Splunk® Enterprise

Installation Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

About upgrading to 6.2 - READ THIS FIRST

This topic contains important information and tips about upgrading to version 6.2 from an earlier version. Read it before attempting to upgrade your Splunk environment.

Important: Not all Splunk apps and add-ons are compatible with Splunk Enterprise 6.2. If you are considering an upgrade to this release, visit Splunkbase to confirm that your apps are compatible with Splunk Enterprise 6.2.

Upgrade clustered environments

If you plan to upgrade a Splunk cluster, read "Upgrade your clustered deployment" in the Managing Indexers and Clusters Manual. The instructions in that topic supersede the upgrade material in this manual.

Important: All nodes of a clustered Splunk environment must run the same version of Splunk Enterprise. If you plan to upgrade your clustered environment, you must upgrade all nodes (including search heads, master nodes, and peer nodes) in the cluster at the same time.

Upgrade paths

Splunk Enterprise supports the following upgrade paths to Version 6.2 of the software:

  • From version 5.0 or later to 6.2 on full Splunk Enterprise.
  • From version 5.0 or later to 6.2 on Splunk universal forwarders.

If you run version 4.3 of Splunk Enterprise, upgrade to 6.0 before attempting an upgrade to 6.2. Read "About upgrading to 6.0 - READ THIS FIRST" for specifics.

If you run a version of Splunk Enterprise prior to 4.3, upgrade to 5.0 first, then upgrade to 6.2. Read "About upgrading to 5.0 - READ THIS FIRST" for tips on migrating your instance to version 5.0.

You want to know this stuff

Upgrading to 6.2 from 5.0 and later is trivial, but here are a few things you should be aware of when installing the new version:

The working directory for the inputcsv, outputcsv, and streamedcsv search commands has changed

The working directory for the inputcsv, outputcsv, and streamedcsv search commands has changed. When you execute these search commands after an upgrade, Splunk Enterprise stores and reads the files they create in $SPLUNK_HOME/var/run/splunk/csv, rather than $SPLUNK_HOME/var/run/splunk.

The upgrade process moves any existing working files to the new directory and logs the following message to migration.log:

Creating $SPLUNK_HOME/var/run/splunk/csv and moving inputcsv/outputcsv files into the created directory.

Note the following migration issues:

  • Apps, add-ons, or scripts that use the commands or that reference the old working directory could be negatively affected when you upgrade due to the changed directory location.
  • You must manually migrate any files that you use in conjunction with inputcsv that do not end with the .csv file extension, or that are in a subdirectory.
  • If you have a component that is external to Splunk Enterprise that uses the outputcsv command, you must manually update the paths of any files or scripts in that component that use the command.
  • Additionally, if the component contains files that outputcsv has generated, and those files either do not end in .csv or are in a subdirectory, you must migrate those files to the new working directory manually.
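The following shell sketch is an added example, not part of the original manual or of Splunk's own tooling. It lists app content that calls the affected commands or hard-codes a path under the old working directory, so you can review it before or after the upgrade. The sample app names and the /srv/reports path are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Splunk code: find app content that the CSV working
# directory move can break. Output is a list of candidates for manual review.

# scan_csv_refs <dir>: search <dir> recursively and print
#   command:<file>:<line>:<text>   lines that call an affected search command
#   old-path:<file>:<line>:<path>  paths under var/run/splunk but outside csv/
scan_csv_refs() {
    dir=$1
    grep -rnE '(inputcsv|outputcsv|streamedcsv)([^[:alnum:]_]|$)' "$dir" |
        sed 's/^/command:/'
    grep -rnoE 'var/run/splunk/[^[:space:]"]*' "$dir" |
        grep -vE ':var/run/splunk/csv(/|$)' |
        sed 's/^/old-path:/'
}

# make_sample_apps <dir>: constructed sample app tree (hypothetical names).
make_sample_apps() {
    mkdir -p "$1/app_a/default" "$1/app_a/bin" "$1/app_b/bin"
    cat > "$1/app_a/default/savedsearches.conf" <<'EOF'
[Nightly host report]
search = index=main | stats count by host | outputcsv hosts_report
EOF
    cat > "$1/app_a/bin/export.sh" <<'EOF'
cp "$SPLUNK_HOME/var/run/splunk/hosts_report.csv" /srv/reports/
EOF
    cat > "$1/app_b/bin/already_fixed.sh" <<'EOF'
cp "$SPLUNK_HOME/var/run/splunk/csv/hosts_report.csv" /srv/reports/
EOF
}

# Demo on the constructed tree. On a real instance, point scan_csv_refs at
# the directory that holds your apps and external scripts.
demo_dir=$(mktemp -d)
make_sample_apps "$demo_dir"
scan_csv_refs "$demo_dir"
rm -rf "$demo_dir"
```

Paths reported as old-path are not all CSV working files; the old directory holds other runtime data as well, so treat each hit as something to check.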

The splunkweb service has been incorporated into the splunkd service

The splunkweb service, which handled all Splunk Web operations and sent requests to the splunkd service, has been disabled. The splunkd service now handles all Splunk Enterprise services in normal operation. On Windows, the splunkweb service installs, but does not run. See "The Splunk Web service installs but does not run" in the "Windows-specific changes" section of this topic.

If needed, you can configure Splunk Enterprise to run in "legacy mode", where splunkweb runs as a separate service. See "Start and stop Splunk Enterprise."

Important: Do not run Splunk Web in legacy mode permanently. Use legacy mode to temporarily work around issues introduced by the new integration of the user interface with the main splunkd service. Once you correct the issues, return Splunk Web to normal mode as soon as possible.

Migration from search head pooling to search head clustering

If you want to migrate to search head clustering from a standalone search head, or from search head pooling, which has been deprecated, you must follow specific instructions and use new Splunk Enterprise instances for search head cluster members. See the following topics in the Distributed Search manual for more information on migrating to search head clustering:

New installed services open additional network ports

Splunk Enterprise installs and runs two new services: KV Store and App Server. This opens two network ports by default on the local machine: 8191 (for KV Store) and 8065 (for App Server). Make sure any firewall you run on the machine does not block these ports. The KV Store service also starts an additional process, mongod. If needed, you can disable KV Store by editing server.conf and changing the dbPath attribute to a valid path on a file system that the Splunk Enterprise instance can reach. See "About the app key value store" in the Admin manual.

The new App Key Value Store service might increase disk space usage

The App Key Value Store (KV Store) service, which provides a way for you to maintain the state of your application by storing and retrieving data within it, might cause an increase in disk usage on the instance, depending on how many apps you run. You can change where the KV Store service puts its data by editing server.conf, and you can restore data used by KV Store with the splunk clean CLI command. See "About the app key value store" in the Admin manual.

Data block signing has been removed

Data block signing has been removed from Splunk Enterprise version 6.2. The feature has been deprecated for some time.

Make sure that the introspection directory has the correct permissions

If you run Splunk Enterprise on Linux as a non-root user, and use an RPM to upgrade, the RPM writes the $SPLUNK_HOME/var/log/introspection directory as root. This can cause errors when you attempt to start the instance later. To prevent this, chown the $SPLUNK_HOME/var/log/introspection directory to the user that Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.
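The check below is an added example, not part of the original manual. It verifies ownership of the introspection directory between the RPM upgrade and the restart and reports what still belongs to another user. SPLUNK_RUN_USER is a hypothetical variable for the account Splunk Enterprise runs as, with "splunk" as an assumed default.

```shell
#!/bin/sh
# Added example, not Splunk code: ownership gate to run after an RPM upgrade
# and before restarting Splunk Enterprise.

# introspection_owner_ok <splunk_home> <user>
# Returns 0 when everything under var/log/introspection is owned by <user>
# (name or numeric uid), 1 with the offending paths on stdout otherwise,
# and 2 when the directory is missing or find cannot complete.
introspection_owner_ok() {
    dir=$1/var/log/introspection
    [ -d "$dir" ] || { echo "not found: $dir" >&2; return 2; }
    bad=$(find "$dir" ! -user "$2" -print) || return 2
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    echo "run as root: chown -R $2 $dir" >&2
    return 1
}

# Runs only when SPLUNK_HOME is set. SPLUNK_RUN_USER is a hypothetical
# variable naming the account Splunk Enterprise runs as.
if [ -n "${SPLUNK_HOME:-}" ]; then
    if introspection_owner_ok "$SPLUNK_HOME" "${SPLUNK_RUN_USER:-splunk}"; then
        echo "ownership ok, safe to restart Splunk Enterprise"
    else
        echo "fix ownership before restarting Splunk Enterprise" >&2
    fi
fi
```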

The Splunk DB Connect app can cause issues with data inputs

Due to a design flaw with version 1.1.4 of the Splunk DB Connect app, the "Forwarded Inputs" section of the "Data Inputs" page disappears if you upgrade a Splunk Enterprise instance with the app installed. To work around the problem, upgrade the app to version 1.1.5 before starting an upgrade.

New default values for some attributes can impact Splunk operations over SSL

The following new defaults can affect running Splunk Enterprise over SSL:

  • The supportSSLv3Only attribute, which controls how Splunk Enterprise handles SSL clients, now has a default setting of true. This means that only clients who can speak the SSL v3 protocol can connect to the Splunk Enterprise instance.
  • The cipherSuite attribute, which controls the encryption protocols that can be used during an SSL connection, now has a default setting of TLSV1+HIGH:@STRENGTH. This means that only clients that possess a Transport Layer Security (TLS) v1 cipher with a 'high' encryption suite can connect to a Splunk Enterprise instance.

Login page customization is no longer available

Login page customization is no longer available in 6.2. You can only modify the header and footer of the login page after an upgrade.

Windows-specific changes

New installation and upgrade procedures

The Windows version of Splunk Enterprise now has a more streamlined installation and upgrade workflow. The installer now assumes specific defaults (for new installations) and retains existing settings (for upgrades) by default. To make any changes from the default on installations, you must check the "Customize options" button. During upgrades, your only option is to accept the license agreement. See "Installation options."

The Splunk Web service installs but does not run

Beginning with Splunk Enterprise v6.2, the splunkd service handles all Splunk Web operations. However, on Windows instances, the installer still installs the splunkweb service, although the service quits immediately on launch when operating in normal mode. You can configure the service to run in legacy mode by changing a configuration parameter in web.conf. See "Start Splunk Enterprise on Windows in legacy mode" in the Admin manual.

Important: Do not run Splunk Web in legacy mode permanently. Use legacy mode to temporarily work around issues introduced by the new integration of the user interface with the main splunkd service. Once you correct the issues, return Splunk Web to normal mode as soon as possible.

No support for search head clustering in Windows

The search head clustering feature is only available on Splunk Enterprise running on *nix hosts at this time. To use search head clustering, you must install *nix instances of Splunk Enterprise and configure search head clustering on those instances.

No support for enabling Federal Information Processing Standards (FIPS) after an upgrade

There is no supported upgrade path from a Splunk Enterprise system with enabled Secure Sockets Layer (SSL) certificates to a system with FIPS enabled. If you need to enable FIPS, you must do so on a new installation.

The default behavior for translating security identifiers (SID) and globally unique identifiers (GUID) when monitoring Windows Event Log data has changed

The evt_resolve_ad_obj attribute, which controls whether or not Splunk Enterprise attempts to resolve SIDs and GUIDs when it monitors event log channels, is now disabled by default for all channels. When you upgrade, any inputs.conf monitor stanzas that do not explicitly enable this attribute will no longer perform this translation.
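To see which inputs lose SID and GUID translation, the added example below (not part of the original manual) lists the event log stanzas in one inputs.conf file that do not explicitly enable the attribute, written here as evt_resolve_ad_obj, the spelling used in inputs.conf. It is a shell and awk sketch meant for a copy of the file, for example on a deployment server; the sample configuration is constructed, and the script reads a single file without merging layered default and local settings.

```shell
#!/bin/sh
# Added example, not Splunk code. Reads one conf file only; it does not merge
# layered default/local configuration.

# stanzas_not_enabling <conf|-> <stanza-prefix> <attribute>
# Prints each stanza whose name starts with <stanza-prefix> and that does not
# set <attribute> to 1 or true. "-" reads the conf text from stdin.
stanzas_not_enabling() {
    awk -v prefix="$2" -v attr="$3" '
        function emit() { if (name != "" && index(name, prefix) == 1 && !on) print name }
        { sub(/\r$/, "") }                  # tolerate Windows CRLF line endings
        /^[ \t]*#/ { next }                 # comment line
        /^[ \t]*\[/ {                       # stanza header: report the previous one
            emit()
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\][ \t]*$/, "", name)
            on = 0; next
        }
        /=/ {                               # key = value; the last setting wins
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == attr) on = (val == "1" || tolower(val) == "true")
        }
        END { emit() }
    ' "$1"
}

# Constructed sample inputs.conf, not taken from a real deployment.
sample_inputs_conf() {
    cat <<'EOF'
[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1

[WinEventLog://Application]
disabled = 0

[WinEventLog://System]
evt_resolve_ad_obj = 0

[monitor://C:\logs\app.log]
sourcetype = app
EOF
}

sample_inputs_conf | stanzas_not_enabling - 'WinEventLog://' evt_resolve_ad_obj
```

Each stanza printed needs an explicit setting if you still want translated SIDs and GUIDs from that channel after the upgrade.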

Learn about known upgrade issues

To learn about any additional upgrade issues for Splunk Enterprise, see the "Known Issues - Upgrade Issues" page in the Release Notes.

Last modified on 30 March, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15
