Planning an upgrade of Splunk Enterprise Security
You must plan an on-premises Splunk Enterprise Security upgrade. If you are on the Splunk Cloud Platform, you must work with Splunk Support to coordinate upgrades to Splunk Enterprise Security.
When you upgrade to Splunk Enterprise Security version 8.0.0, you can no longer access any investigations created prior to the upgrade.
Upgrade Splunk Enterprise to the selected version and then upgrade Splunk Enterprise Security to the selected version. If you are upgrading Splunk Enterprise and Splunk Enterprise Security at the same time, you don't have to do stepped upgrades.
Stepped upgrades are only necessary if you stop at different core upgrades along the way.
Splunk Enterprise Security version 8.0.0 is not compatible with the Splunk app for PCI compliance. if your Splunk Enterprise Security installation relies on the PCI app, do not upgrade to Splunk Enterprise Security version 8.0.0.
Prerequisites
- Review the performance considerations. See Performance reference for Splunk Enterprise Security.
- Review the compatibility matrix to identify the version compatibility between Splunk Enterprise Security and Splunk Platform. See Splunk Products Compatibility matrix.
Unless there are compatibility restrictions, you can always upgrade to the latest version of Splunk Enterprise Security.
- Review the hardware requirements to make sure that your server hardware supports Splunk Enterprise Security. See Minimum specifications for a production deployment.
- Review known issues with the latest release of Splunk Enterprise Security. See Known Issues in the Splunk Enterprise Security Release Notes.
- Review deprecated features in the latest release of Splunk Enterprise Security. See Deprecated features in the Splunk Enterprise Security Release Notes.
- Back up the search head, including the KV Store. The upgrade process does not back up the existing installation before upgrading. See Back up KV Store for instructions on how to back up the KV Store on the search head.
- Approximately 3 GB of free space is required in the
/tmp/
directory for the upgrade to complete. When upgrading an app through either the CLI or Splunk Web UI, the/tmp/
directory is utilized during the process.
Recommendations for upgrading Splunk Enterprise Security
Upgrade both the Splunk platform and Splunk Enterprise Security in the same maintenance window. See the Deployment considerations for Splunk Enterprise Security to verify which versions of Splunk Enterprise Security and Splunk Enterprise are supported with each other.
- Upgrade Splunk Enterprise to a compatible version. See Upgrade your distributed Splunk Enterprise environment in the Splunk Enterprise Installation Manual.
- Upgrade Splunk platform instances.
- Upgrade Splunk Enterprise Security. You can download the app from Splunkbase.
- Review, upgrade, and deploy add-ons.
- See the post-installation Version-specific upgrade notes.
Upgrading Enterprise Security deployed on a search head cluster is a multi-step process. The recommended procedure is detailed in Upgrade Enterprise Security on a search head cluster.
Upgrade-specific notes
Consider the following potential issues that might occur when you upgrade Splunk Enterprise Security:
- The upgrade fails if a deployment server manages apps or add-ons included in the Splunk Enterprise Security package. Before starting the upgrade, remove the
deploymentclient.conf
file containing references to the deployment server and restart Splunk services. - The upgrade inherits any configuration changes and files saved in the app
/local
and/lookups
paths. - The upgrade maintains local changes to the menu navigation.
- After the upgrade, configuration changes inherited through the upgrade process might affect or override new settings. Use the Splunk Enterprise Security Configuration Health dashboard to review configuration settings that might conflict with new configurations. See ES Configuration Health in the User Manual.
- The upgrade process is logged in
$SPLUNK_HOME/var/log/splunk/essinstaller2.log
- Splunk Web might not start if you have AdvancedXML module folders from pre-4.0.x versions of Splunk Enterprise Security. Manually remove these files. For example, remove
$SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor
.
Consider the following potential issues that might occur when you upgrade add-ons included with Splunk Enterprise Security:
- The upgrade process overwrites all prior or existing versions of apps and add-ons.
- The upgrade does not overwrite a newer version of an app or add-on installed in your environment.
- An app or add-on that was disabled in the previous version remains disabled after the upgrade.
- The upgrade disables deprecated apps or add-ons. The deprecated app or add-on must be manually removed from the Splunk Enterprise Security installation. After the upgrade, an alert displays in messages to identify all deprecated items.
Changes to add-ons
For a list of add-ons included with this release of Splunk Enterprise Security, see Technology-specific add-ons provided with Splunk Enterprise Security.
Upgrading distributed add-ons
Splunk Enterprise Security includes the latest versions of the included add-ons that existed when this version was released.
A copy of the latest add-ons are included with Splunk Enterprise Security. When upgrading Splunk Enterprise Security, review all add-ons and deploy the updated add-ons to indexers and forwarders as required. The Splunk Enterprise Security installation process does not automatically upgrade or migrate any configurations deployed to the indexers or forwarders.
You must migrate any customizations made to the prior versions of an add-on manually.
See also
For more information on upgrading Splunk Enterprise Security, see the product documentation:
Configure data models for Splunk Enterprise Security | Upgrade Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!