Splunk® Enterprise

Installation Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About upgrading to 5.0 READ THIS FIRST

This topic contains some important information and tips that you should read about when migrating to version 5.0 from an earlier version.

For information about issues that customers have reported while upgrading, see the "Known issues" topic in the Release Notes.

You want to know this stuff

Upgrading to 5.0 from 4.2 and later is pretty simple, but here are a few tips:

The working directory for the inputcsv, outputcsv, and streamedcsv search commands has changed

The working directory for the inputcsv, outputcsv, and streamedcsv search commands has changed. When you execute these search commands after an upgrade, Splunk Enterprise stores and reads the files they create in $SPLUNK_HOME/var/run/splunk/csv, rather than $SPLUNK_HOME/var/run/splunk.

The upgrade process moves any existing working files to the new directory and logs the following message to migration.log:

Creating $SPLUNK_HOME/var/run/splunk/csv and moving inputcsv/outputcsv files into the created directory.

Note the following migration issues:

  • Apps, add-ons, or scripts that use the commands or that reference the old working directory could be negatively affected when you upgrade due to the changed directory location.
  • You must manually migrate any files that you use in conjunction with inputcsv that do not end with the .csv file extension, or that are in a subdirectory.
  • If you have a component that is external to Splunk Enterprise that uses the outputcsv command, you must manually update the paths of any files or scripts in that component that use the command.
  • Additionally, if the component contains files that outputcsv has generated, and those files either do not end in .csv or are in a subdirectory, you must migrate those files to the new working directory manually.

We have changed how Splunk handles invalid regular expressions in monitoring stanza filters

For versions 5.0.3 and later of Splunk, we've changed how Splunk deals with improperly formatted regular expressions in monitoring stanza filter attributes in inputs.conf.

If you supply an invalid regular expression for a filter attribute (for example, whitelist or blacklist) in a monitoring stanza, Splunk now ignores the entire stanza as being invalid, instead of ignoring only the filter attribute with the invalid regular expression. This means that Splunk will not monitor whatever data that stanza references until you fix the error and restart Splunk. Here's an example:

whitelist = unclosed[class

This stanza is invalid because the whitelist attribute has an invalid value assigned to it (the "unclosed[class" regular expression is missing the right bracket (])).

In version 5.0.2 and earlier, Splunk monitors the files in /a/directory while ignoring the whitelist attribute.

TailingProcessor - Ignoring regular expression 'your_regex' in stanza 'your_stanza' due to 'error_message'.

In version 5.0.3 and later, Splunk ignores the [monitor:///a/directory] stanza, logs an error in splunkd.log, and does not monitor the files in /a/directory:

TailingProcessor - Invalid regular expression: 'your_regex' in stanza 'your_stanza' due to: error_message, ignoring this stanza.

When you upgrade, Splunk warns you of any invalid regular expressions it detects, and prompts you to fix them before attempting to complete the migration. To prevent this warning from occurring, check inputs.conf to ensure that all your monitoring stanzas have valid values before starting the upgrade.

We have removed the deployment monitor from the Splunk installation package

The deployment monitor is no longer a part of the Splunk installation package. Starting with version 5.0, the deployment monitor is now available as a downloadable app from Splunkbase.

If you use the deployment monitor, you should not be impacted by this change when you upgrade. However, be sure to double check your configuration to ensure that the app works as desired after the upgrade is complete.

We have removed multicast distributed search peer discovery

We've removed multicast distributed search peer discovery. Starting with version 5.0, you must now configure distributed search peers explicitly with SSL security. The following attributes in distsearch.conf are no longer valid:

  • heartbeatFrequency
  • blacklistNames
  • blacklistURLs
  • heartbeatMcastAddr
  • heartbeatPort
  • ttl
  • autoAddServers
  • skipOurselves

We have deprecated the fschange monitor

We have deprecated the fschange monitor input. While it continues to function in version 5.0 of Splunk, it might be removed in a future version.

We have deprecated several REST endpoints and a Python SDK function

For version 5.0 of Splunk, we have deprecated some representational state transfer (REST) endpoints, as well as a Python SDK function. While they continue to work in this release, they might be removed entirely in a future release. Read "Deprecated features" in the Release Notes for specifics.

The Windows performance monitoring input is now modular

The performance monitoring inputs for Windows now use the new modular input type. When you upgrade, Splunk replaces the existing scripted input with the new modular input. During the migration, Splunk saves the existing perfmon.conf file and renames it to perfmon.conf.migrated. It then copies the inputs defined in that file and places them into inputs.conf under similarly-named stanzas.

This has major impact for users who use the Splunk App for Microsoft Exchange and the Splunk App for Active Directory. Those apps use performance monitoring inputs extensively. If you use either of these apps, we suggest that you do not upgrade the apps until compatible versions are released.

For additional information on what a modular input is, read "Modular inputs overview" in the Developing Views and Apps for Splunk Web Manual.

Active Directory monitoring time formats have changed

The time stamp format that Splunk's Active Directory monitoring input logs in has changed. In Splunk 5.0 and later, AD monitoring inputs log events as follows:

pwdLastSet=07:03.12 pm, Mon 04/30/2012

If you use Active Directory monitoring inputs, you might be impacted by this change after you upgrade, particularly if you have configured alerts that rely on the old time stamp format.

Viewstates do not persist during the upgrade

If you make a change to a view state (such as adjusting the number of items to show per page in the flash timeline) and then upgrade Splunk, Splunk does not preserve the view state through the upgrade, and the default view loads when you use the upgraded version.

This is because Splunk assigns each view state a module ID, which changes when you modify the view state's XML (by modifying the view).

Forwarding method now defaults to auto-loadbalancing

Splunk 5.0 now makes auto-load balancing the default method of forwarding data to multiple indexers at one time.

When you upgrade, any forwarding configurations (outputs.conf) which do not explicitly have the autoLB attribute set to false will operate under the new method. If you do not desire this, you must explicitly add autoLB=false to the appropriate stanza(s) in outputs.conf.

Splunk now offers integrated PDF printing

With version 5.0 of Splunk comes integrated PDF printing. This means that PDF printing no longer requires a Linux Splunk instance.

There are some things to pay attention to when upgrading, however - particularly with regards to views that contain Advanced XML. Additional information is found in "Upgrade PDF printing for Splunk Web" in this manual.

Splunk uses more Unix file descriptors

Splunk 5.0 uses more file descriptors on Unix filesystems than version 4.3 did when monitoring files.

Before you upgrade, consider increasing the number of open file descriptors your system can use with the ulimit command.

Splunk's database-checking utility might use more resources

After you upgrade to 5.0, Splunk's database consistency checking utility (fsck) might use more system resources (in particular, disk I/O) when they run, particularly if bloom filters are being created at the same time.

The configuration location for globally unique identifiers (GUIDs) has changed

We've changed the location for the configuration of GUIDs for Splunk instances. In Splunk 5.0, instead of setting the GUID in server.conf, you must now set it in instance.cfg.

How to upgrade Splunk
Upgrade to 5.0 on UNIX

This documentation applies to the following versions of Splunk® Enterprise: 5.0.15, 5.0.16, 5.0.17, 5.0.18

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters