Upgrade Splunk App for PCI Compliance
This topic describes how to use the PCI Compliance Install App to upgrade an installed version of the Splunk App for PCI Compliance to the latest version.
Step 1. Get the Splunk App for PCI Compliance
1. Download the PCI Compliance Install App.
2. Click Download App and save the PCI Compliance Install App to your desktop.
3. From Splunk Home, go to App > Manage Apps… > Install App from File to add the Install App to your Splunk instance.
If you have the PCI Compliance Install App on your system, make sure you click Upgrade app, and overwrite the existing app with the newer version when you upload the file.
4. Restart Splunk Enterprise.
Step 2. Launch the upgrade installer
1. After Splunk Enterprise restarts, log back into Splunk Enterprise.
2. Go to Splunk Home and click PCI Compliance Install App.
3. To perform the upgrade, the installer first needs to disable the current instance of the Splunk App for PCI Compliance. Click Disable.
4. Restart Splunk Enterprise.
Note: The Splunk App for PCI Compliance includes a setting that forces Splunk Web to run over HTTPS. While disabled you might need to connect to Splunk Web using HTTP instead (
5. Click the click here to continue link when the Splunk Enterprise restart is complete.
Step 3. Evaluate your environment prior to upgrade
1. Log back into Splunk Enterprise. In the PCI Compliance Install App, click Continue to begin the upgrade.
2. The Upgrade and Compare screen contains tabs with upgrade warnings, customizations, deprecated apps, or changes to the default configuration files associated with the upgrade. Review each of these tabs before continuing with the upgrade.
3. Use the information in these panels to evaluate your existing configuration and resolve potential conflicts and customizations that could pose a problem during the upgrade. See "Resolve warnings and conflicts" below for details.
4. As you make changes to resolve issues, click Recheck to verify that the issue is fixed. Repeat this process as many times as necessary.
5. Click Print Report for a list of the warnings, customizations, deprecated apps, and changes to configuration files associated with the upgrade.
Step 4. Upgrade PCI Compliance
When you have reviewed each of the tabs and made changes, continue with the upgrade.
1. Click Upgrade & Restart to perform the upgrade.
2. Click the click here to continue link when the Splunk Enterprise restart is complete.
Note: The Splunk App for PCI Compliance automatically enables SSL.
3. The PCI Compliance Install App should display a message like:
Splunk App for PCI Compliance is up to date. Current version (version:2.1.x, build:xxxx) is installed. You will be notified of future updates.
Do not remove or disable the PCI Compliance Install App.
Step 5. Set up and configure the app
After performing the upgrade, set up the app.
1. Click Splunk to go to Splunk Home.
2. Click the PCI Compliance app.
3. Click Continue to app setup page.
Note: If the upgrade is performed, and the setup procedure is not run, Splunk Enterprise might display errors on some dashboards.
4. Verify the settings on the Splunk App for PCI Compliance Setup page.
See the "Capacity Planning Manual".
5. Click Save. The PCI Compliance configure page appears.
See the "Steps to configure" in this manual for details on setting up the Splunk App for PCI Compliance.
Backup of the upgrade
The PCI Compliance Install App creates a backup of the Splunk App for PCI Compliance installation after the upgrade completes. The folder and ZIP file of the PCI Compliance installation are located at:
This file is located
Note: After completing the upgrade and restarting Splunk Enterprise, check various parts of the Splunk App for PCI Compliance to see if they are still working as expected.
Resolve warnings and conflicts
During an upgrade using the PCI Compliance Install App, you might encounter warnings and conflicts between your current installation and the newer version of the Splunk App for PCI Compliance.
The following sections describe the possible issues and the appropriate actions to resolve them.
Any warnings associated with your upgrade are shown on this tab. Use the examples in this section to resolve these upgrade warnings.
This custom navigation file prevents updates from being deployed with the new navigation. This custom file is renamed (to
default.xml.old) and disabled after the upgrade. Re-enable this custom navigation file to rollback the changes.
The latest version of the Splunk App for PCI Compliance includes major changes to app navigation. If you upgrade from another version, you have a pre-existing custom navigation for PCI Compliance, most likely an artifact of previous setup tasks that generate a custom, local navigation as a side effect.
If you did not make any customizations to your navigation, you can ignore this message. The install/upgrade disables the existing custom navigation and deploys the new one. If you have customizations you want to keep, continue with the upgrade. After the upgrade, the new navigation is used.
To retrieve your previous customizations, refer to the old navigation file, now located:
$SPLUNK_HOME/etc/apps/SplunkPCICompliance/local/data/ui/nav/default.xml.old. You need to manually map and add the earlier customizations into the new
default.xml navigation file.
