Planning an upgrade
This topic covers key considerations for planning an on-premises Splunk Enterprise Security upgrade.
Order of operations for upgrading
- Review this topic and any linked items to view the changes in the latest release.
- Upgrade Splunk platform instances.
- Upgrade Splunk Enterprise Security.
- Review, upgrade, and deploy add-ons.
Splunk software requirements
Splunk Enterprise Security 4.1.x requires Splunk software version 6.3.3 or later, and a 64-bit OS install on all search heads and indexers. See Splunk Enterprise system requirements for specific version details.
To plan the upgrade of the Splunk software environment, see Upgrade your distributed Splunk Enterprise environment in the Splunk Enterprise Installation Manual.
Review the hardware requirements
To review the reference hardware requirements for Splunk platform software and Splunk Enterprise Security, see Splunk Enterprise system requirements in this manual.
Review the known issues
For the latest details about known issues in this release, see Known Issues in the Splunk Enterprise Security Release Notes Manual.
Make a full backup of the search head
A full backup of the search head is recommended before applying the latest version of ES.
Search head pooling considerations
Search head pooling is not supported with Splunk Enterprise Security.
Search head clustering considerations
Upgrading Enterprise Security deployed on a search head cluster is a multi-step process. The recommended procedure is detailed in Upgrading ES on a search head cluster in this manual.
Using the Enterprise Security installer
Splunk Enterprise Security supports upgrading from Enterprise Security 3.0 or later. Performing a full backup of the search head is recommended as the upgrade process will not backup the existing installation before upgrading.
- The upgrade of Enterprise Security on a search head will not complete if apps or add-ons included in the ES package are managed by a deployment server. Before beginning an ES upgrade, remove the
deploymentclient.confcontaining references to the deployment server and restart Splunk services.
- The upgrade process will overwrite all prior or current versions of apps and add-ons, and it will inherit any configuration changes and files saved in the app
/lookupspaths. Local changes to the navigation in
/local/data/ui/nav/default.xmlare relocated during the upgrade to
/local/data/ui/nav/default.xml.oldso that local overrides do not hide newly delivered content in the navigation menu.
- The upgrade process does not overwrite a newer version of an app or add-on.
- An app or add-on that was disabled in the prior version remains disabled after the upgrade.
- A deprecated app or add-on is disabled automatically by the installer. The deprecated app or add-on must be manually removed from the Enterprise Security installation. An alert displays in Messages and identifies all deprecated items.
- After the upgrade is complete, configuration changes inherited through the upgrade process can affect or override new settings. Use the ES Configuration Health dashboard to review configuration settings that might represent a conflict. See ES Configuration Health in the User Manual.
- The upgrade process is logged in
Changes to add-ons
For a list of add-ons included with this release of Enterprise Security, see Add-ons provided with Enterprise Security in this manual.
Upgrading distributed add-ons
A copy of the latest add-ons are included with Splunk Enterprise Security. When upgrading ES, all add-ons should be reviewed and deployed to indexers and forwarders as required. The Enterprise Security installation process does not automatically upgrade or migrate any configurations deployed to the indexers or forwarders.
Important Any customizations made to the prior versions of an add-on must be manually migrated.
Configure data models
Upgrade Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4