Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Upgrade the Splunk App for PCI Compliance

This topic describes how to upgrade an installed version of the Splunk App for PCI Compliance version 3.0 or later to the latest release.

To review the migration steps for a 2.x version of the Splunk App for PCI Compliance, see the instructions in Upgrade Splunk App for PCI Compliance in the version 3.0.x Installation and Upgrade Manual.

Order of operations for upgrading

  1. Review the planning topic.
  2. Upgrade Splunk platform instances.
  3. If installing the Splunk App for PCI Compliance (for Splunk Enterprise Security), upgrade the Splunk Enterprise Security search head instance. See Planning an upgrade of Splunk Enterprise Security in the Splunk Enterprise Security Installation and Upgrade Manual.
  4. Download the Splunk App for PCI Compliance.
  5. Install the latest version of the Splunk App for PCI Compliance.
  6. Set up the Splunk App for PCI Compliance.
  7. Validate the upgrade.
  8. Review, upgrade, and deploy add-ons.

To install the Splunk App for PCI Compliance on a search head cluster, see Upgrade Splunk App for PCI Compliance on a search head cluster.

Review the planning topic

Review the planning topic and back up your system before you upgrade.

  1. See Plan the upgrade in this manual.
  2. Perform a full backup of the search head or your single instance deployment.

Download the Splunk App for PCI Compliance

Obtain the new version of the Splunk App for PCI Compliance.

  1. Download the version of the Splunk App for PCI Compliance that you are upgrading to.
    1. Splunk App for PCI Compliance (for Splunk Enterprise).
    2. Splunk App for PCI Compliance (for Splunk Enterprise Security).
  2. Download the app and save the product file to your desktop.
  3. Log in to the PCI instance or search head as an administrator.

Install the latest version of the Splunk App for PCI Compliance

  1. On the Splunk platform search page, select Apps > Manage Apps and select Install App from File.
  2. Select Upgrade app to start the upgrade.
  3. Select Choose File and browse to the Splunk App for PCI Compliance product file.
  4. Click Upload to begin the installation.
  5. Select Set up now to begin the Splunk App for PCI Compliance setup.

Run the setup procedure promptly after the upload completes. If the setup procedure is not run promptly after the upload completes, errors display in the Splunk App for PCI Compliance.

Set up the Splunk App for PCI Compliance

  1. Select Start.
  2. The Splunk App for PCI Compliance Post-Install Configuration page indicates the upgrade status as it moves through the stages of installation.
  3. Choose to exclude selected add-ons from being installed, or install and disable them. When the setup is done, the page will prompt you to restart Splunk platform services.
  4. Select Restart Splunk to finish the installation.

Validate the upgrade

The Splunk App for PCI Compliance upgrade process is now complete. Objects disabled during the upgrade process are enabled again automatically. Validate that the upgrade succeeded.

  1. On the Splunk App for PCI Compliance menu bar, select Audit > ES Configuration Health.
  2. Select a version of 4.0.x to match the 3.0.x version of the Splunk App for PCI Compliance that you are upgrading from. For example, if you are upgrading from Splunk App for PCI Compliance version 3.0.2, select 4.0.2 as your previous version.
  3. Review potential conflicts and changes to the default settings. For more information, see ES Configuration Health in the Splunk Enterprise Security User Manual.

Enable notable actions for correlation searches post upgrade

When you upgrade the Splunk App for PCI Compliance, notable actions for some correlation searches that are available in Splunk Enterprise Security may be disabled. If you want these correlation searches to generate notables, you must re-enable the notable actions for the correlation searches in Splunk Enterprise Security.

For more information on how to re-enable the notable actions for Splunk Enterprise Security, see Enable notables for correlation searches in the Splunk Enterprise Security Admin Manual.
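A quick way to find out which correlation searches lost their notable action after the upgrade is to audit savedsearches.conf on the search head before re-enabling anything in the UI. The script below is an added example and is not part of the Splunk documentation or the app. It assumes that Enterprise Security marks correlation searches with the action.correlationsearch.enabled key and their notable action with the action.notable key in savedsearches.conf; confirm both key names against a savedsearches.conf in your own $SPLUNK_HOME/etc/apps/<app>/local directory before relying on the output. The sample configuration it reads is constructed for the demo and is not real app content.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation): list correlation searches
# whose notable action is not enabled in a savedsearches.conf file.
# Assumption: the file uses the keys "action.correlationsearch.enabled" and
# "action.notable" as Enterprise Security writes them. Confirm against your own
# $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf before relying on this.

# Print the names of stanzas that are correlation searches
# (action.correlationsearch.enabled = 1) but do not have action.notable = 1.
# Reads the .conf file given as $1. Keys such as action.notable.param.* are
# ignored because the pattern requires "=" right after the key name.
list_missing_notable() {
  awk '
    function flush() {
      if (stanza != "" && corr == 1 && notable != 1) print stanza
    }
    /^\[.*\]$/ {
      flush()
      stanza = substr($0, 2, length($0) - 2)
      corr = 0; notable = 0
      next
    }
    /^[ \t]*action\.correlationsearch\.enabled[ \t]*=/ {
      split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); corr = (kv[2] == "1")
    }
    /^[ \t]*action\.notable[ \t]*=/ {
      split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); notable = (kv[2] == "1")
    }
    END { flush() }
  ' "$1"
}

# Constructed sample savedsearches.conf (not real app content) so the check
# can be run offline. Two of the three correlation searches lack a notable
# action; the report stanza is not a correlation search and must not appear.
make_sample_conf() {
  cat > "$1" <<'EOF'
[Access - Brute Force Access Behavior Detected - Rule]
action.correlationsearch.enabled = 1
action.notable = 1
action.notable.param.rule_title = Brute Force Access Behavior Detected

[Network - Unusual Volume of Network Activity - Rule]
action.correlationsearch.enabled = 1
action.notable = 0

[Threat - Threat List Activity - Rule]
action.correlationsearch.enabled = 1

[PCI - Weekly Summary Report]
action.correlationsearch.enabled = 0
EOF
}

# Demo: run with "--demo" to audit the constructed sample; otherwise pass a
# real file to list_missing_notable yourself.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample_conf "$tmp"
  list_missing_notable "$tmp"
  rm -f "$tmp"
fi
```

Run it against the app's local savedsearches.conf on the search head (or on each cluster member) and compare the list with the correlation searches you expect to produce notables; the actual re-enabling is still done as described in the Enterprise Security Admin Manual topic linked above.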

Upgrade Splunk App for PCI Compliance on a search head cluster

Upgrade the Splunk App for PCI Compliance (for Splunk Enterprise) on a search head cluster. Review the instructions before beginning the upgrade.

Prerequisites

Upgrade Splunk platform on all search head instances as required. For more information on upgrading the Splunk platform instances that make up a search head cluster, see Upgrade a search head cluster in the Distributed Search Manual.

Prepare a staging instance

The staging instance is used to compare the deployer's copy of the Splunk App for PCI Compliance with the latest release. If you have a clean testing or QA instance in your environment, you may use that instance for staging the upgrade if no other apps are installed.

  1. Prepare a single instance of Splunk Enterprise to use for staging an upgrade. This instance is for staging only, and should not connect to indexers or search peers.
  2. Copy the Splunk App for PCI Compliance (for Splunk Enterprise) installation from the deployer instance path $SPLUNK_HOME/etc/shcluster/apps to the staging instance path $SPLUNK_HOME/etc/apps. The deployer's copy of the Splunk App for PCI Compliance represents the prior release, and includes configuration settings that are deployed to the search head cluster. It does not include the runtime knowledge object changes replicated between the search head cluster nodes.

Upgrade staging to the latest version of the Splunk App for PCI Compliance

Follow the upgrade steps.

  1. Review the planning topic.
  2. Download the Splunk App for PCI Compliance.
  3. Install the latest version of the Splunk App for PCI Compliance.
  4. Set up the Splunk App for PCI Compliance.
  5. Validate the upgrade.

After the upgrade is complete, reconcile customized configurations.

  1. Reconcile configurations and settings in the deployed version of the Splunk App for PCI Compliance with the latest release.
  2. Remove deprecated apps and add-ons. The upgrade process automatically disables deprecated apps and add-ons and displays an alert in Messages on the staging instance to identify the deprecated items.

Migrate the upgraded instance to the deployer

Migrate the upgraded contents from the staging instance to the deployer and deploy the upgraded version to the search head cluster members.

  1. On the staging instance, copy $SPLUNK_HOME/etc/apps to $SPLUNK_HOME/etc/shcluster/apps on the deployer.
  2. On the deployer, remove any deprecated apps or add-ons in $SPLUNK_HOME/etc/shcluster/apps that were noted during the upgrade on staging.

Deploy the changes to the cluster members

On the deployer, deploy the Splunk App for PCI Compliance while retaining lookup file content created on the cluster members. Use the preserve-lookups true switch. See Maintain lookup files across app upgrades in the Splunk Enterprise Distributed Search Manual.
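The staging round trip above (copy the deployer's app to staging, reconcile local overrides, copy back, remove deprecated add-ons, deploy with lookups preserved) is easy to get wrong by hand, most often by staging onto an instance that is not clean or by pushing a deprecated add-on back out to the members. The helpers below are an added example and are not part of the Splunk documentation or the app. They assume both paths are reachable from the machine running them (local disk or a mount; between hosts use scp or rsync in place of cp), that the app directory name is passed in as an argument (check $SPLUNK_HOME/etc/apps on your search head for the real name), and that the deploy command is only printed for review, never run. The directory layout used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation: helpers for the
# staging -> deployer round trip of a search head cluster upgrade.
# Assumptions: deployer and staging paths are both reachable from here (use
# scp/rsync between hosts instead of cp); the app directory name is an
# argument; the deploy step is printed, not executed.
# Usage (hypothetical file name):  . ./pci_shc_upgrade.sh ; stage_app ...

# Copy one app from the deployer's shcluster/apps to the staging instance's
# apps directory. Refuses to overwrite, so a staging box that already holds a
# copy of the app (i.e. is not clean) is caught instead of silently merged.
stage_app() {
  deployer_apps=$1; staging_apps=$2; app=$3
  if [ ! -d "$deployer_apps/$app" ]; then
    echo "stage_app: $deployer_apps/$app not found" >&2; return 1
  fi
  if [ -e "$staging_apps/$app" ]; then
    echo "stage_app: $staging_apps/$app already exists; staging must be clean" >&2; return 1
  fi
  mkdir -p "$staging_apps" && cp -pR "$deployer_apps/$app" "$staging_apps/$app"
}

# List the local/*.conf overrides inside an app directory. These hold the
# customizations that must be reconciled with the new release after the
# upgrade on staging; default/ belongs to the release and is replaced.
list_local_overrides() {
  appdir=$1
  for f in "$appdir"/local/*.conf; do
    [ -f "$f" ] && basename "$f"
  done
  return 0
}

# Copy every app from staging back into the deployer's shcluster/apps.
migrate_to_deployer() {
  staging_apps=$1; deployer_apps=$2
  mkdir -p "$deployer_apps" && cp -pR "$staging_apps"/. "$deployer_apps"/
}

# Delete the deprecated apps flagged in Messages on staging so the deployer
# does not push them back out to the cluster members.
remove_deprecated() {
  deployer_apps=$1; shift
  for app in "$@"; do
    [ -d "$deployer_apps/$app" ] && rm -rf "$deployer_apps/$app"
  done
  return 0
}

# Print the deploy command with lookup preservation so it can be reviewed
# before it is run on the deployer. Credentials are deliberately left out:
# the CLI prompts when -auth is omitted, keeping them out of shell history.
deploy_cmd() {
  target=$1
  printf 'splunk apply shcluster-bundle -target %s -preserve-lookups true\n' "$target"
}
```

A typical run is stage_app on the deployer's copy, the normal upgrade and setup on staging, list_local_overrides on the upgraded app to drive the reconcile step, migrate_to_deployer followed by remove_deprecated for every add-on that staging flagged, and finally the command printed by deploy_cmd executed on the deployer against one cluster member's management URI.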

Validate the configuration on the search cluster

After the deployer distributes the upgraded version of the Splunk App for PCI Compliance to the search head cluster members, compare the cluster-replicated knowledge objects to the latest Splunk App for PCI Compliance installation.

  1. On each search head cluster member, open the Splunk App for PCI Compliance and select Audit > ES Configuration Health.
  2. Select a version of 4.x.x to match whichever version of Splunk App for PCI Compliance 3.x.x you are upgrading from.
  3. Review any changes.

Migrate an existing search head to a search cluster

A Splunk App for PCI Compliance installation on a single instance or search head pool member cannot be added to a search head cluster.

Migrate Splunk App for PCI Compliance configurations to a search head cluster.

  1. Identify any custom configurations and modifications in the previous Splunk App for PCI Compliance installation.
  2. Implement a new search head cluster.
  3. Deploy the latest version of the Splunk App for PCI Compliance on the search head cluster.
  4. Review and migrate the customized configurations to the search head cluster deployer for replication to the cluster members.
  5. Shut down the old Splunk App for PCI Compliance search head.

For more information on settings migration, see Migrate from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search Manual.

For assistance in planning a Splunk App for PCI Compliance deployment migration, contact the Splunk Professional Services team.

Last modified on 04 November, 2020

This documentation applies to the following versions of Splunk® App for PCI Compliance: 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2
