Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Manual upgrade of Enterprise Security

This topic describes how to upgrade the Splunk Enterprise Security Suite or the Splunk App for Enterprise Security to a newer version of the app.

Step 1. Backup existing Enterprise Security installation

To perform a manual upgrade of the Splunk App for Enterprise Security, first make a backup of the current Enterprise Security 2.x installation by copying the following directories to a backup location.

  • $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite
  • $SPLUNK_HOME/etc/apps/DA-*
  • $SPLUNK_HOME/etc/apps/SA-*
  • $SPLUNK_HOME/etc/apps/TA-*
  • $SPLUNK_HOME/etc/apps/Splunk_DA-*
  • $SPLUNK_HOME/etc/apps/Splunk_SA-*
  • $SPLUNK_HOME/etc/apps/Splunk_TA-*

Note: Users of the Splunk Enterprise Security Suite 1.1.x need to perform a clean install or upgrade to 2.2.x using an older installer. The current installer does not support upgrades from Splunk Enterprise Security Suite 1.1.x. Contact Splunk Support for more information.

Step 2. Extract new Enterprise Security version into workspace

The new instance of the Splunk App for Enterprise Security should be tested in a new $SPLUNK_HOME or on a new server. This will be the upgrade workspace.

Install the new Splunk App for Enterprise Security version into the upgrade workspace. For details on installation see "Install Enterprise Security" in this manual.

Step 3. Retrieve configurations and customizations from backup

We recommend that the administrator of the existing installation review their as-built documents and runbooks, review the contents of their $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/deployment-apps directories, and review the installation notes from the original Enterprise Security Suite install.

Preserve the list of generated lookup files from the current installation. This can be a long list. Many CSV files are generated and updated while Enterprise Security Suite is operating. Go through all "lookups" sub-directories of each Enterprise Security Suite (DA*, SA*, TA* and SplunkEnterpriseSecuritySuite) folder.

For each csv.default, backup its equivalent .csv if it exists.

These files have changed format since the previous release:

  • SA-ThreatIntelligence/lookups/ reviewstatuses.csv
  • SA-ThreatIntelligence/lookups/incident_review.csv
  • SA-ThreatIntelligence/default/savedsearches.conf

Note: The default savedsearches.conf file will be taken care of through the upgrade process. Attention is only required for local copies of savedsearches.conf.

Set aside the list and locations of these files for processing later.


The deployment-apps distributed with the Splunk App for Enterprise Security 3.0 should be used instead of the earlier Enterprise Security Suite deployment-apps.

The new deployment-apps folder is located in the SplunkEnterpriseSecurityInstaller/default/src/etc/deployment-apps after the Installer App has been run once. If the Install App has not been run, unzip it from SplunkEnterpriseSecurityInstaller/default/src/splunk_app_es-3.0.0-xxxxxx.zip. After the file has been unzipped the deployment-apps folder is located at SplunkEnterpriseSecurityInstaller/default/src/etc/deployment-apps.

Any customizations made to the old /deployment-apps have to be manually migrated to the new /deployment-apps. When the install is complete, ensure those changes are distributed to the Splunk infrastructure properly.

Review your existing installation of Enterprise Security for modifications and customizations to its scripts and dashboards. These modifications may not be required in the new versions and will each need to be reviewed for applicability.

Note: Splunk does not support modifying configuration files in the /default directories. Any changed default files will be overwritten as part of the upgrade, if the configuration directories are copied from the backup to the upgrade workspace. To save these changes, move them to /local directories.

Step 4. Move the upgrade workspace

In the production workspace:

1. Stop Splunk

  $SPLUNK_HOME/bin splunk stop

2. Delete these directories:

  • $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite
  • $SPLUNK_HOME/etc/apps/DA-*
  • $SPLUNK_HOME/etc/apps/SA-*
  • $SPLUNK_HOME/etc/apps/TA-*
  • $SPLUNK_HOME/etc/apps/Splunk_TA-* (if these exist)
  • $SPLUNK_HOME/etc/apps/Splunk_SA-* (if these exist)

3. Copy the relevant files from the upgrade workspace to the production workspace.

Step 5. Restart Splunk and verify upgrade

1. Restart Splunk:

$SPLUNK_HOME/bin ./splunk start

2. After Splunk restarts, go to Splunk Home (https://localhost:8000). Click the Enterprise Security app.

3. Click the Continue to app setup page link on the App configuration dialog.

Note: If the upgrade is performed, and the setup procedure is not run, Splunk may display errors on some dashboards.

4. Verify the settings on the Splunk App for Enterprise Security Setup page.

5. Click Save. The Enterprise Security configure page appears.

6. Verify the Enterprise Security install:

  • Look for errors in Audit
Navigate to Audit > View Audit.
  • Make sure data is still coming into the expected source types
Navigate to Audit > Incident Review Audit
  • Make sure notable events are still generating
Navigate to the Incident Review dashboard and run a search to see if events are being displayed

See "Installing Enterprise Security" and "Steps to configure" in this manual for more details on setting up the Splunk App for Enterprise Security for the first time.

Upgrade troubleshooting

Check the rest of the Splunk App for Enterprise Security documentation:


See "Troubleshoot your deployment" in this document.

Last modified on 26 March, 2014
Upgrade Splunk App for Enterprise Security to a newer version
File conversion example

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters