Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Planning an upgrade

This topic covers key considerations for planning an on-premises Splunk Enterprise Security upgrade.

Order of operations for upgrading

  1. Review this topic and any linked items to view the changes in the latest release.
  2. Upgrade Splunk platform instances.
  3. Upgrade Splunk Enterprise Security.
  4. Review, upgrade, and deploy add-ons.

Splunk software requirements

Splunk Enterprise Security 4.1.x requires Splunk software version 6.3.3 or later, and a 64-bit OS install on all search heads and indexers. See Splunk Enterprise system requirements for specific version details.

To plan the upgrade of the Splunk software environment, see Upgrade your distributed Splunk Enterprise environment in the Splunk Enterprise Installation Manual.

Review the hardware requirements

To review the reference hardware requirements for Splunk platform software and Splunk Enterprise Security, see Splunk Enterprise system requirements in this manual.

Review the known issues

For the latest details about known issues in this release, see Known Issues in the Splunk Enterprise Security Release Notes Manual.

Make a full backup of the search head

A full backup of the search head is recommended before applying the latest version of ES.

Search head pooling considerations

Search head pooling is not supported with Splunk Enterprise Security.

Search head clustering considerations

Upgrading Enterprise Security deployed on a search head cluster is a multi-step process. The recommended procedure is detailed in Upgrading ES on a search head cluster in this manual.

Using the Enterprise Security installer

Splunk Enterprise Security supports upgrading from Enterprise Security 3.0 or later. Performing a full backup of the search head is recommended as the upgrade process will not backup the existing installation before upgrading.

  • The upgrade of Enterprise Security on a search head will not complete if apps or add-ons included in the ES package are managed by a deployment server. Before beginning an ES upgrade, remove the deploymentclient.conf containing references to the deployment server and restart Splunk services.
  • The upgrade process will overwrite all prior or current versions of apps and add-ons, and it will inherit any configuration changes and files saved in the app /local and /lookups paths. Local changes to the navigation in /local/data/ui/nav/default.xml are relocated during the upgrade to /local/data/ui/nav/default.xml.old so that local overrides do not hide newly delivered content in the navigation menu.
  • The upgrade process does not overwrite a newer version of an app or add-on.
  • An app or add-on that was disabled in the prior version remains disabled after the upgrade.
  • A deprecated app or add-on is disabled automatically by the installer. The deprecated app or add-on must be manually removed from the Enterprise Security installation. An alert displays in Messages and identifies all deprecated items.
  • After the upgrade is complete, configuration changes inherited through the upgrade process can affect or override new settings. Use the ES Configuration Health dashboard to review configuration settings that might represent a conflict. See ES Configuration Health in the User Manual.
  • The upgrade process is logged in $SPLUNK_HOME/var/log/splunk/essinstaller2.log

Changes to add-ons

For a list of add-ons included with this release of Enterprise Security, see Add-ons provided with Enterprise Security in this manual.

Upgrading distributed add-ons

A copy of the latest add-ons are included with Splunk Enterprise Security. When upgrading ES, all add-ons should be reviewed and deployed to indexers and forwarders as required. The Enterprise Security installation process does not automatically upgrade or migrate any configurations deployed to the indexers or forwarders.

Important Any customizations made to the prior versions of an add-on must be manually migrated.

Last modified on 06 February, 2017
Configure data models
Upgrade Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters