6.1 on Splunk universal forwarders.
If you run a version of Splunk Enterprise prior to 4.3, upgrade to 5.0 first, then upgrade to 6.1. Read "About upgrading to 5.0 - READ THIS FIRST" for tips on migrating your instance to version 5.0.
If you run version 4.3 of Splunk Enterprise, upgrade to 6.0 first before attempting an upgrade to 6.1. Read "About upgrading to 6.0 - READ THIS FIRST" for specifics.
You want to know this stuff
Upgrading to 6.1 from 5.0 and later is trivial, but here are a few things you should be aware of when installing the new version:
Make sure that the introspection directory has the correct permissions
If you run Splunk Enterprise on Linux as a non-root user, and use an RPM to upgrade, the RPM writes the
$SPLUNK_HOME/var/log/introspection directory as root. This can cause errors when you attempt to start the instance later. To prevent this,
$SPLUNK_HOME/var/log/introspection directory to the user that Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
The multi-tenant feature for deployment server has been removed
We have removed support for multi-tenant deployment server. When you upgrade, the deployment server clients in your environment will no longer update apps based on entries in tenants.conf.
Custom email alerts means major changes for alert_actions.conf
A reworked email alert interface allows you to create custom email alerts and provides you many new attributes that you can set. If you use email alerts, review alert-actions.conf on your systems after the upgrade to ensure that alerts continue to work the way you expect. Some of the changes include:
- The default email results format has changed from HTML to a table.
- Attempting to set the
formatattribute in alert-actions.conf to
plainno longer has any effect. Instead, Splunk Enterprise uses
tableas a value.
- By default, all results in an email are inline:
inline = 1in alert_actions.conf.
- Splunk Enterprise does not support customization to the
sendemail.pyscript. This python script is not public and can change in future releases without notice. Changes to this script in Splunk Enterprise 6.1 break any customization you may have made in a prior release.
Splunk Enterprise parses JSON files by using INDEXED_EXTRACTIONS by default
When you use Splunk Enterprise to import a JSON file, it attempts to parse the file using the default parsing values as though you set
INDEXED_EXTRACTIONS=json in props.conf.
Splunk Enterprise does not parse structured data that has been forwarded to an indexer
When you forward structured data to an indexer, Splunk Enterprise does not parse this data once it arrives at the indexer, even if you have configured
props.conf on that indexer with
INDEXED_EXTRACTIONS. Forwarded data skips the following queues on the indexer, which precludes any parsing of that data on the indexer:
The forwarded data must arrive at the indexer already parsed. To achieve this, you must also set up
props.conf on the forwarder that sends the data. This includes configuration of
INDEXED_EXTRACTIONS and any other parsing, filtering, anonymizing, and routing rules. Universal forwarders are capable of performing these tasks solely for structured data. See "Forward data extracted from header files".
New and updated attributes in limits.conf could increase disk and memory usage
We introduced and updated the behavior of some attributes in limits.conf:
chunk_sizeattribute controls how many events Splunk Enterprise retrieves at once from a TSIDX file when it answers a query. The default value of 1000000 could result in increased overall memory usage and/or reduced performance. Changing the setting has impact on both memory usage and performance and is not recommended.
file_tracking_db_threshold_mbattribute controls the size limit of the file tracking database - known as the fishbucket. When the database reaches the size specified by this attribute, Splunk Enterprise stops writing to that database and starts writing to a new database. When you upgrade, if this attribute does not exist in your environment, Splunk Enterprise determines the value for
indexes.confand assigns this attribute that value in
$SPLUNK_HOME/etc/system/local/limits.conf. This might increase the amount of disk space that the fishbucket uses at any given time.
The default maximum database sizes for summary indexing has changed
We increased the default amount of disk space that a summary index database can take from 100 to 1000 megabytes. When you upgrade, the change occurs in
indexes.conf. This can result in additional disk space usage throughout the course of Splunk Enterprise operation.
New internal index can increase disk space usage
Splunk Enterprise 6.1 includes a new internal index,
_introspection. This can result in increased disk usage on the system that performs indexing. Ensure that you have disk space and memory available on your indexing systems before upgrading.
The Windows universal forwarder can now be run in "low-privilege" mode
The Splunk universal forwarder on the Windows platform can be configured to run as a user that does not have administrative rights on the server. To learn more about low-privilege mode and its benefits and potential caveats, read "Deploy a Windows universal forwarder via the installer GUI" or "Deploy a Windows universal forwarder via the command line" in the Forwarding manual.
The Windows Event Log input has additional filtering capabilities
The Windows event log input gets two new improvements:
- The input, which until now had its own input processor, is now modular. This helps increase its efficiency and removes the limit of 64 concurrent Event Log channels. Since the Windows Event Log input already uses inputs.conf, there should be no impact to your configuration by this change. However, we suggest that you review any .conf files post-upgrade as a precautionary measure.
- Additionally, the input receives several new attributes which allow you to filter events based on Windows Event IDs or regular expression text. It also allows you to suppress event log text from an event.
There are also certain situations where, if you use a deployment server to control configurations, some versions of universal forwarder might collect duplicate events. See "Upgrade deployment servers and installed apps that use 6.x stanzas might generate duplicate events" for additional information.
Upgraded deployment servers and installed apps that use 6.0 stanzas might generate duplicate events
In order to maintain interoperability, Splunk does not remove an old-style Windows Event Log stanza during an upgrade to version 6. Instead, it notifies you that you need to remove them yourself manually.
This is particularly important for deployment servers or universal forwarders that host apps that use 6.0 style configuration file stanzas. When you upgrade, if you do not remove the old-style stanzas, Splunk might generate duplicate events.
No support for enabling Federal Information Processing Standards (FIPS) after an upgrade
There is no supported upgrade path from a Splunk Enterprise system with enabled Secure Sockets Layer (SSL) certificates to a system with FIPS enabled. If you need to enable FIPS, you must do so on a new installation.