Planning an upgrade of Splunk Enterprise Security
Plan an on-premises Splunk Enterprise Security upgrade. Splunk Cloud customers must work with Splunk Support to coordinate upgrades to Enterprise Security.
This version of Splunk Enterprise Security supports upgrading from version 4.5.x or later. To upgrade from earlier versions, perform intermediary upgrades.
Splunk Enterprise Security 5.3.x is compatible with Splunk Enterprise 7.1.0 and 7.1.1 only if you set phased_execution_mode=singlethreaded in the [search] stanza of the $SPLUNK_HOME/etc/system/local/limits.conf file. This setting avoids an issue that is fixed in Splunk Enterprise 7.1.2.
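A pre-upgrade check for the limits.conf requirement above, added here as an example and not part of Splunk's own tooling. The function names conf_get and check_phased_mode and the sample file are constructed for illustration, and the script reads only the single file it is given.

```shell
#!/bin/sh
# Added example: verify the limits.conf workaround needed on Splunk Enterprise 7.1.0/7.1.1.

# Print the value of KEY inside [STANZA] of a .conf file (last assignment wins).
conf_get() {  # usage: conf_get FILE STANZA KEY
    awk -v stanza="$2" -v key="$3" '
        /^[ \t]*#/ { next }                          # skip comment lines
        /^[ \t]*\[/ {                                # stanza header: track where we are
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            in_stanza = (name == stanza); next
        }
        in_stanza {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Return 0 if the platform version needs no workaround, or the workaround is in place.
check_phased_mode() {  # usage: check_phased_mode SPLUNK_VERSION LIMITS_CONF
    case "$1" in
        7.1.0|7.1.1) ;;       # the versions that require the setting
        *) return 0 ;;
    esac
    [ -f "$2" ] || return 1   # no local limits.conf means the setting is absent
    [ "$(conf_get "$2" search phased_execution_mode)" = "singlethreaded" ]
}

# Constructed sample standing in for $SPLUNK_HOME/etc/system/local/limits.conf
sample=$(mktemp)
cat > "$sample" <<'EOF'
# required on Splunk Enterprise 7.1.0 / 7.1.1
[search]
phased_execution_mode = singlethreaded
EOF
for v in 7.1.0 7.1.2; do
    if check_phased_mode "$v" "$sample"; then echo "$v: OK"
    else echo "$v: set phased_execution_mode=singlethreaded in [search]"; fi
done
rm -f "$sample"
```

To inspect the merged, effective value across all configuration layers instead of one file, run splunk btool limits list search on the search head.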
Before you upgrade Splunk Enterprise Security
- Review the compatible versions of the Splunk platform. See Splunk Enterprise system requirements.
- Review the hardware requirements to make sure that your server hardware supports Splunk Enterprise Security. See Hardware requirements.
- Review known issues with the latest release of Splunk Enterprise Security. See Known Issues in the Splunk Enterprise Security Release Notes.
- Review deprecated features in the latest release of Splunk Enterprise Security. See Deprecated features in the Splunk Enterprise Security Release Notes.
- Back up the search head, including the KV Store. The upgrade process does not back up the existing installation before upgrading. See Back up KV Store for instructions on how to back up the KV Store on the search head.
Recommendations for upgrading Splunk Enterprise Security
Upgrade both the Splunk platform and Splunk Enterprise Security in the same maintenance window. See the Splunk Enterprise system requirements to verify which versions of Splunk Enterprise Security and Splunk Enterprise are supported with each other.
- Upgrade Splunk Enterprise to a compatible version. See Upgrade your distributed Splunk Enterprise environment in the Splunk Enterprise Installation Manual.
- Upgrade Splunk platform instances.
- Upgrade Splunk Enterprise Security.
- Review, upgrade, and deploy add-ons.
- See the post-installation Version-specific upgrade notes.
Upgrading Enterprise Security deployed on a search head cluster is a multi-step process. The recommended procedure is detailed in Upgrade Enterprise Security on a search head cluster.
- The upgrade will fail if a deployment server manages apps or add-ons included in the Enterprise Security package. Before starting the upgrade, remove the deploymentclient.conf file containing references to the deployment server and restart Splunk services.
- The upgrade inherits any configuration changes and files saved in the app
- The upgrade maintains local changes to the menu navigation.
- After the upgrade, configuration changes inherited through the upgrade process might affect or override new settings. Use the ES Configuration Health dashboard to review configuration settings that might conflict with new configurations. See ES Configuration Health in the User Manual.
- The upgrade process is logged in
- Splunk Web might not start if you have AdvancedXML module folders from pre-4.0.x versions of Enterprise Security. Manually remove these files. For example, remove
Upgrade notes for add-ons included with Splunk Enterprise Security:
- The upgrade process overwrites all prior or existing versions of apps and add-ons.
- The upgrade does not overwrite a newer version of an app or add-on installed in your environment.
- An app or add-on that was disabled in the previous version will remain disabled after the upgrade.
- The upgrade disables deprecated apps or add-ons. The deprecated app or add-on must be manually removed from the Enterprise Security installation. After the upgrade, an alert displays in Messages to identify all deprecated items.
Changes to add-ons
For a list of add-ons included with this release of Enterprise Security, see Technology-specific add-ons provided with Enterprise Security.
Upgrading distributed add-ons
Splunk Enterprise Security includes the latest versions of the included add-ons that existed when this version was released.
A copy of the latest add-ons is included with Splunk Enterprise Security. When upgrading Enterprise Security, review all add-ons and deploy the updated add-ons to indexers and forwarders as required. The Enterprise Security installation process does not automatically upgrade or migrate any configurations deployed to the indexers or forwarders. See Deploy add-ons included with Splunk Enterprise Security.
You must migrate any customizations made to the prior versions of an add-on manually.
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1