About upgrading to 5.0 READ THIS FIRST
This topic contains some important information and tips that you should read about when migrating to version 5.0 from an earlier version.
For information about issues that customers have reported while upgrading, see the "Known issues" topic in the Release Notes.
You want to know this stuff
Upgrading to 5.0 from 4.2 and later is pretty simple, but here are a few tips:
The working directory for the inputcsv, outputcsv, and streamedcsv search commands has changed
The working directory for the inputcsv, outputcsv, and streamedcsv search commands has changed. When you execute these search commands after an upgrade, Splunk Enterprise stores and reads the files they create in $SPLUNK_HOME/var/run/splunk/csv, rather than
The upgrade process moves any existing working files to the new directory and logs the following message to
Creating $SPLUNK_HOME/var/run/splunk/csv and moving inputcsv/outputcsv files into the created directory.
Note the following migration issues:
- Apps, add-ons, or scripts that use the commands or that reference the old working directory could be negatively affected when you upgrade due to the changed directory location.
- You must manually migrate any files that you use in conjunction with inputcsv that do not end with the .csv file extension, or that are in a subdirectory.
- If you have a component that is external to Splunk Enterprise that uses the outputcsv command, you must manually update the paths of any files or scripts in that component that use the command.
- Additionally, if the component contains files that outputcsv has generated, and those files either do not end in .csv or are in a subdirectory, you must migrate those files to the new working directory manually.
We have changed how Splunk handles invalid regular expressions in monitoring stanza filters
For versions 5.0.3 and later of Splunk, we've changed how Splunk deals with improperly formatted regular expressions in monitoring stanza filter attributes in
If you supply an invalid regular expression for a filter attribute (for example, blacklist) in a monitoring stanza, Splunk now ignores the entire stanza as being invalid, instead of ignoring only the filter attribute with the invalid regular expression. This means that Splunk will not monitor whatever data that stanza references until you fix the error and restart Splunk. Here's an example:
[monitor:///a/directory]
whitelist = unclosed[class
This stanza is invalid because the whitelist attribute has an invalid value assigned to it (the "unclosed[class" regular expression is missing the right bracket (])).
In version 5.0.2 and earlier, Splunk monitors the files in /a/directory while ignoring the
TailingProcessor - Ignoring regular expression 'your_regex' in stanza 'your_stanza' due to 'error_message'.
In version 5.0.3 and later, Splunk ignores the [monitor:///a/directory] stanza, logs an error in splunkd.log, and does not monitor the files in
TailingProcessor - Invalid regular expression: 'your_regex' in stanza 'your_stanza' due to: error_message, ignoring this stanza.
When you upgrade, Splunk warns you of any invalid regular expressions it detects, and prompts you to fix them before attempting to complete the migration. To prevent this warning from occurring, check inputs.conf to ensure that all your monitoring stanzas have valid values before starting the upgrade.
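One way to run that pre-upgrade check, as an added example that is not part of the Splunk documentation: the script scans inputs.conf text for monitor stanzas whose whitelist or blacklist value fails to compile, since in 5.0.3 and later such a stanza stops being monitored altogether. It assumes Python's re module as a stand-in for Splunk's regular expression engine, so treat a reported failure as a prompt to review the pattern; the function name and the sample stanzas are constructed for illustration.

```python
import re

# Filter attributes named on this page; extend the set for your deployment.
FILTER_ATTRS = {"whitelist", "blacklist"}

def find_invalid_filters(conf_text):
    """Return (stanza, attribute, regex, error) for each monitor-stanza
    filter whose regular expression fails to compile."""
    problems = []
    stanza = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]  # new stanza header
            continue
        # Only monitor stanzas are affected by the behaviour change.
        if stanza is None or not stanza.startswith("monitor://") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in FILTER_ATTRS:
            continue
        try:
            # Assumption: Python's re approximates Splunk's regex engine.
            re.compile(value)
        except re.error as exc:
            problems.append((stanza, key, value, str(exc)))
    return problems

# Constructed sample input: the first stanza is the example from this page.
SAMPLE = """\
[monitor:///a/directory]
whitelist = unclosed[class

[monitor:///var/log]
blacklist = \\.(gz|bz2)$
"""

if __name__ == "__main__":
    for stanza, key, value, err in find_invalid_filters(SAMPLE):
        print(f"[{stanza}] {key} = {value!r}: {err}")
```

Run it against every inputs.conf that contributes monitor stanzas on the instance before starting the upgrade.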
We have removed the deployment monitor from the Splunk installation package
The deployment monitor is no longer a part of the Splunk installation package. Starting with version 5.0, the deployment monitor is now available as a downloadable app from Splunkbase.
If you use the deployment monitor, you should not be impacted by this change when you upgrade. However, be sure to double check your configuration to ensure that the app works as desired after the upgrade is complete.
We have removed multicast distributed search peer discovery
We've removed multicast distributed search peer discovery. Starting with version 5.0, you must now configure distributed search peers explicitly with SSL security. The following attributes in distsearch.conf are no longer valid:
We have deprecated the fschange monitor
We have deprecated the fschange monitor input. While it continues to function in version 5.0 of Splunk, it might be removed in a future version.
We have deprecated several REST endpoints and a Python SDK function
For version 5.0 of Splunk, we have deprecated some representational state transfer (REST) endpoints, as well as a Python SDK function. While they continue to work in this release, they might be removed entirely in a future release. Read "Deprecated features" in the Release Notes for specifics.
The Windows performance monitoring input is now modular
The performance monitoring inputs for Windows now use the new modular input type. When you upgrade, Splunk replaces the existing scripted input with the new modular input. During the migration, Splunk saves the existing perfmon.conf file and renames it to perfmon.conf.migrated. It then copies the inputs defined in that file and places them into inputs.conf under similarly-named stanzas.
This has a major impact on users of the Splunk App for Microsoft Exchange and the Splunk App for Active Directory. Those apps use performance monitoring inputs extensively. If you use either of these apps, we suggest that you do not upgrade the apps until compatible versions are released.
For additional information on what a modular input is, read "Modular inputs overview" in the Developing Views and Apps for Splunk Web Manual.
Active Directory monitoring time formats have changed
The time stamp format that Splunk's Active Directory monitoring input logs in has changed. In Splunk 5.0 and later, AD monitoring inputs log events as follows:
pwdLastSet=07:03.12 pm, Mon 04/30/2012
If you use Active Directory monitoring inputs, you might be impacted by this change after you upgrade, particularly if you have configured alerts that rely on the old time stamp format.
Viewstates do not persist during the upgrade
If you make a change to a view state (such as adjusting the number of items to show per page in the flash timeline) and then upgrade Splunk, Splunk does not preserve the view state through the upgrade, and the default view loads when you use the upgraded version.
This is because Splunk assigns each view state a module ID, which changes when you modify the view state's XML (by modifying the view).
Forwarding method now defaults to auto-loadbalancing
Splunk 5.0 now makes auto-load balancing the default method of forwarding data to multiple indexers at one time.
When you upgrade, any forwarding configurations (outputs.conf) which do not explicitly have the autoLB attribute set to false will operate under the new method. If you do not desire this, you must explicitly add autoLB=false to the appropriate stanza(s) in
Splunk now offers integrated PDF printing
With version 5.0 of Splunk comes integrated PDF printing. This means that PDF printing no longer requires a Linux Splunk instance.
There are some things to pay attention to when upgrading, however, particularly with regard to views that contain Advanced XML. Additional information is found in "Upgrade PDF printing for Splunk Web" in this manual.
Splunk uses more Unix file descriptors
Splunk 5.0 uses more file descriptors on Unix filesystems than version 4.3 did when monitoring files.
Before you upgrade, consider increasing the number of open file descriptors your system can use with the
Splunk's database-checking utility might use more resources
After you upgrade to 5.0, Splunk's database consistency checking utility (fsck) might use more system resources (in particular, disk I/O) when it runs, particularly if bloom filters are being created at the same time.
The configuration location for globally unique identifiers (GUIDs) has changed
We've changed the location for the configuration of GUIDs for Splunk instances. In Splunk 5.0, instead of setting the GUID in server.conf, you must now set it in
This documentation applies to the following versions of Splunk® Enterprise: 5.0.15, 5.0.16, 5.0.17, 5.0.18