Splunk® Enterprise Security

Installation and Upgrade Manual

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Planning an upgrade of Splunk Enterprise Security

Plan an on-premises Splunk Enterprise Security upgrade. Splunk Cloud customers must work with Splunk Support to coordinate upgrades to Enterprise Security.

This version of Splunk Enterprise Security supports upgrading from version 4.0 or later. To upgrade from earlier versions, perform intermediary upgrades.

To upgrade Splunk Enterprise to version 6.6.x at the same time as you upgrade to this version of Enterprise Security, use a supported upgrade path.

Starting with Splunk platform version 6.5.x and Enterprise Security 4.x:

  1. Upgrade Splunk Enterprise Security to version 4.7.x.
  2. Upgrade the Splunk platform to version 6.6.x.

Starting with Splunk platform version 6.4.x and Enterprise Security 4.x:

  1. Upgrade the Splunk platform to version 6.5.x.
  2. Upgrade Splunk Enterprise Security to version 4.7.x.
  3. Upgrade the Splunk platform to version 6.6.x.

To upgrade Splunk Enterprise Security to version 4.7.4 and Splunk Enterprise to version 7.0.x, follow the same steps.

Before you upgrade Splunk Enterprise Security

  1. Review the compatible versions of the Splunk platform. See Splunk Enterprise system requirements.
  2. Review the hardware requirements to make sure that your server hardware supports Splunk Enterprise Security. See Hardware requirements.
  3. Review known issues with the latest release of Splunk Enterprise Security. See Known Issues in the Splunk Enterprise Security Release Notes.
  4. Review deprecated features in the latest release of Splunk Enterprise Security. See Deprecated features in the Splunk Enterprise Security Release Notes.
  5. Back up the search head, including the KV Store. The upgrade process does not back up the existing installation before upgrading. See Back up KV Store for instructions on how to back up the KV Store on the search head.

Recommendations for upgrading Splunk Enterprise Security

If you want to upgrade the Splunk platform to a version that your current version of Splunk Enterprise Security is not compatible with, upgrade both the Splunk platform and Splunk Enterprise Security in the same maintenance window.

If you cannot upgrade the Splunk platform and Splunk Enterprise Security at the same time, review the compatible versions of Splunk Enterprise and Splunk Enterprise Security to determine an upgrade path.

  1. (Optional) If needed, upgrade Splunk Enterprise to a compatible version. See Upgrade your distributed Splunk Enterprise environment in the Splunk Enterprise Installation Manual.
  2. Upgrade Splunk platform instances.
  3. Upgrade Splunk Enterprise Security.
  4. Review, upgrade, and deploy add-ons.

Upgrading Enterprise Security deployed on a search head cluster is a multi-step process. The recommended procedure is detailed in Upgrade Enterprise Security on a search head cluster.

Upgrade-specific notes

  • The upgrade will fail if a deployment server manages apps or add-ons included in the Enterprise Security package. Before starting the upgrade, remove the deploymentclient.conf file containing references to the deployment server and restart Splunk services.
  • The upgrade inherits any configuration changes and files saved in the app /local and /lookups paths.
  • The upgrade maintains local changes to the menu navigation.
  • After the upgrade, configuration changes inherited through the upgrade process might affect or override new settings. Use the ES Configuration Health dashboard to review configuration settings that might conflict with new configurations. See ES Configuration Health in the User Manual.
  • The upgrade process is logged in $SPLUNK_HOME/var/log/splunk/essinstaller2.log


Upgrade notes for add-ons included with Splunk Enterprise Security:

  • The upgrade process overwrites all prior or existing versions of apps and add-ons.
  • The upgrade does not overwrite a newer version of an app or add-on installed in your environment.
  • An app or add-on that was disabled in the previous version will remain disabled after the upgrade.
  • The upgrade disables deprecated apps or add-ons. The deprecated app or add-on must be manually removed from the Enterprise Security installation. After the upgrade, an alert displays in Messages to identify all deprecated items.

Changes to add-ons

For a list of add-ons included with this release of Enterprise Security, see Technology-specific add-ons provided with Enterprise Security.

Upgrading distributed add-ons

Splunk Enterprise Security includes the latest versions of the included add-ons that existed when this version was released.

A copy of the latest add-ons are included with Splunk Enterprise Security. When upgrading Enterprise Security, review all add-ons and deploy the updated add-ons to indexers and forwarders as required. The Enterprise Security installation process does not automatically upgrade or migrate any configurations deployed to the indexers or forwarders. See Deploy add-ons included with Splunk Enterprise Security.

You must migrate any customizations made to the prior versions of an add-on manually.

PREVIOUS
Configure data models for Splunk Enterprise Security
  NEXT
Upgrade Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters