Upgrade Splunk Enterprise Security in a search head cluster environment
Upgrade Splunk Enterprise Security on a search head cluster
Before you upgrade a Splunk Enterprise Security search head cluster, review these instructions and the order of operations.
- Prepare a staging instance.
- Upgrade the staging instance to the latest version.
- Migrate the upgraded installation to the production deployer.
- Deploy the changes to the cluster members.
- Validate the configuration on the search head cluster.
Previous versions of these instructions, if followed precisely, might have caused you to deploy default apps included with Splunk Enterprise to your search head cluster members using the deployer. Deploying default apps in this way is not recommended.
If you experience problems with your deployment as a result of this misconfiguration, migrate the settings of your installation to a new deployer and search head cluster, similar to the steps for migrating a standalone search head to a search head cluster. See Migrate an existing search head to a search head cluster on this page.
- Review the add-ons included in the Splunk Enterprise Security package.
- If needed, upgrade Splunk Enterprise to the latest version compatible with this version of Splunk Enterprise Security.
Prepare a staging instance
Before upgrading, you need to compare the copy of Splunk Enterprise Security on the deployer with the latest release. You can do this by performing the upgrade on a staging instance. If you have a testing or QA instance in your Splunk environment with only Splunk Enterprise installed, you can use that instance for staging.
- Prepare a single instance of Splunk Enterprise to use for staging an upgrade. Do not connect the instance to indexers or search peers.
- Copy the apps in the deployer instance path etc/shcluster/apps to the staging instance's $SPLUNK_HOME/etc/apps directory.
For example, on the deployer type:
scp -r ~/etc/shcluster/apps <staging_machine>:~/etc/
If the deployer includes default apps, such as the search app, remove them from the deployer before copying the folder to the staging instance.
The copy of Splunk Enterprise Security on the deployer includes configuration settings that are deployed to the search head cluster. The copy does not include the runtime knowledge object changes replicated between the search head cluster nodes.
Upgrade the staging instance to the latest version
- Follow steps one through four in the Upgrade Splunk Enterprise Security process.
- Review the ES Configuration Health dashboard to identify changes in configurations and settings between the deployed version and the latest release of Splunk Enterprise Security.
The installer automatically disables deprecated apps or add-ons. An alert displays in Messages on the staging instance and identifies all deprecated items. You must manually remove a deprecated app or add-on from the Enterprise Security installation.
Migrate the upgraded ES install to the deployer
Move the apps that comprise Splunk Enterprise Security from the staging instance to the deployer.
- On the staging instance, copy the apps, SAs, DAs, and TAs associated with the Splunk Enterprise Security Suite from the $SPLUNK_HOME/etc/apps directory to the $SPLUNK_HOME/etc/shcluster/apps directory on the deployer.
- Do not copy any of the deprecated apps or add-ons that you noted during the upgrade on staging.
- Do not copy any of the default apps, such as the search, launcher, or gettingstarted apps.
Do not copy all of the apps in the $SPLUNK_HOME/etc/apps directory, because you do not want to upgrade and deploy apps included with Splunk Enterprise.
Deploy the changes to the cluster members
- On the deployer, deploy Enterprise Security with -preserve-lookups true to retain lookup file content generated on the search head cluster members. See Deploy a configuration bundle in Distributed Search.
See Maintain lookup files across app upgrades in the Splunk Enterprise Distributed Search Manual for more about using this setting.
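The staging-to-deployer copy above is the step where mistakes happen: copying all of etc/apps drags Splunk Enterprise default apps into the bundle, and copying a deprecated add-on that the installer disabled keeps it alive on the members. The following script is an added example, not Splunk's own tooling, that builds the exclusion list from evidence on the staging instance instead of a hard-coded list of app names: it snapshots etc/apps on the clean staging instance before the deployer's apps are copied in (everything in that snapshot shipped with Splunk Enterprise), treats an app as deprecated when its local/app.conf carries state = disabled under [install] (which is how Splunk records a disabled app), copies only what remains to the deployer's etc/shcluster/apps, and then runs splunk apply shcluster-bundle with -preserve-lookups true. DEPLOYER_HOST, TARGET_MEMBER, SPLUNK_HOME, the rsync/ssh access, and every app name in the sample tree are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Splunk's own tooling. Selects the ES apps to move from the
# staging instance's $SPLUNK_HOME/etc/apps to the deployer's etc/shcluster/apps,
# skipping (a) apps that shipped with Splunk Enterprise, identified by a listing
# of etc/apps taken on the clean staging instance before anything was copied in,
# and (b) apps the ES installer disabled as deprecated, which Splunk records as
# "state = disabled" under [install] in the app's local/app.conf.
set -euo pipefail

# Record the baseline. Run on the staging instance BEFORE copying in the
# deployer's apps. $1 = etc/apps directory, $2 = file to write.
snapshot_default_apps() {
    ls -1 "$1" > "$2"
}

# Exit 0 if the app directory $1 is disabled via local/app.conf.
app_is_disabled() {
    local conf="$1/local/app.conf"
    [ -f "$conf" ] || return 1
    awk '
        { gsub(/[ \t\r]/, "") }                          # tolerate "state=disabled"
        /^\[/ { in_install = ($0 == "[install]") }        # only the [install] stanza counts
        in_install && $0 == "state=disabled" { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$conf"
}

# Print, one per line, the app names under $1 that should go to the deployer:
# present in etc/apps, absent from the baseline file $2, and not disabled.
select_es_apps() {
    local apps_dir="$1" baseline="$2" app name
    for app in "$apps_dir"/*/; do
        [ -d "$app" ] || continue
        name=$(basename "$app")
        grep -qxF -- "$name" "$baseline" && continue     # Splunk Enterprise default app
        if app_is_disabled "$app"; then
            printf 'skipping deprecated (disabled) app: %s\n' "$name" >&2
            continue
        fi
        printf '%s\n' "$name"
    done
}

# Copy the selected apps to the deployer and push the bundle. DEPLOYER_HOST,
# TARGET_MEMBER and SPLUNK_HOME are assumed environment variables; rsync and
# ssh access to the deployer is assumed. --delete makes the deployer's copy of
# each app match the upgraded one exactly. -preserve-lookups true keeps lookup
# content generated on the members, as the page describes.
push_to_deployer() {
    local apps_dir="$1" baseline="$2" name
    select_es_apps "$apps_dir" "$baseline" | while read -r name; do
        rsync -a --delete "$apps_dir/$name/" \
            "$DEPLOYER_HOST:$SPLUNK_HOME/etc/shcluster/apps/$name/"
    done
    ssh "$DEPLOYER_HOST" "$SPLUNK_HOME/bin/splunk apply shcluster-bundle \
        -target https://$TARGET_MEMBER:8089 -preserve-lookups true"
}

# Constructed sample staging layout (not real Splunk data) so the selection can
# be exercised offline. Prints the temp dir holding etc/apps and baseline.txt.
make_sample_staging() {
    local root; root=$(mktemp -d)
    local apps="$root/etc/apps"
    # What the clean Splunk Enterprise instance already had:
    mkdir -p "$apps/search" "$apps/launcher" "$apps/gettingstarted"
    snapshot_default_apps "$apps" "$root/baseline.txt"
    # What the upgraded ES install added on top (app names illustrative):
    mkdir -p "$apps/SplunkEnterpriseSecuritySuite/default" \
             "$apps/SA-ExampleAddon/default" \
             "$apps/DA-ESS-Example/default" \
             "$apps/TA-deprecated-example/local"
    printf '[install]\nstate = disabled\n' > "$apps/TA-deprecated-example/local/app.conf"
    printf '%s\n' "$root"
}
```

On a real staging instance, call snapshot_default_apps against $SPLUNK_HOME/etc/apps before step 2 of "Prepare a staging instance", run the upgrade, then call push_to_deployer with the same baseline file. Cross-check the apps the script skips as disabled against the deprecated items listed in Messages on the staging instance; an add-on the installer flagged but did not disable still has to be removed by hand.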
Validate the configuration on the search head cluster
After you distribute the copy of Enterprise Security on the deployer to the search head cluster members, use the ES Configuration Health dashboard to compare the cluster-replicated knowledge objects to the latest installation of Enterprise Security.
- Log in to Splunk Web on a search head cluster member.
- Open Enterprise Security.
- From the Enterprise Security menu bar, select Audit > ES Configuration Health.
- Review potential conflicts and changes to the default settings.
See ES Configuration Health in Use Splunk Enterprise Security.
This documentation applies to the following versions of Splunk® Enterprise Security: 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2