Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF


Splunk Enterprise Security version 4.6.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Planning an upgrade

This topic covers key considerations for planning an on-premises Splunk Enterprise Security upgrade. Splunk Cloud customers can work with Splunk Support to coordinate upgrades to Enterprise Security.

Order of operations for upgrading

  1. Review this topic and any linked items to view the changes in the latest release.
  2. Upgrade Splunk platform instances.
  3. Upgrade Splunk Enterprise Security.
  4. Review, upgrade, and deploy add-ons.

Splunk software requirements

See Splunk Enterprise system requirements.

To plan the upgrade of the Splunk software environment, see Upgrade your distributed Splunk Enterprise environment in the Splunk Enterprise Installation Manual.

Review the hardware requirements

To review the reference hardware requirements for Splunk platform software and Splunk Enterprise Security, see Splunk Enterprise system requirements in this manual.

Review the known issues

For the latest details about known issues in this release, see Known Issues for Splunk Enterprise Security in the Splunk Enterprise Security Release Notes.

Make a full backup of the search head

A full backup of the search head is recommended before applying the latest version of ES.

See Back up KV Store for instructions on how to back up the KV Store on the search head.

Search head pooling considerations

Search head pooling is not supported with Splunk Enterprise Security.

Search head clustering considerations

Upgrading Enterprise Security deployed on a search head cluster is a multi-step process. The recommended procedure is detailed in Upgrading ES on a search head cluster in this manual.

Using the Enterprise Security installer

Splunk Enterprise Security supports upgrading from Enterprise Security 4.0 or later. To upgrade from earlier versions, perform intermediary upgrades. Performing a full backup of the search head is recommended as the upgrade process will not backup the existing installation before upgrading.

  • The upgrade of Enterprise Security on a search head will not complete if apps or add-ons included in the ES package are managed by a deployment server. Before beginning an ES upgrade, remove the deploymentclient.conf containing references to the deployment server and restart Splunk services.
  • The upgrade process will overwrite all prior or current versions of apps and add-ons, and it will inherit any configuration changes and files saved in the app /local and /lookups paths. Local changes to the navigation in /local/data/ui/nav/default.xml are relocated during the upgrade to /local/data/ui/nav/default.xml.old so that local overrides do not hide newly delivered content in the navigation menu.
  • The upgrade process will not overwrite a newer version of an app or add-on.
  • An app or add-on that was disabled in the prior version will remain disabled after the upgrade.
  • A deprecated app or add-on will be disabled automatically. The deprecated app or add-on must be manually removed from the Enterprise Security installation. An alert will display in Messages and identify all deprecated items.
  • After the upgrade is complete, configuration changes inherited through the upgrade process may affect or override new settings. Use the ES Configuration Health dashboard to review configuration settings that might represent a conflict. See ES Configuration Health in the User Manual.
  • The upgrade process is logged in $SPLUNK_HOME/var/log/splunk/essinstaller2.log

Changes to add-ons

For a list of add-ons included with this release of Enterprise Security, see Add-ons provided with Enterprise Security in this manual.

Upgrading distributed add-ons

A copy of the latest add-ons are included with Splunk Enterprise Security. When upgrading ES, review all add-ons and deploy the updated add-ons to indexers and forwarders as required. The Enterprise Security installation process does not automatically upgrade or migrate any configurations deployed to the indexers or forwarders.

Important Any customizations made to the prior versions of an add-on must be manually migrated.

Last modified on 06 June, 2017
PREVIOUS
Configure data models for Splunk Enterprise Security
  NEXT
Upgrade Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters