Upgrade Splunk App for PCI Compliance
Upgrading the Splunk App for PCI Compliance from version 2.1.x to version 3.0.x is best performed with the assistance of Splunk Professional Services. Before upgrading, see What to expect from the upgrade in this manual. These upgrade procedures were tested for a migration from version 2.1.1 to version 3.0.x.
Upgrading a single-instance environment
If you use the Splunk App for PCI Compliance on a single server, follow these steps to upgrade your installation.
- Set up a new Splunk 6.3.0 instance and install the Splunk App for PCI Compliance 3.0.x. See Install the Splunk App for PCI Compliance in this manual.
- Stop services on the PCI 2.1.x instance.
- Point all forwarders and data sources to the PCI 3.0.x instance.
- Manually migrate custom data sources, app configurations, and user configurations from the PCI 2.1.x app. For example, you can migrate asset and identity lookups from PCI 2.1.x.
  - Locate the assets.csv and identities.csv files in SA-IdentityManagement/lookups on your 2.1.x instance.
  - Copy the files to the same location on your PCI 3.0.x instance.
  - If present, do not migrate the assets_by_str.csv, assets_by_cidr.csv, or identities.expanded.csv files, as PCI 3.0.x will recreate them once you migrate the assets and identities lists.
- Review all correlation searches used on PCI 2.1.x and enable them on the new PCI instance.
- Verify that you can search historical data and that there is data in the Incident Review dashboard in the Splunk App for PCI Compliance.
Note: The PCI 3.0.x dashboards might be empty until data model accelerations complete. Use the Data Model Audit dashboard to review the acceleration status.
Upgrading a distributed environment
If you use the Splunk App for PCI Compliance in a distributed Splunk environment with a deployment server, follow these steps to upgrade your installation.
- Upgrade your current indexers to Splunk 6.3.0, if they are not using that version already.
- Set up a new Splunk 6.3.0 search head and install the Splunk App for PCI Compliance 3.0.x. See Install the Splunk App for PCI Compliance in this manual.
- Stop services on the PCI 2.1.x search head.
- Install PCI 3.0.x on the indexers.
- Start the PCI 3.0.x search head and configure distributed search to the upgraded indexers.
- Using the distributed configuration management tool, create the Splunk SA ForIndexers app.
- Reconcile the PCI add-ons and index settings on the indexers with the Splunk SA ForIndexers app. Deploy the changes to the indexers.
- Manually migrate custom data sources, app configurations, and user configurations from the PCI 2.1.x app. For example, you can migrate asset and identity lookups from PCI 2.1.x.
  - Locate the assets.csv and identities.csv files in SA-IdentityManagement/lookups on your 2.1.x search head.
  - Copy the files to the same location on your PCI 3.0.x search head.
  - If present, do not migrate the assets_by_str.csv, assets_by_cidr.csv, or identities.expanded.csv files, as PCI 3.0.x will recreate them once you migrate the assets and identities lists.
- Review the correlation searches you used on PCI 2.1.x and enable them on the new PCI instance.
- Verify that you can search historical data and that there is data in the Incident Review dashboard in the Splunk App for PCI Compliance.
- Remove the old 2.1.x folders.
Note: Until the data model accelerations complete, the Splunk App for PCI Compliance dashboards might be empty. Use the Data Model Audit dashboard to review the acceleration status.
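The asset and identity lookup migration step appears in both the single-instance and the distributed procedures above. The following POSIX shell script is an added example, not part of this manual or of any Splunk tooling: it copies assets.csv and identities.csv from the 2.1.x SA-IdentityManagement lookups directory to the 3.0.x one, deliberately leaves behind the generated assets_by_str.csv, assets_by_cidr.csv and identities.expanded.csv files, and then checks the result. It assumes both instances are reachable from the same host and that the lookups live under $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups (the manual names only the SA-IdentityManagement/lookups part of the path); the /opt/splunk_2.1 and /opt/splunk paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not Splunk's own tooling): migrate the PCI 2.1.x asset and
# identity lookups into a PCI 3.0.x SA-IdentityManagement app, skipping the
# derived files that 3.0.x regenerates after the lists are loaded.
# Assumption: lookups live under $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups
# on both instances.

# migrate_identity_lookups OLD_LOOKUP_DIR NEW_LOOKUP_DIR
# Copies assets.csv and identities.csv, preserving timestamps and permissions.
migrate_identity_lookups() {
    old_dir="$1"
    new_dir="$2"
    [ -d "$old_dir" ] || { echo "source lookup dir missing: $old_dir" >&2; return 1; }
    mkdir -p "$new_dir" || return 1
    for f in assets.csv identities.csv; do
        if [ -f "$old_dir/$f" ]; then
            cp -p "$old_dir/$f" "$new_dir/$f" || return 1
            echo "copied $f"
        else
            echo "warning: $old_dir/$f not found, nothing copied" >&2
        fi
    done
    # Generated files stay on the 2.1.x side; PCI 3.0.x rebuilds them itself.
    for f in assets_by_str.csv assets_by_cidr.csv identities.expanded.csv; do
        if [ -f "$old_dir/$f" ]; then
            echo "skipping generated file $f (rebuilt by PCI 3.0.x)"
        fi
    done
    return 0
}

# verify_migrated_lookups NEW_LOOKUP_DIR
# Succeeds only if both source lookups are present on the 3.0.x side and none
# of the 2.1.x generated files were carried over.
verify_migrated_lookups() {
    new_dir="$1"
    for f in assets.csv identities.csv; do
        [ -f "$new_dir/$f" ] || { echo "missing $new_dir/$f" >&2; return 1; }
    done
    for f in assets_by_str.csv assets_by_cidr.csv identities.expanded.csv; do
        if [ -f "$new_dir/$f" ]; then
            echo "stale generated file $new_dir/$f" >&2
            return 1
        fi
    done
    return 0
}

# Example invocation (placeholder paths; adjust to your two instances):
# migrate_identity_lookups /opt/splunk_2.1/etc/apps/SA-IdentityManagement/lookups \
#                          /opt/splunk/etc/apps/SA-IdentityManagement/lookups
# verify_migrated_lookups /opt/splunk/etc/apps/SA-IdentityManagement/lookups
```

Run the migration with the PCI 3.0.x search head stopped or before its first identity lookup generation, then start it and check the Data Model Audit dashboard as the note above describes; the verify function only confirms the files landed, not that Splunk has reloaded the lookups.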
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5