Splunk® Enterprise

Installation Manual


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Upgrade to 5.0 on UNIX

This topic describes the procedure for upgrading your Splunk instance from version 4.0.x or later to 5.0.

Before you upgrade

Make sure you've read this information before proceeding, as well as the following:

Back your files up

Before you perform the upgrade, we strongly recommend that you back up all of your files, including Splunk configurations, indexed data, and binaries. Splunk does not provide a means of downgrading to previous versions; if you need to revert to an older Splunk release, just reinstall it.

For information on backing up data, read "Back up indexed data" in the Managing Indexers and Clusters Manual.

For information on backing up configurations, read "Back up configuration information" in the Admin manual.

How upgrading works

After performing the installation of the new version, Splunk does not actually make changes to your configuration until after you restart it. You can run the migration preview utility at that time to see what will be changed before the files are updated. If you choose to view the changes before proceeding, a file containing the changes that the upgrade script proposes to make is written to $SPLUNK_HOME/var/log/splunk/migration.log.<timestamp>

Steps for upgrading

1. Execute the $SPLUNK_HOME/bin/splunk stop command.

Important: Make sure no other processes will start Splunk automatically (such as Solaris SMF).

2. To upgrade and migrate from version 4.x and later, install the Splunk package over your existing Splunk deployment:

  • If you are using a .tar file, expand it into the same directory with the same ownership as your existing Splunk instance. This overwrites and replaces matching files but does not remove unique files.
    Note: AIX tar will fail to correctly overwrite files when run as a user other than root. Use GNU tar (gtar) to avoid this problem.
  • If you are using a package manager, such as RPM, type rpm -U splunk_package_name.rpm
  • If you are using a .dmg file (on Mac OS X), double-click it and follow the instructions. Be sure to specify the same installation directory as your existing installation.

3. Execute the $SPLUNK_HOME/bin/splunk start command.

The following output is displayed:

This appears to be an upgrade of Splunk.
Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk's installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.
You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:
If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose 'y'.
If you want to see what changes will be made before you proceed with the
upgrade, choose 'n'.
Perform migration and upgrade without previewing configuration changes? [y/n]

4. Choose whether you want to run the migration preview script to see what changes will be made to your existing configuration files, or proceed with the migration and upgrade right away.

5. If you choose to view the expected changes, the script provides a list.

6. Once you've reviewed these changes and are ready to proceed with migration and upgrade, run $SPLUNK_HOME/bin/splunk start again.

Note: You can complete Steps 3 to 5 in one line:

To accept the license and view the expected changes (answer 'n') before continuing the upgrade:

$SPLUNK_HOME/bin/splunk start --accept-license --answer-no

To accept the license and begin the upgrade without viewing the changes (answer 'y'):

$SPLUNK_HOME/bin/splunk start --accept-license --answer-yes
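
The .tar path through steps 1 to 5, as an added shell example (not Splunk's own tooling), with checks that the archive lands on the existing installation under the same ownership. It assumes a gzip-compressed package whose top-level directory is named like the existing install directory; the function names and the backup path argument are hypothetical.

```shell
#!/bin/sh
# Added example. Usage (paths are placeholders):
#   upgrade_from_tar /opt/splunk /path/to/package.tgz /path/to/etc-backup.tgz

# Numeric owner of a path, portable across GNU and BSD userlands.
uid_of() { ls -ldn "$1" | awk '{print $3}'; }

# Refuse to proceed unless extraction would overwrite the existing install
# in place and keep its ownership.
preflight() {
    home=$1 pkg=$2
    [ -x "$home/bin/splunk" ] || { echo "no Splunk at $home" >&2; return 1; }
    [ "$(uid_of "$home")" = "$(id -u)" ] || {
        echo "run this as the user that owns $home" >&2; return 1; }
    # Assumption: the first archive entry names the top-level directory.
    top=$(tar -tzf "$pkg" | sed -n '1s|/.*||p')
    [ "$top" = "$(basename "$home")" ] || {
        echo "archive unpacks to '$top', not '$(basename "$home")'" >&2
        return 1; }
}

upgrade_from_tar() {
    home=$1 pkg=$2 backup=$3
    preflight "$home" "$pkg" || return 1
    "$home/bin/splunk" stop || return 1                    # step 1
    # Configuration snapshot only; indexed data is backed up separately.
    tar -czf "$backup" -C "$home" etc || return 1
    # Step 2: expand over the existing directory. Matching files are
    # replaced, files unique to the old install are left alone.
    tar -xzf "$pkg" -C "$(dirname "$home")" || return 1
    # Steps 3 to 5: answer 'n' so the proposed changes are listed, not applied.
    "$home/bin/splunk" start --accept-license --answer-no || return 1
    # Print the preview file(s) the operator should review before step 6.
    ls "$home"/var/log/splunk/migration.log.* 2>/dev/null
    return 0
}
```

The function stops after the preview; once the listed migration log has been reviewed, step 6 is run by hand.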

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Hi Lakshman237,

How you upgrade depends on what permissions the user that runs Splunk has. In your case, you would need to become the user who runs Splunk and then extract the zipped tar file directly over the existing directory. Attempting to upgrade over an existing installation without the appropriate permissions is not supported.

To check the md5 of the zipped tarfile, you can use the digest command. The digest command is available in the SUNWcsu package.

Malmoore, Splunker
March 19, 2013

I have downloaded the splunk universalforwarder 5.0.2, splunkforwarder-5.0.2-149561-SunOS-sparc.tar.Z for solaris and placed it under /home/splunk. We already have 4.3.2 installed on /opt/splunkforwarder on the server. How do I extract the contents of 5.0.2 and add to /opt/splunkforwarder/ without using root account to place the file on /opt? Also, how to check the md5sum on the *tar.Z file to ensure it's correct?

March 19, 2013

Hi Adaucourt,

Nice catch. To reduce confusion, I'll remove the "[--prefix]" argument. Rpm should be able to handle an in-place upgrade without needing to use --prefix.

Malmoore, Splunker
February 22, 2013

It could be an error of perception but utilizing the above instructions:

If you are using a package manager, such as RPM, type rpm -U [--prefix ] splunk_package_name.rpm

You could end up making a serious error and installing to /opt/splunk/splunk instead of installing to /opt/splunk. For most the default and current location is in fact /opt/splunk and you find out the hard way the installation occurs in the wrong directory.

February 14, 2013

Do we need to update the agents too? Or are they compatible with v5.0?

November 26, 2012
