Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Upgrade Splunk Enterprise Security

This topic describes how to upgrade Splunk Enterprise Security on an on-premises search head from version 5.2.2 or later to the latest release. Splunk Cloud customers work with Splunk Support to coordinate upgrades to Enterprise Security.

Step 1. Review the planning topic

  1. For an overview of the upgrade process and prerequisites, see Planning an upgrade in this manual.
  2. Perform a full backup of the search head, including the KV Store, before upgrading. The upgrade process does not back up the existing installation before upgrading. See Back up KV Store for instructions on how to back up the KV Store on the search head.

To back out of the upgrade, you must restore the prior version of Splunk Enterprise Security from backup.

Step 2. Download Splunk Enterprise Security

  1. Open splunk.com and log in with your Splunk.com ID. You must be a licensed Enterprise Security customer to download the product.
  2. Download the latest Splunk Enterprise Security product.
  3. Choose Download and save the Splunk Enterprise Security product file to your desktop.
  4. Log in to the Enterprise Security search head as an administrator.

Step 3. Install the latest Splunk Enterprise Security

The installer dynamically detects if you're installing in a single search head environment or search head cluster environment. The installer is also bigger than the default upload limit for Splunk Web.

  1. Increase the Splunk Web upload limit to 1 GB by creating a file called $SPLUNK_HOME/etc/system/local/web.conf with the following stanza.
    [settings]
    max_upload_size = 1024
  2. To restart Splunk from the Splunk toolbar, select Settings > Server controls and click Restart Splunk.
  3. On the Splunk Enterprise search page, select Apps > Manage Apps and choose Install App from File.
  4. Select the Splunk Enterprise Security product file.
  5. Click Choose File and select the Splunk Enterprise Security product file.
  6. Click Upgrade app to overwrite the existing Splunk Enterprise Security installation.
  7. Click Upload to begin the installation.
  8. When prompted, configure Splunk Enterprise Security.
  9. Click Restart Splunk.

If you do not run the setup procedure promptly after the file upload completes, Enterprise Security displays errors.

Step 4. Set up Splunk Enterprise Security

After Splunk Web comes back up following the restart, set up Splunk Enterprise Security.

  1. Click Continue to app setup page to start the ES setup.
  2. Click Start.
  3. The Splunk Enterprise Security Post-Install Configuration page indicates the upgrade status as it moves through the stages of installation.
  4. Choose to exclude selected add-ons from being installed, or install and disable them.
    When the setup is done, the page prompts you to restart Splunk platform services.
  5. Click Restart Splunk to finish the installation.

Step 5. Validate the upgrade

The Splunk Enterprise Security upgrade process is now complete. Objects that were disabled during the upgrade process are re-enabled automatically.

  1. On the Enterprise Security menu bar, select Audit > ES Configuration Health.
  2. Review potential conflicts and changes to the default settings. See ES Configuration Health in the User Manual.
  3. Clear the browser cache of the browser you use to access Splunk Web to make sure that you access a fresh version of Splunk Web after upgrading. If you do not clear the browser cache, some pages might fail to load.

Splunk logs the upgrade in $SPLUNK_HOME/var/log/splunk/essinstaller2.log.

Version-specific upgrade notes

After upgrading to version 6.0

If you do a new installation of Enterprise Security on a search head cluster using the default option as the deployer push mode and have automatic lookups set in the props.conf configuration file, you may see errors in your asset identity framework. For more information, see SOLNESS-17956.

When you upgrade the Splunk Enterprise Security app to versions 6.0 or higher, you might see the following issues in Assets and Identities:

For complete details, see Manage asset and identity upon upgrade.

After upgrading to version 5.3.x

If you followed the default behavior and installed the technology add-ons that shipped with Enterprise Security in previous versions, after upgrading to version 5.3.x you will notice messages that state, "TA-<name> version <number> is lower than required." This is expected behavior with the recent installer enhancements. After upgrading, do one of the following:

After upgrading to version 5.1.x

Manually delete the file $SPLUNK_HOME/etc/apps/splunk_instrumentation/default/data/ui/views/search.xml. After deleting the file, do one of the following:

  • Refresh Splunk Web: http(s)://yoursplunkurl.com:8000/en-US/debug/refresh?entity=data/ui/views
  • Refresh splunkd: http(s)://yoursplunkurl.com:8089/services/data/ui/views/_reload

After upgrading to version 5.0.x

  • Select the Edit Lookups permission checkbox again. Because the Edit Lookups permission now includes an additional capability, the permission is not checked by default. Roles still have the edit_lookups capability. See Configure users and roles in the Installation and Upgrade Manual.
  • Enable the Access - Geographically Improbable Access - Summary Gen search to see data on the Geographically Improbable Access panel of the Access Anomalies dashboard or notable events produced by the Geographically Improbable Access Detected correlation search.

After upgrading from a version prior to 4.1.x

  • Correlation search editor configurations might be inconsistent with pre-upgrade settings if the search migration process is still running. Search the internal index to look for successfully migrated searches and review the status of the migration operation.

    index=_internal sourcetype=configuration_check file="confcheck_es_modactions*" migrated

  • Enabled correlation searches that are not configured to create notable events revert to creating notable events.
    For example, a correlation search that by default created a notable event and a risk modifier, and that you configured to create only a risk modifier, will after the upgrade create both a risk modifier and a notable event.
    1. Before upgrading, note the enabled correlation searches that do not create notable events using the following search.

       | rest splunk_server=local count=0 /services/saved/searches search="name=\"*-Rule\"" | where disabled=0 AND 'action.summary_index'=0 | table 'eai:acl.app',title

    2. After the upgrade is complete, update the affected correlation searches so that the searches no longer create notable events.

Test upgrade and setup of Splunk Enterprise Security

You can test the upgrade and setup of Splunk Enterprise Security before you perform the full upgrade. You must complete Step 1. Review the planning topic, Step 2. Download Splunk Enterprise Security, and the first two sub-steps of Step 3. Install the latest Splunk Enterprise Security before you can follow these steps.

  1. From Splunk Web, open the Search and Reporting app.
  2. Type the following search to perform a dry run of the upgrade and setup.

    |essinstall --dry-run

  3. You can use additional options to specify add-ons to install, to skip installing, or to disable after installing.

    |essinstall --install-ta <ta-name>+ --skip-ta <ta-name>+ --disable-ta <ta-name>+

    Specify the name of the add-on to install, skip, or disable, or use * as a wildcard. Use + to specify multiple add-ons.

Last modified on 08 June, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 6.0.2

