Plan the upgrade
To plan your upgrade, you must be familiar with the Splunk App for PCI Compliance and have administrative knowledge of the Splunk platform.
Minimum requirements for upgrade
Before beginning the upgrade process, see "Known Issues" and "Release Notes" in the Release Notes to understand the new features and functionality. Also see the "Minimum recommended hardware requirements" in this manual.
Planning the upgrade
The Splunk App for PCI Compliance upgrade process assumes the following:
- You have an installation of PCI Compliance 2.1.x and the required add-ons on a dedicated search head or single-instance Splunk environment
- You are running Splunk Enterprise 6.0.1 or later on a supported Linux or Windows system
What to expect from the upgrade
The upgrade from PCI 2.1.x to PCI 3.0.x requires manual migration of custom configurations. Some information in PCI 2.1.x is not compatible with PCI 3.0.x.
Some historical status information will be lost.
- The upgrade process will migrate notable events associated with PCI, but will not migrate the historical statuses associated with the events. For example, if you have 50 notable events in the app, with 10 that have a status of closed and 20 with a status of in progress, after upgrading, all 50 notable events would have a status of new.
- Compliance status panels will not be accurate until they are repopulated with data. For example, the Compliance Status - Last 24 Hours panel will not contain an accurate status until 24 hours after the upgrade is complete. The Compliance Status History panel will not display data until five days after the upgrade.
- The PCI requirement 6 report will not be accurate until it is repopulated with data. For example, the Anomalous Update Service By System Count (Last 90 Days) panel will not contain an accurate count until 90 days after the upgrade is complete.
You will need to perform manual migration steps.
- Migrate custom app configurations.
- Migrate custom user configurations.
- Migrate custom csv files.
After the upgrade is complete, you will need to verify that your new configuration matches your old configuration. This includes:
- Updating any custom lookups you might have created.
- Verifying or updating any source type conversion or aliasing.
- Configuring new reports and scorecards for PCI compliance that did not exist before upgrading.
- Enabling the same correlation searches.
Note: Some lookups are now stored in the KV Store instead of in csv files. Some field names have changed, so the Splunk App for PCI Compliance 3.0.x will not be able to parse the information in the same way as before.
Configure Incident Workflow
Upgrade Splunk App for PCI Compliance
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5