Planning an upgrade
This topic covers key considerations for planning a Splunk Enterprise Security upgrade.
Order of operations for upgrading
- Review this topic and any linked items to view the changes in the latest release.
- Upgrade Splunk platform instances.
- Upgrade Splunk Enterprise Security.
- Review, upgrade, and deploy add-ons.
Splunk software requirements
Splunk Enterprise Security 4.0.x requires Splunk software version 6.3.x and a 64-bit OS install on all search heads and indexers.
To plan the upgrade of the Splunk software environment, see "Upgrade your distributed Splunk Enterprise environment" in the Splunk Enterprise Installation Manual.
Review the hardware requirements
To review the reference hardware requirements for Splunk platform software and Splunk Enterprise Security, see "Splunk Enterprise system requirements" in this manual.
Review the known issues
For the latest details about known issues in this release, see "Known Issues" in the Splunk Enterprise Security Release Notes Manual.
Make a backup
A full backup of the search head is recommended before applying the latest version of ES.
Search head pooling considerations
Search head pooling is not supported with Splunk Enterprise Security.
Search head clustering considerations
Upgrading Enterprise Security deployed on a search head cluster is a multi-step process. The recommended procedure is detailed in "Upgrading ES on a search head cluster" in this manual.
The Enterprise Security installer
Splunk Enterprise Security supports upgrading from Enterprise Security 3.0 or later. A full backup of the search head is recommended as the upgrade process will not backup the existing installation before upgrading.
- The upgrade of Enterprise Security on a search head will not complete if apps or add-ons included in the ES package are managed by a deployment server. Before beginning an ES upgrade, remove the
deploymentclient.confcontaining references to the deployment server and restart Splunk services.
- The upgrade process will overwrite all prior or current versions of apps and add-ons, and it will inherit any configuration changes and files saved in the app
- The upgrade process will not overwrite a newer version of an app or add-on.
- An app or add-on that was disabled in the prior version will remain disabled after the upgrade.
- A deprecated app or add-on will be disabled automatically. The deprecated app or add-on must be manually removed from the Enterprise Security installation. An alert will display in Messages and identify all deprecated items.
- After the upgrade is complete, configuration changes inherited through the upgrade process may affect or override new settings. Use the ES Configuration Health dashboard to review configuration settings that might represent a conflict. See "ES Configuration Health" in the User Manual.
- The upgrade process is logged in
Changes to add-ons
For a list of add-ons included with this release of Enterprise Security, see "Add-ons provided with Enterprise Security" in this manual.
Upgrading distributed add-ons
A copy of the latest add-ons are included with Splunk Enterprise Security. When upgrading ES, all add-ons should be reviewed and deployed to indexers and forwarders as required. The Enterprise Security installation process does not automatically upgrade or migrate any configurations deployed to the indexers or forwarders.
Important Any customizations made to the prior versions of an add-on must be manually migrated.
Configure data models
Upgrade Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 4.0.0, 4.0.1, 4.0.2