Invalid Savedsearches.conf Attribute Settings
File: $SPLUNK_HOME/etc/apps/SA-NetworkProtection/local/aggregate.conf Network - Policy Or Configuration Change - Rule ==> duration :: -86400 - ERROR: 'duration' less than 1 second group_by :: - ERROR: 'group_by' cannot be empty
These conflicts apply to the detection and conversion of correlation search aggregation settings. These errors only apply to upgrades which used the correlation search aggregate framework, and correspond to invalid custom settings with that older framework. The change needed to fix each error is shown in the detected error message.
Network - Policy Or Configuration Change - Rule ==> duration :: -86400 - ERROR: 'duration' less than 1 second group_by :: - ERROR: 'group_by' cannot be empty
Errors show the correlation search stanzas and the offending settings for each. Possible errors include:
duration cannot be less than 1 second duration must be an integer group by cannot be empty
To resolve the issue, change the local values of settings in their respective stanzas, in the
/local/aggregate.conf file before proceeding with the upgrade. Click the recheck button after you make changes to the
aggregate.conf file to verify that the issue is resolved.
Local/Custom Savedsearch overwrites new default search
File: $SPLUNK_HOME/etc/apps/SA-EndpointProtection/local/savedsearches.conf Endpoint - Recurring Malware Infection - Rule ==> search :: `get_summary(endpoint_summary,Endpoint - All Malware - Summary Gen)` | search * | stats dc(date_mday) as day_count by dest,signature | search day_count>3 | localop | aggregate search="Endpoint - Recurring Malware Infection - Rule"
You can modify search strings in a saved searches local directory, but if the newer version of the app includes a fix/change in the same saved search, the local version prevents the new changes from taking effect. The searches detected here are specifically correlation searches and ones that have undergone conversion from the aggregate framework to the per-event-alerting framework.
Comment out the existing custom search string in your
/local directory. The new search string in the
/default stanza is used. To preserve the existing custom search string, you need to reconcile the differences between the existing search logic and the new analogous search string in the
Click Customizations to see what local customizations might be lost during the upgrade. This tab identifies local customizations in
.conf files in the Splunk App for PCI Compliance that might prevent new default content from taking effect. The Install App searches for modifications to configuration files in
local directories and displays any custom configuration conflicts that might occur with the newer version of the app.
Changes to configuration files should always be performed in an equivalent file within the
local sub-directory. User customizations made to
default objects are not saved and are overwritten during the app upgrade.
Warning: If you choose to move forward with the upgrade, the files listed are overwritten and any customizations are lost.
The Splunk configuration file layering system gives local
.conf settings precedence over default
.conf settings. If a setting's value changed in the new release and there is an existing local setting, this prevents new functionality or fixes.
The reporting hierarchy for
.conf files is as follows:
- removed file - modified file - removed stanza - modified stanza - removed attribute setting - modified attribute setting
This information is presented this way in the panel:
.conffiles different from latest default version
.confstanzas removed from latest default version
.confattributes different from latest default version
- TSIDX Conflicts
- Navigation Lite View Differences
Conflicting deprecated local .conf files
The detected local customized files that are deprecated from the latest release.
Remove these files because they no longer exist in
default. Examine the files to determine if anything needs to be backed up.
Conflicting Deprecated Local .conf Files file: SA-IdentityManagement/local/correlationsearches.conf
Conflicting modified local .conf files
The upgrade process can detect local configuration files that have stanza and attribute conflicts.
- Deprecated Stanzas: These stanzas no longer exist in the latest release. Remove this stanza from the 'local'
deprecated stanza(s): file: SA-EndpointProtection/local/savedsearches.conf > stanza: [Endpoint - Disk Tracker - Lookup Gen]
- Deprecated Attributes: These attributes no longer exist in the latest release. Remove this attribute from the 'local'
deprecated attribute(s): file: SA-CommonInformationModel/local/macros.conf > stanza: [cim_ids_types] attribute: errormsg
- Conflicting Attributes: The following attributes have updated default values in the latest release. Evaluate whether you want to keep your local customization. You can simply remove it and the default value overrides it.
conflicting attribute(s): file: SA-CommonInformationModel/local/macros.conf > stanza: [cim_ids_types] attribute: definition
Click Deprecated Apps to see any currently installed apps or add-ons, previously shipped with the Splunk App for PCI Compliance, that are deprecated in this release. Some deprecated apps are replaced with a newer app and others are simply left in place. Notes on this tab tell you what the installer will do with each of these apps.
The Default .conf tab shows any modified default configuration files or extension files that have been detected by the Install App.
- Detected Modified Configuration Files: These files have been modified from the original files shipped with the Splunk App for PCI Compliance. These files are overwritten during the installation. If you want to save the modified files, copy the files to an appropriate location (like the
localdirectory on your system).
Warning: If you chose to move forward with the upgrade, the modified configuration files listed are overwritten and any customizations are lost.
- Detected Extension Files: These files are new 'extension' files detected by the Install app. They will be unaffected by the upgrade.
Notable changes in the Splunk App for *Nix
Troubleshoot your deployment
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1