Planning an upgrade

This topic covers key considerations for planning a Splunk Enterprise Security upgrade.

Order of operations for upgrading

1. Review this topic and any linked items to view the changes in the latest release.
2. Upgrade Splunk platform instances.
3. Upgrade Splunk Enterprise Security.
4. Review, upgrade, and deploy add-ons.

Splunk software requirements

Splunk Enterprise Security 4.0.x requires Splunk software version 6.3.x and a 64-bit OS install on all search heads and indexers.

To plan the upgrade of the Splunk software environment, see "Upgrade your distributed Splunk Enterprise environment" in the Splunk Enterprise Installation Manual.

Review the hardware requirements

To review the reference hardware requirements for Splunk platform software and Splunk Enterprise Security, see "Splunk Enterprise system requirements" in this manual.

Review the known issues

For the latest details about known issues in this release, see "Known Issues" in the Splunk Enterprise Security Release Notes Manual.

Make a backup

A full backup of the search head is recommended before applying the latest version of ES.

Search head pooling considerations

Search head pooling is not supported with Splunk Enterprise Security.

Search head clustering considerations

Upgrading Enterprise Security deployed on a search head cluster is a multi-step process. The recommended procedure is detailed in "Upgrading ES on a search head cluster" in this manual.

The Enterprise Security installer

Splunk Enterprise Security supports upgrading from Enterprise Security 3.0 or later. A full backup of the search head is recommended as the upgrade process will not backup the existing installation before upgrading.

• The upgrade of Enterprise Security on a search head will not complete if apps or add-ons included in the ES package are managed by a deployment server. Before beginning an ES upgrade, remove the deploymentclient.conf containing references to the deployment server and restart Splunk services.

• The upgrade process will overwrite all prior or current versions of apps and add-ons, and it will inherit any configuration changes and files saved in the app /local and /lookups paths.

• The upgrade process will not overwrite a newer version of an app or add-on.

• An app or add-on that was disabled in the prior version will remain disabled after the upgrade.

• A deprecated app or add-on will be disabled automatically. The deprecated app or add-on must be manually removed from the Enterprise Security installation. An alert will display in Messages and identify all deprecated items.

• After the upgrade is complete, configuration changes inherited through the upgrade process may affect or override new settings. Use the ES Configuration Health dashboard to review configuration settings that might represent a conflict. See "ES Configuration Health" in the User Manual.

• The upgrade process is logged in $SPLUNK_HOME/var/log/splunk/essinstaller2.log

Changes to add-ons

For a list of add-ons included with this release of Enterprise Security, see "Add-ons provided with Enterprise Security" in this manual.

Upgrading distributed add-ons

A copy of the latest add-ons are included with Splunk Enterprise Security. When upgrading ES, all add-ons should be reviewed and deployed to indexers and forwarders as required. The Enterprise Security installation process does not automatically upgrade or migrate any configurations deployed to the indexers or forwarders.

Important Any customizations made to the prior versions of an add-on must be manually migrated.