Splunk® Enterprise

Installation Manual

How to upgrade Splunk Enterprise

The process of upgrading a single Splunk Enterprise instance is straightforward. In many cases, you upgrade the software by installing the latest Splunk Enterprise package over your existing installation. When you upgrade on Windows systems, the installer package detects the version that you have previously installed and offers to upgrade it for you.

The process of upgrading a distributed or clustered Splunk Enterprise deployment differs based on the type of deployment, and whether or not the instance hosts various Splunk apps and add-ons.

If the Splunk Enterprise instance or deployment that you want to upgrade has one or more premium Splunk apps installed, such as Splunk IT Service Intelligence or Splunk Enterprise Security, you need to plan your upgrade sequence and target version levels to maintain version compatibility with the premium apps. The Splunk products version compatibility matrix shows which specific versions of Splunk Enterprise are compatible and supported with premium Splunk apps.

Regardless of deployment type, you must upgrade Splunk Enterprise using an operating system account with sufficient privileges to satisfy the following requirements:

  • The account has administrative privileges on the machine where you perform the upgrade.
  • The account can write to the instance directory and all of its subdirectories.

This topic provides specific information for upgrading to version 9.3 from a previous version. If you do not want to upgrade to version 9.3, use the Version drop-down list to choose the release version that you want.

Always use the upgrade instructions for the version to which you want to upgrade. Earlier or later versions of upgrade instructions can present information that appears to conflict with information for your target version.

Upgrade information for version 9.3

Read on to learn the information you need to upgrade your deployment of Splunk Enterprise, including the available upgrade paths, information that might affect you when you upgrade, and links to information on features and release notes.

Upgrade paths to version 9.3

The following table describes the upgrade paths that are available from previous versions of Splunk Enterprise.

Find the version you currently use in the first column and read across to determine the upgrade path for that version. If your version does not appear in the first column, then there is no supported upgrade path to the latest version. You must first upgrade to a version that is in this list.

After selecting a hyperlink in the following table, choose your specific product version from the Version drop-down list.

| Your current version | First upgrade to latest available version of | Then upgrade to latest available version of | README link | Rel. Notes link |
|---|---|---|---|---|
| 9.0.x | 9.1.x or 9.2.x | 9.3.x | README | Rel. Notes |
| 9.1.x | 9.2.x or 9.3.x | 9.3.x or n/a | README | Rel. Notes |
| 9.2.x | 9.3.x | n/a | README | Rel. Notes |

Splunk Enterprise upgrade process

The upgrade process for Splunk Enterprise consists of three phases:

  • Phase 1: Identify, back up, and verify that components work as you expect
  • Phase 2: Install updated Splunk Enterprise components
  • Phase 3: Confirm everything works after the upgrade

This process applies to upgrades of all Splunk Enterprise deployments. Depending on the kind of deployment you have, some steps might differ from what this page shows.

Phase 1: Identify, back up, and verify that components work as you expect

Use the following steps to prepare a Splunk Enterprise upgrade. Specific steps might differ based on the size and kind of deployment and whether or not your deployment runs a premium Splunk app.

  1. Identify all of the components in your deployment. This determines the upgrade procedures that you must follow during the upgrade phase:
    • Identify all single-instance components.
    • Identify all distributed components that are not in a cluster.
    • Identify all clustered components.
  2. Back up your existing deployment, including configurations, data, and the KV store. For more information about backing up your Splunk Enterprise deployment, see Back up configuration information in the Admin Manual and Back up indexed data in the Managing Indexers and Clusters of Indexers manual. For information about backing up your KV store, see Back up and restore KV store in the Admin Manual.
  3. Validate your backups and confirm that they can be restored.
  4. Where applicable, use the Monitoring Console to take a snapshot of the health of your existing Splunk Enterprise deployment.
  5. If you run a clustered Splunk Enterprise environment, use the Monitoring Console to confirm that the cluster is healthy.
  6. If you run a Splunk Enterprise license manager instance, confirm that it is healthy, that all indexers successfully connect to it, and that all license keys either are available for entry or exist on backup media.
  7. If you run a deployer on a search head cluster, confirm that it is healthy and can push configuration bundles to all SHC peers without problems.
  8. If you run a deployment server machine, confirm that it is healthy, that configurations reload successfully, and that all forwarders can connect to it.
  9. Review the forwarder-indexer compatibility matrix in Compatibility between forwarders and indexers in the Splunk Products Version Compatibility Matrix to confirm that all forwarders in your deployment work with the indexer version to which you plan to upgrade. Older forwarder versions might not be compatible because of various security cipher changes.
  10. For distributed deployments of any kind, confirm that all machines in the indexing tier satisfy the following conditions:
    • They have sufficient disk space available for installation of the updated software
    • They run basic searches without problems
    • They do not run their own saved searches
  11. On distributed deployments of any kind, confirm that all machines in the search tier satisfy the following conditions:
    • The version of Splunk Enterprise that you want to upgrade can run your apps, add-ons, and dashboards
    • You have all security keys, configurations, and credentials available for possible reentry
    • Searches do not fail because of incorrect authentication credentials
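
The write-access requirement for the upgrading account, the disk-space condition in step 10, and the backup and restore check in steps 2 and 3 can be scripted and run as the account that will perform the upgrade. The following is an added example, not Splunk tooling: the function names are hypothetical, it assumes a *nix host with configuration files under etc/ in the instance directory, and it covers configuration only, not indexed data or the KV store.

```shell
#!/bin/sh
# Added example: Phase 1 preflight for one instance. Function names, paths
# and the free-space threshold are assumptions, not Splunk tooling.

# Print every file or directory under the instance directory that the current
# account cannot write to. Empty output means the write requirement holds.
unwritable_paths() {  # $1 = instance directory
    find "$1" \( -type d -o -type f \) -print 2>/dev/null |
    while IFS= read -r p; do
        [ -w "$p" ] || printf '%s\n' "$p"
    done
}

# Succeed only if the filesystem holding $1 has at least $2 KiB available.
has_free_kb() {  # $1 = directory, $2 = required KiB
    avail=$(df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}')
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# Step 2: archive etc/ and write a SHA-256 manifest next to the archive.
backup_etc() {  # $1 = instance directory, $2 = existing backup directory
    dest=$(cd "$2" && pwd) || return 1
    ( cd "$1/etc" && find . -type f -exec sha256sum {} + ) > "$dest/etc.sha256" &&
        tar -C "$1" -czf "$dest/etc.tgz" etc
}

# Step 3: restore into a scratch directory and check each file's hash.
verify_backup() {  # $1 = backup directory
    src=$(cd "$1" && pwd) || return 1
    scratch=$(mktemp -d) || return 1
    if tar -C "$scratch" -xzf "$src/etc.tgz" 2>/dev/null &&
       ( cd "$scratch/etc" && sha256sum -c "$src/etc.sha256" >/dev/null 2>&1 )
    then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return "$rc"
}

# Run the checks in order and stop at the first failure.
preflight() {  # $1 = instance dir, $2 = backup dir, $3 = required KiB
    [ -z "$(unwritable_paths "$1")" ] || { echo "FAIL: unwritable paths"; return 1; }
    has_free_kb "$1" "$3" || { echo "FAIL: disk space"; return 1; }
    backup_etc "$1" "$2" || { echo "FAIL: backup"; return 1; }
    verify_backup "$2" || { echo "FAIL: restored files differ"; return 1; }
    echo "OK"
}
```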

Phase 2: Install updated Splunk Enterprise components

After you complete the pre-upgrade steps in Phase 1, you can begin upgrading individual Splunk Enterprise components. Depending on your deployment type, you might need to perform additional steps.

  1. Read About upgrading to 9.3: READ THIS FIRST completely prior to starting an upgrade.
  2. If you run premium Splunk apps, see the Splunk Products version compatibility matrix to determine the versions that your apps support.
  3. Upgrade the Splunk Enterprise components in your deployment, based on the deployment architecture you identified in Phase 1:
  4. During the upgrade, depending on the component that you upgrade, you might need to perform validation steps to ensure the upgrade is successful.
    • On a cluster manager node, you might need to run validation searches or use operating system tools to determine cluster manager health and readiness before you proceed to the next upgrade phase.
    • On forwarders, you can use Monitoring Console to determine that data ingestion levels remain at pre-upgrade rates as forwarders come back online.
    • On standalone indexers, you can run searches to determine that data ingestion and search participation occur normally.
    • On clustered indexers, you can use Monitoring Console to determine that indexers come back online and appear as normal in the Clustering Status page.

Phase 3: Verify everything works after the upgrade

After you complete the upgrade of Splunk Enterprise components, follow these high-level steps to confirm that your upgrade was successful. As with the other phases, specific steps might differ based on the number and kind of Splunk Enterprise components that you have in your deployment.

  1. Confirm that your Splunk apps and add-ons work like they did before the upgrade.
  2. If you have a distributed deployment, use Monitoring Console to verify all Splunk Enterprise components.
    • Review resource utilization for all components and compare to what you benchmarked prior to the upgrade.
    • Confirm all components are available.
  3. If you have a distributed deployment, confirm that the license manager machine works properly and all indexers connect to it, like they did before the upgrade.
  4. If you have a clustered deployment, confirm that the cluster manager operates normally and that cluster peers are connecting properly.
  5. If you have a distributed deployment, confirm that the search tier operates normally and that search and indexers communicate without problems.
  6. If you have a search head cluster, use the Monitoring Console to verify search head cluster state and individual cluster peer nodes.
  7. If you have an indexer cluster, confirm that all indexer cluster nodes reestablish communications with the cluster manager.

Optional upgrade activities

The following section describes optional steps that you can perform after an upgrade.

Review and configure the tsidxWritingLevel

Splunk Enterprise 7.2 introduced a new file format and optimizations for tsidx files that resulted in improved search performance through decreased I/O, lowered storage usage, and improved utilization of SmartStore caches. These optimizations are encapsulated in levels, with new levels added in higher releases of Splunk Enterprise. Changing the default tsidxWritingLevel changes the optimizations used by both the index tsidx files and data model accelerations.

To determine whether the tsidx level available has changed since your last upgrade, and what value to set the tsidxWritingLevel to, see The tsidx writing level in the Managing Indexers and Clusters of Indexers manual.

Last modified on 27 November, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.3.0, 9.3.1, 9.3.2

