Installation Manual

About Upgrading to 6.1 - READ THIS FIRST

This topic contains important information and tips about upgrading to version 6.1 from an earlier version. Read it before attempting to upgrade your Splunk environment.

Important: Not all Splunk apps and add-ons are compatible with Splunk Enterprise 6.1. If you are considering an upgrade to this release, visit Splunk Apps to confirm that your apps are compatible with Splunk Enterprise 6.1.

Upgrade clustered environments

If you plan to upgrade a Splunk cluster, read "Upgrade your clustered deployment" in the Managing Indexers and Clusters Manual. The instructions in that topic supersede the upgrade material in this manual.

Important: All nodes of a clustered Splunk environment must run the same version of Splunk Enterprise. If you plan to upgrade your clustered environment, you must upgrade all nodes (including search heads, master nodes, and peer nodes) in the cluster at the same time.

Upgrade paths

Splunk Enterprise supports the following upgrade paths to Version 6.1 of the software:

  • From version 5.0 or later to 6.1 on full Splunk Enterprise.
  • From version 4.2 or later to 6.1 on Splunk universal forwarders.

If you run a version of Splunk Enterprise prior to 4.3, upgrade to 5.0 first, then upgrade to 6.1. Read "About upgrading to 5.0 - READ THIS FIRST" for tips on migrating your instance to version 5.0.

If you run version 4.3 of Splunk Enterprise, upgrade to 6.0 first before attempting an upgrade to 6.1. Read "About upgrading to 6.0 - READ THIS FIRST" for specifics.

You want to know this stuff

Upgrading to 6.1 from 5.0 or later is straightforward, but be aware of the following changes when you install the new version:

Make sure that the introspection directory has the correct permissions

If you run Splunk Enterprise on Linux as a non-root user, and use an RPM to upgrade, the RPM writes the $SPLUNK_HOME/var/log/introspection directory as root. This can cause errors when you attempt to start the instance later. To prevent this, chown the $SPLUNK_HOME/var/log/introspection directory to the user that Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
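The following POSIX shell script is an added example, not part of the Splunk documentation. It checks that the introspection directory (and everything under it) is owned by the account Splunk Enterprise runs as, and repairs the ownership when run as root, which is the case the RPM upgrade leaves behind. The defaults SPLUNK_HOME=/opt/splunk and SPLUNK_USER=splunk are assumptions; set them for your environment.

```shell
#!/bin/sh
# Added example, not Splunk's own code. After an RPM upgrade of a non-root
# install, verify that $SPLUNK_HOME/var/log/introspection is owned by the
# Splunk service account and chown it if not. SPLUNK_HOME and SPLUNK_USER
# defaults below are assumptions.

# Owning user of a path; tries GNU stat first, then BSD/macOS stat.
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Return 0 if DIR and everything under it is owned by USER. Otherwise print the
# paths with a different owner and return 1. A missing DIR returns 2.
introspection_owned_by() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "error: $dir does not exist" >&2; return 2; }
    bad=$(find "$dir" -print | while IFS= read -r p; do
        [ "$(owner_of "$p")" = "$user" ] || printf '%s\n' "$p"
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Repair ownership. Only root can give files to another user, so refuse with a
# clear message when not root instead of failing halfway through a chown -R.
fix_introspection_owner() {
    dir=$1; user=$2
    rc=0
    introspection_owned_by "$dir" "$user" >/dev/null || rc=$?
    case $rc in
        0) echo "ok: $dir is owned by $user"; return 0 ;;
        2) return 2 ;;
    esac
    if [ "$(id -u)" -ne 0 ]; then
        echo "error: $dir has entries not owned by $user; rerun as root to chown them" >&2
        return 2
    fi
    chown -R "$user" "$dir"
    introspection_owned_by "$dir" "$user" >/dev/null && echo "fixed: $dir is now owned by $user"
}

SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}   # assumption: default install path
SPLUNK_USER=${SPLUNK_USER:-splunk}        # assumption: account Splunk runs as

# Usage, after the RPM upgrade and before `splunk start`:
#   sudo SPLUNK_HOME=/opt/splunk SPLUNK_USER=splunk sh fix_introspection.sh
if [ -d "$SPLUNK_HOME/var/log/introspection" ]; then
    fix_introspection_owner "$SPLUNK_HOME/var/log/introspection" "$SPLUNK_USER"
fi
```

The check walks the whole tree rather than looking at the top-level directory alone, because a root-owned file inside an otherwise correct directory is enough to break log writes.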

The multi-tenant feature for deployment server has been removed

We have removed support for multi-tenant deployment server. When you upgrade, the deployment server clients in your environment will no longer update apps based on entries in tenants.conf.

Custom email alerts mean major changes for alert_actions.conf

A reworked email alert interface lets you create custom email alerts and provides many new attributes you can set. If you use email alerts, review alert_actions.conf on your systems after the upgrade to ensure that alerts continue to work the way you expect. Some of the changes include:

  • The default email results format has changed from HTML to a table.
  • Setting the format attribute in alert_actions.conf to plain no longer has any effect. Splunk Enterprise uses table instead.
  • By default, all results in an email are inline (inline = 1 in alert_actions.conf).
  • Splunk Enterprise does not support customization of the sendemail.py script. This Python script is not public and can change in future releases without notice. Changes to this script in Splunk Enterprise 6.1 break any customization you may have made in a prior release.

Read more about custom email alerts in the Email notification topic in the Alerting Manual. To see the updated values, read the alert_actions.conf spec file.

Splunk Enterprise parses JSON files by using INDEXED_EXTRACTIONS by default

When you use Splunk Enterprise to import a JSON file, it attempts to parse the file using the default parsing values as though you set INDEXED_EXTRACTIONS=json in props.conf.

New attribute in limits.conf could increase memory usage

We introduced an attribute, chunk_size, which controls how many events Splunk Enterprise retrieves at once from a TSIDX file when it answers a query. The default value of 1000000 could result in increased overall memory usage and/or reduced performance. Changing the setting has an impact on both memory usage and performance and is not recommended.

The default maximum database size for summary indexing has changed

We increased the default amount of disk space that a summary index database can take from 100 to 1000 megabytes. When you upgrade, the new default takes effect through indexes.conf. This can result in additional disk space usage over the course of Splunk Enterprise operation.

New internal index can increase disk space usage

Splunk Enterprise 6.1 includes a new internal index, _introspection. This can result in increased disk usage on the system that performs indexing. Ensure that you have disk space and memory available on your indexing systems before upgrading.

Windows-specific changes

The Windows universal forwarder can now be run in "low-privilege" mode

The Splunk universal forwarder on the Windows platform can be configured to run as a user that does not have administrative rights on the server. To learn more about low-privilege mode and its benefits and potential caveats, read "Deploy a Windows universal forwarder via the installer GUI" or "Deploy a Windows universal forwarder via the command line" in the Forwarding manual.

The Windows Event Log input has additional filtering capabilities

The Windows event log input gets two new improvements:

  • The input, which until now had its own input processor, is now a modular input. This increases its efficiency and removes the limit of 64 concurrent Event Log channels. Because the Windows Event Log input already uses inputs.conf, this change should not affect your configuration. However, we suggest that you review any .conf files post-upgrade as a precaution.
  • Additionally, the input receives several new attributes which allow you to filter events based on Windows Event IDs or regular expression text. It also allows you to suppress event log text from an event.

There are also certain situations where, if you use a deployment server to control configurations, some versions of the universal forwarder might collect duplicate events. See "Upgraded deployment servers and installed apps that use 6.0 stanzas might generate duplicate events" below for additional information.

Upgraded deployment servers and installed apps that use 6.0 stanzas might generate duplicate events

To maintain interoperability, Splunk does not remove an old-style Windows Event Log stanza during an upgrade to version 6. Instead, it notifies you that you need to remove the old stanzas manually.

This is particularly important for deployment servers or universal forwarders that host apps that use 6.0 style configuration file stanzas. When you upgrade, if you do not remove the old-style stanzas, Splunk might generate duplicate events.
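The following POSIX shell script is an added example, not Splunk's own code, covering two of the post-upgrade reviews recommended on this page: the alert_actions.conf review (a `format = plain` setting that 6.1 now ignores) and the Windows Event Log stanza cleanup (a channel still defined in both an old-style stanza and a 6.0-style stanza, which can be collected twice). Both checks share one small stanza/key parser for Splunk-style .conf files. The stanza forms `[WinEventLog:Channel]` (old) and `[WinEventLog://Channel]` (6.0 modular input) and the sample files in the usage notes are assumptions, not taken from this page.

```shell
#!/bin/sh
# Added example, not Splunk's own code. Scan Splunk .conf files for two 6.1
# migration pitfalls: "format = plain" in alert_actions.conf (ignored in 6.1)
# and Windows Event Log channels defined in both the assumed pre-6.0
# "[WinEventLog:Name]" form and the 6.0 "[WinEventLog://Name]" form.

# List stanza names of a .conf file, one per line, in file order.
conf_stanzas() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*$/\1/p' "$1"
}

# Print "stanza<TAB>key<TAB>value" for each setting; skip blank/comment lines.
conf_settings() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            stanza = $0
            sub(/^[ \t]*\[/, "", stanza); sub(/\].*$/, "", stanza)
            next
        }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            printf "%s\t%s\t%s\n", stanza, k, v
        }
    ' "$1"
}

# alert_actions.conf: report stanzas that still set format = plain. Returns 1 if any.
find_plain_format() {
    hits=$(conf_settings "$1" | awk -F'\t' '$2 == "format" && tolower($3) == "plain" { print $1 }')
    [ -z "$hits" ] && return 0
    for s in $hits; do
        printf 'stanza [%s]: format = plain is ignored in 6.1; Splunk uses table instead\n' "$s"
    done
    return 1
}

# inputs.conf: report channels present in both old- and new-style stanzas. Returns 1 if any.
find_duplicate_wineventlog() {
    dups=$(conf_stanzas "$1" | awk '
        /^WinEventLog:\/\// { new[substr($0, 15)] = 1; next }
        /^WinEventLog:/     { old[substr($0, 13)] = 1; next }
        END { for (c in old) if (c in new) print c }
    ' | sort)
    [ -z "$dups" ] && return 0
    for c in $dups; do
        printf 'channel %s: remove the old-style [WinEventLog:%s] stanza\n' "$c" "$c"
    done
    return 1
}

# Walk every app under $SPLUNK_HOME/etc (deployment-apps included) and report.
scan_splunk_etc() {
    rc=0
    for f in $(find "$1/etc" -name alert_actions.conf 2>/dev/null); do
        find_plain_format "$f" || rc=1
    done
    for f in $(find "$1/etc" -name inputs.conf 2>/dev/null); do
        find_duplicate_wineventlog "$f" || rc=1
    done
    return $rc
}

# Usage: SPLUNK_HOME=/opt/splunk sh scan_conf.sh   (path is an assumption)
if [ -n "${SPLUNK_HOME:-}" ]; then
    scan_splunk_etc "$SPLUNK_HOME"
fi
```

Run it on the deployment server as well as on the forwarders, since an app served from $SPLUNK_HOME/etc/deployment-apps carries the old stanza to every client that receives it. A non-zero exit means something needs attention; the printed lines name the file-relative stanza to edit.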

No support for enabling Federal Information Processing Standards (FIPS) after an upgrade

There is no supported upgrade path from a Splunk Enterprise system with enabled Secure Sockets Layer (SSL) certificates to a system with FIPS enabled. If you need to enable FIPS, you must do so on a new installation.

This documentation applies to the following versions of Splunk: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4
