Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Planning an upgrade of Splunk Enterprise Security

Plan an on-premises Splunk Enterprise Security upgrade. Splunk Cloud Platform customers must work with Splunk Support to coordinate upgrades to Enterprise Security.

Upgrade Splunk Enterprise to the selected version and then upgrade Enterprise Security to the selected version. If you are upgrading Splunk Enterprise and Enterprise Security at the same time, you don't have to do stepped upgrades.

Stepped upgrades are only necessary if you stop at different core upgrades along the way.

Before you upgrade Splunk Enterprise Security

  1. Review the performance considerations. See Splunk Enterprise system requirements.
  2. Review the compatibility matrix to identify the version compatibility between Splunk Enterprise Security and Splunk Platform. See Splunk Products Compatibility matrix.

Unless there are compatibility restrictions, you can always upgrade to the latest version of Splunk Enterprise Security.

  1. Review the hardware requirements to make sure that your server hardware supports Splunk Enterprise Security. See Hardware requirements.
  2. Review known issues with the latest release of Splunk Enterprise Security. See Known Issues in the Splunk Enterprise Security Release Notes.
  3. Review deprecated features in the latest release of Splunk Enterprise Security. See Deprecated features in the Splunk Enterprise Security Release Notes.
  4. Back up the search head, including the KV Store. The upgrade process does not back up the existing installation before upgrading. See Back up KV Store for instructions on how to back up the KV Store on the search head.
  5. Approximately 3 GB of free space is required in the /tmp/ directory for the upgrade to complete. When upgrading an app through either the CLI or Splunk Web UI, the /tmp/ directory is utilized during the process.

Recommendations for upgrading Splunk Enterprise Security

Upgrade both the Splunk platform and Splunk Enterprise Security in the same maintenance window. See the Splunk Enterprise system requirements to verify which versions of Splunk Enterprise Security and Splunk Enterprise are supported with each other.

  1. Upgrade Splunk Enterprise to a compatible version. See Upgrade your distributed Splunk Enterprise environment in the Splunk Enterprise Installation Manual.
  2. Upgrade Splunk platform instances.
  3. Upgrade Splunk Enterprise Security. You can download the app from Splunkbase.
  4. Review, upgrade, and deploy add-ons.
  5. See the post-installation Version-specific upgrade notes.

Upgrading Enterprise Security deployed on a search head cluster is a multi-step process. The recommended procedure is detailed in Upgrade Enterprise Security on a search head cluster.

Upgrade-specific notes

  • The upgrade will fail if a deployment server manages apps or add-ons included in the Enterprise Security package. Before starting the upgrade, remove the deploymentclient.conf file containing references to the deployment server and restart Splunk services.
  • The upgrade inherits any configuration changes and files saved in the app /local and /lookups paths.
  • The upgrade maintains local changes to the menu navigation.
  • After the upgrade, configuration changes inherited through the upgrade process might affect or override new settings. Use the ES Configuration Health dashboard to review configuration settings that might conflict with new configurations. See ES Configuration Health in the User Manual.
  • The upgrade process is logged in $SPLUNK_HOME/var/log/splunk/essinstaller2.log
  • Splunk Web might not start if you have AdvancedXML module folders from pre-4.0.x versions of Enterprise Security. Manually remove these files. For example, remove $SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor.

Upgrade notes for add-ons included with Splunk Enterprise Security:

  • The upgrade process overwrites all prior or existing versions of apps and add-ons.
  • The upgrade does not overwrite a newer version of an app or add-on installed in your environment.
  • An app or add-on that was disabled in the previous version will remain disabled after the upgrade.
  • The upgrade disables deprecated apps or add-ons. The deprecated app or add-on must be manually removed from the Enterprise Security installation. After the upgrade, an alert displays in Messages to identify all deprecated items.

Changes to add-ons

For a list of add-ons included with this release of Enterprise Security, see Technology-specific add-ons provided with Enterprise Security.

Upgrading distributed add-ons

Splunk Enterprise Security includes the latest versions of the included add-ons that existed when this version was released.

A copy of the latest add-ons are included with Splunk Enterprise Security. When upgrading Enterprise Security, review all add-ons and deploy the updated add-ons to indexers and forwarders as required. The Enterprise Security installation process does not automatically upgrade or migrate any configurations deployed to the indexers or forwarders. See Deploy add-ons included with Splunk Enterprise Security.

You must migrate any customizations made to the prior versions of an add-on manually.

Last modified on 19 September, 2023
Configure data models for Splunk Enterprise Security   Upgrade Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters