Splunk® Enterprise

Installation Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

About Upgrading to 6.1 - READ THIS FIRST

This topic contains important information and tips about upgrading to version 6.1 from an earlier version. Read it before attempting to upgrade your Splunk environment.

Important: Not all Splunk apps and add-ons are compatible with Splunk Enterprise 6.1. If you are considering an upgrade to this release, visit Splunk Apps to confirm that your apps are compatible with Splunk Enterprise 6.1.

Upgrade clustered environments

If you plan to upgrade a Splunk cluster, read "Upgrade your clustered deployment" in the Managing Indexers and Clusters Manual. The instructions in that topic supersede the upgrade material in this manual.

Important: All nodes of a clustered Splunk environment must run the same version of Splunk Enterprise. If you plan to upgrade your clustered environment, you must upgrade all nodes (including search heads, master nodes, and peer nodes) in the cluster at the same time.

Upgrade paths

Splunk Enterprise supports the following upgrade paths to Version 6.1 of the software:

  • From version 5.0 or later to 6.1 on full Splunk Enterprise.
  • From version 4.2 or later to 6.1 on Splunk universal forwarders.

If you run a version of Splunk Enterprise prior to 4.3, upgrade to 5.0 first, then upgrade to 6.1. Read "About upgrading to 5.0 - READ THIS FIRST" for tips on migrating your instance to version 5.0.

If you run version 4.3 of Splunk Enterprise, upgrade to 6.0 first before attempting an upgrade to 6.1. Read "About upgrading to 6.0 - READ THIS FIRST" for specifics.

You want to know this stuff

Upgrading to 6.1 from 5.0 and later is trivial, but here are a few things you should be aware of when installing the new version:

Make sure that the introspection directory has the correct permissions

If you run Splunk Enterprise on Linux as a non-root user and use an RPM to upgrade, the RPM writes the $SPLUNK_HOME/var/log/introspection directory as root. Because the non-root Splunk user then cannot write to that directory, the instance can fail with errors when you later attempt to start it. To prevent this, after upgrading and before restarting Splunk Enterprise, chown the $SPLUNK_HOME/var/log/introspection directory to the user that Splunk Enterprise runs as.
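The following post-upgrade check is an added example, not a Splunk tool: it reports whether the introspection directory is owned by the Splunk service user and repairs the ownership if not. It assumes GNU coreutils (stat -c) and that the caller exports SPLUNK_HOME and SPLUNK_USER; both values below are hypothetical.

```shell
#!/bin/sh
# Post-upgrade ownership check for $SPLUNK_HOME/var/log/introspection.
# Added example; assumes GNU stat and that SPLUNK_HOME/SPLUNK_USER are
# provided by the caller (hypothetical values, e.g. /opt/splunk and splunk).

# Print the owning user of a directory; fail if the directory is absent.
dir_owner() {
    [ -d "$1" ] && stat -c '%U' "$1"
}

# Return 0 if the introspection directory is owned by the expected user,
# 1 if it is owned by someone else (typically root after an RPM upgrade),
# 2 if the directory does not exist yet.
introspection_owner_ok() {
    dir="$1/var/log/introspection"
    owner=$(dir_owner "$dir") || return 2
    [ "$owner" = "$2" ]
}

# Hand the directory back to the service user so a non-root splunkd can
# write its introspection logs. Only touches the directory named above.
fix_introspection_owner() {
    dir="$1/var/log/introspection"
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    chown -R "$2" "$dir"
}

# Usage: SPLUNK_HOME=/opt/splunk SPLUNK_USER=splunk sh check_introspection.sh
if [ -n "${SPLUNK_HOME:-}" ] && [ -n "${SPLUNK_USER:-}" ]; then
    if introspection_owner_ok "$SPLUNK_HOME" "$SPLUNK_USER"; then
        echo "ok: introspection directory is owned by $SPLUNK_USER"
    else
        echo "fixing ownership of $SPLUNK_HOME/var/log/introspection" >&2
        fix_introspection_owner "$SPLUNK_HOME" "$SPLUNK_USER"
    fi
fi
```

Run it as root (or as the Splunk user, which can only report) before the first restart that follows the RPM upgrade.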

The multi-tenant feature for deployment server has been removed

We have removed support for multi-tenant deployment server. When you upgrade, the deployment server clients in your environment will no longer update apps based on entries in tenants.conf.

Custom email alerts mean major changes for alert_actions.conf

A reworked email alert interface allows you to create custom email alerts and provides many new attributes that you can set. If you use email alerts, review alert_actions.conf on your systems after the upgrade to ensure that alerts continue to work the way you expect. Some of the changes include:

  • The default email results format has changed from HTML to a table.
  • Attempting to set the format attribute in alert_actions.conf to plain no longer has any effect. Instead, Splunk Enterprise uses table as the value.
  • By default, all results in an email are inline (inline = 1 in alert_actions.conf).
  • Splunk Enterprise does not support customization of the sendemail.py script. This Python script is not public and can change in future releases without notice. Changes to this script in Splunk Enterprise 6.1 break any customization you may have made in a prior release.

Read more about custom email alerts in the Email notification topic in the Alerting Manual. To see the updated values, read the alert_actions.conf spec file.

Splunk Enterprise parses JSON files by using INDEXED_EXTRACTIONS by default

When you use Splunk Enterprise to import a JSON file, it attempts to parse the file using the default parsing values as though you set INDEXED_EXTRACTIONS=json in props.conf.

Splunk Enterprise does not parse structured data that has been forwarded to an indexer

When you forward structured data to an indexer, Splunk Enterprise does not parse this data once it arrives at the indexer, even if you have configured props.conf on that indexer with INDEXED_EXTRACTIONS. Forwarded data skips the following queues on the indexer, which precludes any parsing of that data on the indexer:

  • parsing
  • aggregation
  • typing

The forwarded data must arrive at the indexer already parsed. To achieve this, you must also set up props.conf on the forwarder that sends the data. This includes configuration of INDEXED_EXTRACTIONS and any other parsing, filtering, anonymizing, and routing rules. Universal forwarders are capable of performing these tasks solely for structured data. See "Forward data extracted from header files".

New and updated attributes in limits.conf could increase disk and memory usage

We introduced and updated the behavior of some attributes in limits.conf:

  • The chunk_size attribute controls how many events Splunk Enterprise retrieves at once from a TSIDX file when it answers a query. The default value of 1000000 could result in increased overall memory usage and/or reduced performance. Changing the setting has impact on both memory usage and performance and is not recommended.
  • The file_tracking_db_threshold_mb attribute controls the size limit of the file tracking database (known as the fishbucket). When the database reaches the size specified by this attribute, Splunk Enterprise stops writing to that database and starts writing to a new one. When you upgrade, if this attribute does not exist in your environment, Splunk Enterprise reads the value of maxDataSize in the _thefishbucket stanza in indexes.conf and assigns that value to this attribute in $SPLUNK_HOME/etc/system/local/limits.conf. This might increase the amount of disk space that the fishbucket uses at any given time.

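To see before upgrading what value the migration would copy into file_tracking_db_threshold_mb, the following added example (not Splunk tooling) reads maxDataSize from the _thefishbucket stanza of a single indexes.conf, unless a limits.conf already sets the attribute. It assumes the attribute lives in the [inputproc] stanza of limits.conf and reads one file at a time, so it does not reproduce Splunk's configuration-layering rules; the sample indexes.conf is constructed.

```shell
#!/bin/sh
# Added example: look up the fishbucket maxDataSize that the 6.1 upgrade
# would copy into limits.conf. Assumes INI-style "[stanza]" / "key = value"
# files; the [inputproc] stanza name for limits.conf is an assumption.

# Print the value of KEY inside [STANZA] in FILE; print nothing if unset.
# Reads a single file only, so .conf layering is not applied.
conf_get() {
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*\[/ {
            line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
            in_stanza = (line == stanza); next
        }
        in_stanza && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { if (val != "") print val }
    ' "$1"
}

# Value that would land in limits.conf as file_tracking_db_threshold_mb:
# an existing setting wins, otherwise the _thefishbucket maxDataSize.
# Arguments: path to indexes.conf, path to limits.conf.
fishbucket_threshold_mb() {
    existing=$(conf_get "$2" inputproc file_tracking_db_threshold_mb)
    if [ -n "$existing" ]; then echo "$existing"; return 0; fi
    conf_get "$1" _thefishbucket maxDataSize
}

# Constructed sample indexes.conf (not a real Splunk file) for a dry run.
sample_indexes_conf() {
    cat <<'EOF'
[default]
maxDataSize = auto

[_thefishbucket]
homePath = $SPLUNK_DB/fishbucket/db
maxDataSize = 500
EOF
}

# Dry run against the constructed sample and an empty limits.conf.
demo() {
    idx=$(mktemp); lim=$(mktemp)
    sample_indexes_conf > "$idx"
    fishbucket_threshold_mb "$idx" "$lim"
    rm -f "$idx" "$lim"
}
```

Point fishbucket_threshold_mb at $SPLUNK_HOME/etc/system/local/indexes.conf and limits.conf to preview the change on a real instance.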
The default maximum database size for summary indexing has changed

We increased the default amount of disk space that a summary index database can take from 100 to 1000 megabytes. When you upgrade, the change occurs in indexes.conf. This can result in additional disk space usage throughout the course of Splunk Enterprise operation.

New internal index can increase disk space usage

Splunk Enterprise 6.1 includes a new internal index, _introspection. This can result in increased disk usage on the system that performs indexing. Ensure that you have disk space and memory available on your indexing systems before upgrading.

Windows-specific changes

The Windows universal forwarder can now be run in "low-privilege" mode

The Splunk universal forwarder on the Windows platform can be configured to run as a user that does not have administrative rights on the server. To learn more about low-privilege mode and its benefits and potential caveats, read "Deploy a Windows universal forwarder via the installer GUI" or "Deploy a Windows universal forwarder via the command line" in the Forwarding manual.

The Windows Event Log input has additional filtering capabilities

The Windows event log input gets two new improvements:

  • The input, which until now had its own input processor, is now a modular input. This improves its efficiency and removes the limit of 64 concurrent Event Log channels. Because the Windows Event Log input already uses inputs.conf, this change should not affect your configuration. However, we suggest that you review any .conf files post-upgrade as a precautionary measure.
  • Additionally, the input receives several new attributes which allow you to filter events based on Windows Event IDs or regular expression text. It also allows you to suppress event log text from an event.

There are also certain situations where, if you use a deployment server to control configurations, some versions of the universal forwarder might collect duplicate events. See "Upgraded deployment servers and installed apps that use 6.0 stanzas might generate duplicate events" for additional information.

Upgraded deployment servers and installed apps that use 6.0 stanzas might generate duplicate events

In order to maintain interoperability, Splunk does not remove old-style Windows Event Log stanzas during an upgrade to version 6. Instead, it notifies you that you need to remove them manually.

This is particularly important for deployment servers or universal forwarders that host apps that use 6.0 style configuration file stanzas. When you upgrade, if you do not remove the old-style stanzas, Splunk might generate duplicate events.

No support for enabling Federal Information Processing Standards (FIPS) after an upgrade

There is no supported upgrade path from a Splunk Enterprise system with enabled Secure Sockets Layer (SSL) certificates to a system with FIPS enabled. If you need to enable FIPS, you must do so on a new installation.

Learn about known upgrade issues

To learn about any additional upgrade issues for Splunk Enterprise, see the "Known Issues - Upgrade Issues" page in the Release Notes.

Last modified on 30 March, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9
