Splunk® Enterprise Security

Installation and Upgrade Manual

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Plan the upgrade

This topic covers key considerations planning the Splunk App for Enterprise Security upgrade.

Order of operations

  1. Review this topic for changes required to support the latest release
  2. Upgrade Splunk Enterprise
  3. Upgrade the Enterprise Security app
  4. Review, upgrade, and deploy add-ons

Splunk Enterprise requirements

The Splunk App for Enterprise Security 3.3.3 requires Splunk Enterprise version 6.3.0 or 6.4.0 and a 64-bit OS install on all search heads and indexers.

To plan the upgrade of the Splunk Enterprise environment, see Upgrade your distributed Splunk Enterprise environment in the Splunk Enterprise Installation Manual.

Hardware requirements

The reference hardware for Splunk Enterprise and the Splunk App for Enterprise Security have changed. See the topic "Splunk Enterprise system requirements" in this manual.

Installation prerequisites

The Splunk App for Enterprise Security 3.0 and later does not require the Sideview Utils app to be installed. Sideview Utils does not conflict with Enterprise Security, and you can retain it for legacy dashboards or other uses.

Review the Known Issues

For the latest details about known issues found in this release, see "Known Issues" in the Splunk App for Enterprise Security Release Notes Manual.

Enterprise Security Install App

The Enterprise Security Install App performs an upgrade only on an installation of Enterprise Security 2.4 or greater. The Install App does not support upgrades from Splunk Enterprise Security Suite 1.1.x.

The Enterprise Security Install App disables any prior version and displays a review of all changes before performing the upgrade. It also migrates custom searches, temporarily disables all correlation searches, changes the lookup files to new formats, and disables searches that have a naming conflict with Enterprise Security. The Enterprise Security Install App can print a report of all changes to be made before performing the upgrade. Printing the report is recommended.

Search head pooling considerations

In a environment with search head pooling, you must follow a specific order of operations for upgrading any app. See "Upgrade a distributed environment with pooled search heads" in the Splunk Enterprise Distributed Deployment Manual.

Search head clustering considerations

Upgrading the Enterprise Security app deployed on a search head cluster is a multi-step process. To review the recommended procedure, see the topic "Upgrading ES on a search head cluster" in this manual.

Deployment-apps

A copy of the latest add-ons (TA) are included with the Splunk App for Enterprise Security. When upgrading to the latest Enterprise Security app, the deployment-apps included with the Enterprise Security Install App should be used. The Enterprise Security Install App does not automatically upgrade or migrate any deployment-apps configurations. Use the Splunk Enterprise deployment server or other configuration management service to deploy the add-ons to the indexers and forwarders as required.

  • After the upgrade has been run, the deployment-apps package is extracted into SplunkEnterpriseSecurityInstaller/default/src/etc/deployment-apps.
  • The deployment-apps package can also be extracted directly from the Enterprise Security Install App in the file SplunkEnterpriseSecurityInstaller/default/src/splunk_app_es-3.x.x-xxxxxx.zip

Important Any customizations made to the prior versions of deployment-apps must be manually migrated.

Changes to add-ons

For a list of add-ons included with this release of the Enterprise Security app, see "Add-ons provided with Enterprise Security" in this manual.

PREVIOUS
Security Domains
  NEXT
Upgrade Splunk App for Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters