
About upgrading to 6.2 - READ THIS FIRST
This topic contains important information and tips about upgrading to version 6.2 from an earlier version. Read it before attempting to upgrade your Splunk environment.
Important: Not all Splunk apps and add-ons are compatible with Splunk Enterprise 6.2. If you are considering an upgrade to this release, visit Splunkbase to confirm that your apps are compatible with Splunk Enterprise 6.2.
Upgrade clustered environments
If you plan to upgrade a Splunk cluster, read "Upgrade your clustered deployment" in the Managing Indexers and Clusters Manual. The instructions in that topic supersede the upgrade material in this manual.
Important: All nodes of a clustered Splunk environment must run the same version of Splunk Enterprise. If you plan to upgrade your clustered environment, you must upgrade all nodes (including search heads, master nodes, and peer nodes) in the cluster at the same time.
Upgrade paths
Splunk Enterprise supports the following upgrade paths to Version 6.2 of the software:
- From version 5.0 or later to 6.2 on full Splunk Enterprise.
- From version 5.0 or later to 6.2 on Splunk universal forwarders.
If you run version 4.3 of Splunk Enterprise, upgrade to 6.0 first before attempting an upgrade to 6.2. Read "About upgrading to 6.0 - READ THIS FIRST" for specifics.
If you run a version of Splunk Enterprise prior to 4.3, upgrade to 5.0 first, then upgrade to 6.2. Read "About upgrading to 5.0 - READ THIS FIRST" for tips on migrating your instance to version 5.0.
You want to know this stuff
Upgrading to 6.2 from 5.0 and later is trivial, but here are a few things you should be aware of when installing the new version:
The splunkweb service has been incorporated into the splunkd service
The splunkweb service, which handled all Splunk Web operations and sent requests to the splunkd service, has been disabled. The splunkd service now handles all Splunk Enterprise services in normal operation. On Windows, the splunkweb service installs, but does not run. See "The Splunk Web service installs but does not run" in the "Windows-specific changes" section of this topic.
If needed, you can configure Splunk Enterprise to run in "legacy mode", where splunkweb runs as a separate service. See "Start and stop Splunk Enterprise" in the Admin Manual.
Important: Do not run Splunk Web in legacy mode permanently. Use legacy mode to temporarily work around issues introduced by the new integration of the user interface with the main splunkd service. Once you correct the issues, return Splunk Web to normal mode as soon as possible.
Migration from search head pooling to search head clustering
If you want to migrate to search head clustering from a standalone search head, or from search head pooling, which has been deprecated, you must follow specific instructions and use new Splunk Enterprise instances for search head cluster members. See the following topics in the Distributed Search manual for more information on migrating to search head clustering:
New installed services open additional network ports
Splunk Enterprise installs and runs two new services: KV Store and App Server. This opens two network ports by default on the local machine: 8191 (for KV Store) and 8065 (for App Server). Make sure any firewall you run on the machine does not block these ports. The KV Store service also starts an additional process, mongod. If needed, you can disable KV Store by editing server.conf and changing the dbPath attribute to a valid path on a file system that the Splunk Enterprise instance can reach. See "About the app key value store" in the Admin manual.
The new App Key Value Store service might increase disk space usage
The App Key Value Store (KV Store) service, which provides a way for you to maintain the state of your application by storing and retrieving data within it, might cause an increase in disk usage on the instance, depending on how many apps you run. You can change where the KV Store service puts its data by editing server.conf, and you can restore data used by KV Store with the splunk clean CLI command. See "About the app key value store" in the Admin manual.
Data block signing has been removed
Data block signing has been removed from Splunk Enterprise version 6.2. The feature has been deprecated for some time.
Make sure that the introspection directory has the correct permissions
If you run Splunk Enterprise on Linux as a non-root user, and use an RPM to upgrade, the RPM writes the $SPLUNK_HOME/var/log/introspection directory as root. This can cause errors when you attempt to start the instance later. To prevent this, chown the $SPLUNK_HOME/var/log/introspection directory to the user that Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
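One way to check the ownership problem described above after the RPM upgrade and before the restart, as an added example that is not part of the Splunk documentation. The /opt/splunk fallback path and the "splunk" account name are assumptions.

```python
import os
import pwd

def introspection_dir(splunk_home):
    """Path the RPM upgrade writes as root, per the section above."""
    return os.path.join(splunk_home, "var", "log", "introspection")

def wrong_owner_paths(root, expected_uid):
    """Return every path at or under root that expected_uid does not own."""
    mismatched = []
    if os.lstat(root).st_uid != expected_uid:
        mismatched.append(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            # lstat: judge a symlink itself, not whatever it points at
            if os.lstat(path).st_uid != expected_uid:
                mismatched.append(path)
    return mismatched

if __name__ == "__main__":
    home = os.environ.get("SPLUNK_HOME", "/opt/splunk")  # assumed install path
    user = "splunk"                                       # assumed service account
    target = introspection_dir(home)
    try:
        bad = wrong_owner_paths(target, pwd.getpwnam(user).pw_uid)
    except (KeyError, FileNotFoundError) as exc:
        raise SystemExit(f"cannot check {target}: {exc}")
    for path in bad:
        print(f"not owned by {user}: {path}")
    if bad:
        print(f"fix before restarting: chown -R {user} {target}")
```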
The Splunk DB Connect app can cause issues with data inputs
Due to a design flaw with version 1.1.4 of the Splunk DB Connect app, the "Forwarded Inputs" section of the "Data Inputs" page disappears if you upgrade a Splunk Enterprise instance with the app installed. To work around the problem, upgrade the app to version 1.1.5 before starting an upgrade.
New default values for some attributes can impact Splunk operations over SSL
There are new defaults which can possibly impact running Splunk Enterprise over SSL:
- The supportSSLv3Only attribute, which controls how Splunk Enterprise handles SSL clients, now has a default setting of true. This means that only clients who can speak the SSL v3 protocol can connect to the Splunk Enterprise instance.
- The cipherSuite attribute, which controls the encryption protocols that can be used during an SSL connection, now has a default setting of TLSV1+HIGH:@STRENGTH. This means that only clients that possess a Transport Layer Security (TLS) v1 cipher with a 'high' encryption suite can connect to a Splunk Enterprise instance.
Login page customization is no longer available
Login page customization is no longer available in 6.2. You can only modify the footer of the login page after an upgrade.
Windows-specific changes
New installation and upgrade procedures
The Windows version of Splunk Enterprise now has a more streamlined installation and upgrade workflow. The installer now assumes specific defaults (for new installations) and retains existing settings (for upgrades) by default. To make any changes from the default on installations, you must check the "Customize options" button. During upgrades, your only option is to accept the license agreement. See "Installation options."
The Splunk Web service installs but does not run
Beginning with Splunk Enterprise v6.2, the splunkd service handles all Splunk Web operations. However, on Windows instances, the installer still installs the splunkweb service, although the service quits immediately on launch when operating in normal mode. You can configure the service to run in legacy mode by changing a configuration parameter in web.conf. See "Start Splunk Enterprise on Windows in legacy mode" in the Admin manual.
Important: Do not run Splunk Web in legacy mode permanently. Use legacy mode to temporarily work around issues introduced by the new integration of the user interface with the main splunkd service. Once you correct the issues, return Splunk Web to normal mode as soon as possible.
No support for search head clustering in Windows
The search head clustering feature is only available on Splunk Enterprise running on *nix hosts at this time. To use search head clustering, you must install *nix instances of Splunk Enterprise and configure search head clustering on those instances.
No support for enabling Federal Information Processing Standards (FIPS) after an upgrade
There is no supported upgrade path from a Splunk Enterprise system with enabled Secure Sockets Layer (SSL) certificates to a system with FIPS enabled. If you need to enable FIPS, you must do so on a new installation.
The default behavior for translating security identifiers (SID) and globally unique identifiers (GUID) when monitoring Windows Event Log data has changed
The evt_resolve_ad_obj attribute, which controls whether or not Splunk Enterprise attempts to resolve SIDs and GUIDs when it monitors event log channels, is now disabled by default for all channels. When you upgrade, any inputs.conf monitor stanzas that do not explicitly enable this attribute will no longer perform this translation.
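A pre-upgrade check for the SSL defaults and the Windows Event Log change described in this topic: it lists stanzas that leave the affected attributes unset and so pick up the 6.2 defaults. This is an added example, not Splunk code. It reads one file's text without modeling configuration layering, assumes the SSL attributes sit in an [sslConfig] stanza, and spells the event log attribute evt_resolve_ad_obj as in inputs.conf.

```python
import re

# (stanza pattern, attribute, 6.2 default as stated on this page).
# Assumption: the SSL attributes are read from an [sslConfig] stanza.
WATCHED = [
    (re.compile(r"^sslConfig$"), "supportSSLv3Only", "true"),
    (re.compile(r"^sslConfig$"), "cipherSuite", "TLSV1+HIGH:@STRENGTH"),
    (re.compile(r"^WinEventLog://", re.I), "evt_resolve_ad_obj", "disabled"),
]

def parse_conf(text):
    """Parse .conf text into {stanza: {lowercased attribute: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return stanzas

def implicit_defaults(text):
    """List (stanza, attribute, new default) for watched attributes left unset."""
    findings = []
    for stanza, settings in parse_conf(text).items():
        for pattern, attr, new_default in WATCHED:
            # Attribute names are compared case-insensitively.
            if pattern.search(stanza) and attr.lower() not in settings:
                findings.append((stanza, attr, new_default))
    return findings

# Constructed samples, not taken from a real deployment.
SERVER_CONF = """
[sslConfig]
cipherSuite = HIGH
"""
INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0

[WinEventLog://Application]
evt_resolve_ad_obj = 1
"""

if __name__ == "__main__":
    for text in (SERVER_CONF, INPUTS_CONF):
        for stanza, attr, new_default in implicit_defaults(text):
            print(f"[{stanza}] {attr} is not set; 6.2 default: {new_default}")
```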
Learn about known upgrade issues
To learn about any additional upgrade issues for Splunk Enterprise, see the "Known Issues - Upgrade Issues" page in the Release Notes.
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8