Plan the upgrade
This topic covers key considerations planning the Splunk App for Enterprise Security upgrade.
Order of operations
- Review this topic for changes required to support the latest release
- Upgrade Splunk Enterprise
- Upgrade the Enterprise Security app
- Review, upgrade, and deploy add-ons
Splunk Enterprise requirements
The Splunk App for Enterprise Security 3.3.3 requires Splunk Enterprise version 6.3.0 or 6.4.0 and a 64-bit OS install on all search heads and indexers.
To plan the upgrade of the Splunk Enterprise environment, see Upgrade your distributed Splunk Enterprise environment in the Splunk Enterprise Installation Manual.
Hardware requirements
The reference hardware for Splunk Enterprise and the Splunk App for Enterprise Security have changed. See the topic "Splunk Enterprise system requirements" in this manual.
Installation prerequisites
The Splunk App for Enterprise Security 3.0 and later does not require the Sideview Utils app to be installed. Sideview Utils does not conflict with Enterprise Security, and you can retain it for legacy dashboards or other uses.
Review the Known Issues
For the latest details about known issues found in this release, see "Known Issues" in the Splunk App for Enterprise Security Release Notes Manual.
Enterprise Security Install App
The Enterprise Security Install App performs an upgrade only on an installation of Enterprise Security 2.4 or greater. The Install App does not support upgrades from Splunk Enterprise Security Suite 1.1.x.
The Enterprise Security Install App disables any prior version and displays a review of all changes before performing the upgrade. It also migrates custom searches, temporarily disables all correlation searches, changes the lookup files to new formats, and disables searches that have a naming conflict with Enterprise Security. The Enterprise Security Install App can print a report of all changes to be made before performing the upgrade. Printing the report is recommended.
Search head pooling considerations
In a environment with search head pooling, you must follow a specific order of operations for upgrading any app. See "Upgrade a distributed environment with pooled search heads" in the Splunk Enterprise Distributed Deployment Manual.
Search head clustering considerations
Upgrading the Enterprise Security app deployed on a search head cluster is a multi-step process. To review the recommended procedure, see the topic "Upgrading ES on a search head cluster" in this manual.
Deployment-apps
A copy of the latest add-ons (TA) are included with the Splunk App for Enterprise Security. When upgrading to the latest Enterprise Security app, the deployment-apps included with the Enterprise Security Install App should be used. The Enterprise Security Install App does not automatically upgrade or migrate any deployment-apps
configurations. Use the Splunk Enterprise deployment server or other configuration management service to deploy the add-ons to the indexers and forwarders as required.
- After the upgrade has been run, the
deployment-apps
package is extracted intoSplunkEnterpriseSecurityInstaller/default/src/etc/deployment-apps
.
- The
deployment-apps
package can also be extracted directly from the Enterprise Security Install App in the fileSplunkEnterpriseSecurityInstaller/default/src/splunk_app_es-3.x.x-xxxxxx.zip
Important Any customizations made to the prior versions of deployment-apps must be manually migrated.
Changes to add-ons
For a list of add-ons included with this release of the Enterprise Security app, see "Add-ons provided with Enterprise Security" in this manual.
Security Domains | Upgrade Splunk App for Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.3
Feedback submitted, thanks!