Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

Planning an upgrade of Splunk Enterprise Security

Plan an on-premises Splunk Enterprise Security upgrade before you start it. If you are on the Splunk Cloud Platform, you must work with Splunk Support to coordinate upgrades to Splunk Enterprise Security.

When you upgrade to Splunk Enterprise Security version 8.0.0, you can no longer access any investigations that were created prior to the upgrade.

Upgrade Splunk Enterprise to the selected version first, and then upgrade Splunk Enterprise Security to the selected version. If you upgrade Splunk Enterprise and Splunk Enterprise Security in the same maintenance window, you do not have to perform stepped upgrades.

Stepped upgrades are necessary only if you stop at intermediate Splunk Enterprise versions along the way.

Splunk Enterprise Security version 8.0.0 is not compatible with the Splunk App for PCI Compliance. If your Splunk Enterprise Security installation relies on the PCI app, do not upgrade to Splunk Enterprise Security version 8.0.0.

Prerequisites

  1. Review the performance considerations. See Performance reference for Splunk Enterprise Security.
  2. Review the compatibility matrix to identify the version compatibility between Splunk Enterprise Security and Splunk Platform. See Splunk Products Compatibility matrix.

    Unless there are compatibility restrictions, you can always upgrade to the latest version of Splunk Enterprise Security.

  3. Review the hardware requirements to make sure that your server hardware supports Splunk Enterprise Security. See Minimum specifications for a production deployment.
  4. Review known issues with the latest release of Splunk Enterprise Security. See Known Issues in the Splunk Enterprise Security Release Notes.
  5. Review deprecated features in the latest release of Splunk Enterprise Security. See Deprecated features in the Splunk Enterprise Security Release Notes.
  6. Back up the search head, including the KV Store. The upgrade process does not back up the existing installation before upgrading. See Back up KV Store for instructions on how to back up the KV Store on the search head.
  7. Make sure that approximately 3 GB of free space is available in the /tmp/ directory. Upgrading an app through either the CLI or Splunk Web uses the /tmp/ directory during the process, and the upgrade cannot complete without that space.

Recommendations for upgrading Splunk Enterprise Security

Upgrade both the Splunk platform and Splunk Enterprise Security in the same maintenance window. See the Deployment considerations for Splunk Enterprise Security to verify which versions of Splunk Enterprise Security and Splunk Enterprise are supported with each other.

  1. Upgrade Splunk Enterprise to a compatible version. See Upgrade your distributed Splunk Enterprise environment in the Splunk Enterprise Installation Manual.
  2. Upgrade Splunk platform instances.
  3. Upgrade Splunk Enterprise Security. You can download the app from Splunkbase.
  4. Review, upgrade, and deploy add-ons.
  5. See the post-installation Version-specific upgrade notes.

Upgrading Enterprise Security deployed on a search head cluster is a multi-step process. The recommended procedure is detailed in Upgrade Enterprise Security on a search head cluster.

Upgrade-specific notes

Consider the following potential issues that might occur when you upgrade Splunk Enterprise Security:

  • The upgrade fails if a deployment server manages apps or add-ons included in the Splunk Enterprise Security package. Before starting the upgrade, remove the deploymentclient.conf file containing references to the deployment server and restart Splunk services.
  • The upgrade inherits any configuration changes and files saved in the app /local and /lookups paths.
  • The upgrade maintains local changes to the menu navigation.
  • After the upgrade, configuration changes inherited through the upgrade process might affect or override new settings. Use the Splunk Enterprise Security Configuration Health dashboard to review configuration settings that might conflict with new configurations. See ES Configuration Health in the User Manual.
  • The upgrade process is logged in $SPLUNK_HOME/var/log/splunk/essinstaller2.log. Check this log first if the upgrade fails.
  • Splunk Web might not start if you have AdvancedXML module folders from pre-4.0.x versions of Splunk Enterprise Security. Manually remove these files. For example, remove $SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor.
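The following script is an added example, not code from the Splunk documentation or from the Enterprise Security installer. It turns prerequisite 7 and the upgrade-specific notes above into a read-only pre-flight check for a Linux or Unix search head: free space in /tmp/, any local deploymentclient.conf that would make the upgrade fail, leftover AdvancedXML module directories that can keep Splunk Web from starting, and the presence of the PCI app. The directory name SplunkPCIComplianceSuite used for the Splunk App for PCI Compliance is an assumption to verify against your installation; the KV Store backup remains a separate manual step.

```shell
#!/bin/sh
# Pre-upgrade checks for an on-premises Splunk Enterprise Security search head.
# Added example; not part of the Splunk documentation or the ES installer.
# Assumes a Linux/Unix search head. Thresholds and paths come from the page:
# ~3 GB free in /tmp, no local deploymentclient.conf, no leftover AdvancedXML
# module directories. The PCI app directory name is an assumption to verify.

# Free space (MiB) on the filesystem holding $1. df -P keeps one line per fs.
free_mib() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# Succeeds if directory $1 has at least $2 MiB free (default 3072, about 3 GB).
check_tmp_space() {
    dir=$1; need=${2:-3072}
    free=$(free_mib "$dir")
    if [ "$free" -ge "$need" ]; then
        echo "OK   $dir: ${free} MiB free (need ${need})"
        return 0
    fi
    echo "FAIL $dir: only ${free} MiB free (need ${need})"
    return 1
}

# deploymentclient.conf files under $SPLUNK_HOME/etc that make the upgrade fail.
# Shipped copies under */default/ are skipped; only local copies matter.
find_deployment_clients() {
    find "$1/etc" -name deploymentclient.conf ! -path '*/default/*' 2>/dev/null
}

# Pre-4.0.x AdvancedXML module directories (e.g. SA-Utils/appserver/modules/...).
find_advancedxml_modules() {
    find "$1/etc/apps" -type d -path '*/appserver/modules/*' 2>/dev/null
}

# Run every check against SPLUNK_HOME=$1 (optional: temp dir $2, needed MiB $3).
# Returns non-zero when something the page lists as blocking is present.
preflight() {
    home=$1; tmpdir=${2:-/tmp}; need=${3:-3072}; rc=0
    check_tmp_space "$tmpdir" "$need" || rc=1
    # Assumed directory name for the Splunk App for PCI Compliance; verify locally.
    if [ -d "$home/etc/apps/SplunkPCIComplianceSuite" ]; then
        echo "FAIL PCI compliance app installed: ES 8.0.0 is not compatible with it"
        rc=1
    fi
    dc=$(find_deployment_clients "$home")
    if [ -n "$dc" ]; then
        echo "FAIL deployment client config present; remove it and restart Splunk first:"
        echo "$dc" | sed 's/^/     /'
        rc=1
    else
        echo "OK   no local deploymentclient.conf under $home/etc"
    fi
    ax=$(find_advancedxml_modules "$home")
    if [ -n "$ax" ]; then
        echo "WARN leftover AdvancedXML module directories; remove them or Splunk Web may not start:"
        echo "$ax" | sed 's/^/     /'
    else
        echo "OK   no leftover AdvancedXML module directories"
    fi
    return $rc
}

# Run against the live search head when invoked directly (SPLUNK_HOME default /opt/splunk).
if [ -d "${SPLUNK_HOME:-/opt/splunk}/etc" ]; then
    preflight "${SPLUNK_HOME:-/opt/splunk}" || echo "preflight: upgrade blockers found"
fi
```

Run it as the user that owns the Splunk installation so that every app directory is readable. A non-zero exit means a listed blocker is present; warnings are reported but do not change the exit status.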

Consider the following potential issues that might occur when you upgrade add-ons included with Splunk Enterprise Security:

  • The upgrade process overwrites all prior or existing versions of apps and add-ons.
  • The upgrade does not overwrite a newer version of an app or add-on installed in your environment.
  • An app or add-on that was disabled in the previous version remains disabled after the upgrade.
  • The upgrade disables deprecated apps or add-ons. The deprecated app or add-on must be manually removed from the Splunk Enterprise Security installation. After the upgrade, an alert displays in messages to identify all deprecated items.

Changes to add-ons

For a list of add-ons included with this release of Splunk Enterprise Security, see Technology-specific add-ons provided with Splunk Enterprise Security.

Upgrading distributed add-ons

Splunk Enterprise Security includes the latest versions of the bundled add-ons that existed when this version was released.

A copy of those add-ons is included with Splunk Enterprise Security. When upgrading Splunk Enterprise Security, review all add-ons and deploy the updated add-ons to indexers and forwarders as required. The Splunk Enterprise Security installation process does not automatically upgrade or migrate any configurations deployed to the indexers or forwarders.

You must migrate any customizations made to the prior versions of an add-on manually.
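The following script is an added example, not code from the Splunk documentation. It reads the version of each add-on in an unpacked Splunk Enterprise Security package and in $SPLUNK_HOME/etc/apps, applies the overwrite rules listed above (an installed version older than or equal to the packaged one is overwritten, a newer installed version is kept, an add-on that is not installed is new), and lists the local/ and lookups/ files of each installed add-on so that customizations can be migrated by hand. The package layout <package>/<add-on>/default/app.conf is an assumption; point it at wherever you unpacked the add-ons.

```shell
#!/bin/sh
# Add-on inventory before an ES upgrade. Added example, not Splunk's code.
# Assumes the add-ons from the ES package have been unpacked so that each one
# sits at <package>/<app>/default/app.conf (layout is an assumption).

# Print the version from an app.conf ([launcher] stanza, version = x.y.z) or "unknown".
app_version() {
    [ -f "$1" ] || { echo unknown; return 0; }
    awk -F= '
        /^\[/ { in_launcher = ($0 == "[launcher]") }
        in_launcher && $1 ~ /^[ \t]*version[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; found = 1; exit
        }
        END { if (!found) print "unknown" }' "$1"
}

# Compare dotted versions: prints -1, 0 or 1 for a < b, a = b, a > b.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# What the ES upgrade does with add-on $3: NEW (not installed), KEEP (installed
# copy is newer), OVERWRITE (installed copy is older or the same version).
addon_action() {
    home=$1; pkg=$2; app=$3
    [ -d "$home/etc/apps/$app" ] || { echo NEW; return 0; }
    inst=$(app_version "$home/etc/apps/$app/default/app.conf")
    new=$(app_version "$pkg/$app/default/app.conf")
    case $(vercmp "$new" "$inst") in
        -1) echo KEEP ;;
        *)  echo OVERWRITE ;;
    esac
}

# Files under local/ and lookups/ of an installed add-on: the customizations
# that must be migrated manually after the new version is in place.
addon_customizations() {
    find "$1/etc/apps/$2/local" "$1/etc/apps/$2/lookups" -type f 2>/dev/null
}

# One line per add-on in the package, followed by the files to carry over.
addon_report() {
    home=$1; pkg=$2
    for dir in "$pkg"/*/; do
        [ -d "$dir" ] || continue
        app=$(basename "$dir")
        printf '%-10s %-40s installed=%s package=%s\n' \
            "$(addon_action "$home" "$pkg" "$app")" "$app" \
            "$(app_version "$home/etc/apps/$app/default/app.conf")" \
            "$(app_version "$pkg/$app/default/app.conf")"
        addon_customizations "$home" "$app" | sed 's/^/    keep: /'
    done
}

# Usage: addon_report "${SPLUNK_HOME:-/opt/splunk}" /path/to/unpacked/es-addons
```

Run the report on the search head before the upgrade and keep its output: the "keep:" lines are the files whose settings you must re-apply to the new add-on versions, and the same comparison applies to the add-on copies you push to indexers and forwarders, which the installer does not touch.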

See also

For more information on upgrading Splunk Enterprise Security, see the product documentation:

Last modified on 11 October, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0