Splunk® Enterprise

Installation Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

About upgrading to 6.6 READ THIS FIRST

Here are some changes in Splunk Enterprise behavior to note when you upgrade an existing instance to version 6.6.

Review this topic before starting an upgrade to any components. It contains important upgrade considerations and information on product updates that could affect you when you upgrade to this version.

Changes that can potentially break Splunk Enterprise installations

The following information can keep you from breaking your installation when you upgrade it. Before you start downloading software, review this list to prevent problems during the upgrade process that could result in unexpected downtime.

  • Do not upgrade indexer clusters in-place. See the upgrade instructions for indexer clusters.
  • Do not upgrade search head clusters in-place. See the upgrade instructions for search head clusters.
  • Due to changes in SSL ciphers, older versions of universal forwarder might start having communication problems after an upgrade. Either upgrade the forwarders to the latest version or confirm that SSL ciphers on forwarders and indexers match. See Upgrade issues in the Release Notes for instructions.
  • Stop Splunk Enterprise before backing up App Key Value Store databases.

During-upgrade occurrences that appear to be problems but are normal

  • On indexers, memory and CPU usage will increase due to the following:
    • New data ingestion pipelines
    • Data model acceleration summary rebuilds, while rebuilds are in progress
  • Permissions on the Splunk Enterprise introspection directory might change. Confirm that the user that runs Splunk Enterprise has write permission to the $SPLUNK_HOME/var/log/introspection directory.
  • Deployment servers might push updates to all deployment clients due to app bundle hash recalculations.

Considerations for features that have been changed for or removed from this version

  • Support for the Linux second extended file system (ext2) was removed. Before you upgrade Splunk Enterprise, upgrade your filesystem to one that Splunk Enterprise supports. See System requirements for the list.
  • The deployment monitor app was removed. Use Monitoring Console instead.

Considerations for new features that have been added to this version

  • App Key Value Store requires that you open additional network ports for it to function. By default, it uses TCP ports 8065 and 8191. See About app key value store for more information.

Other changes to Splunk Enterprise product behavior

This section categorizes the following categories of general product behavior changes:

  • Those that apply specifically to version 6.6
  • Those that apply to versions that you can directly upgrade to version 6.6. This includes versions 6.0, 6.1, 6.2, 6.3, 6.4, and 6.5. These changes include the version in which the change was originally made in their descriptions

If you upgrade from a version that cannot be directly upgraded to version 6.6 to an intermediate version that can be, the behavior changes for that intermediate version apply after you upgrade. When you complete the upgrade to version 6.6, all of the behavior changes in this topic apply.

Customers who run version 6.4.7 of Splunk Enterprise might reintroduce software defects by upgrading to version 6.6.0 or 6.6.1

Some defects that Splunk fixed in version 6.4.7 are not yet fixed in version 6.6.0 or 6.6.1. If you run version 6.4.7 of Splunk Enterprise, you might reintroduce those defects by upgrading to version 6.6.0 or 6.6.1.

Consider waiting for version 6.6.2 to arrive before upgrading from version 6.4.7.

This notice applies only to customers that run version 6.4.7 and want to upgrade to version 6.6.0 or 6.6.1. It does not apply to those who run version 5.x or any other version of 6.x.

A new load-balancing scheme for forwarders is available

As of version 6.6 of Splunk Enterprise, all forwarder types now have a new scheme for balancing load between receiving indexers.

In addition to balancing load by time, they can also balance load by amount of data sent. The autoLBVolume setting in outputs.conf controls this setting.

See Choose a load balancing method in Forwarding Data for additional information.

Connectivity over SSL between version 6.6 and version 5.0 and earlier is disabled by default

Because of changes to the security ciphers in version 6.6 of Splunk Enterprise, instances of Splunk software that run on version 5.0 or less cannot connect to instances of version 6.6 or greater by default.

When you upgrade, any instances that run version 5.0 or earlier will no longer communicate with the upgraded instance over SSL. To work around the problem, edit inputs.conf and outputs.conf on the sending instances to enable ciphers that allow communication between the instances.

For more information, see the Known Issues - Upgrade Issues page in the Release Notes.

Data model acceleration sizes on disk might appear to increase

If you have created and accelerated a custom data model, the size that Splunk software reports it as being on disk has increased.

When you upgrade, data model acceleration summary sizes can appear to increase by a factor of up to two to one. This apparent increase in disk usage is the result of a refactoring of how Splunk software calculates data model acceleration summary disk usage. The calculation that Splunk software performs in version 6.6 is more accurate than in previous versions.

The number of potential data model acceleration searches has increased

The default number of concurrent searches that are used for data model acceleration has been increased from two to three.

If you have an environment that uses a number of data models, and those models have not yet been accelerated, Splunk software might run up to three searches to accelerate the data models. This can result in increased CPU, memory, and disk usage on the search heads that are accelerating the data models and can also cause more concurrent searches overall in an environment where the search heads are not clustered.

Security changes in SSL and TLS could affect customers who use LDAP

If you have configured Splunk software to use the Lightweight Directory Access Protocol (LDAP) to authenticate, after an upgrade, changes in security settings for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) could prevent the software from connecting to the LDAP server.

If that occurs, you can roll back the updated settings by doing the following:

  1. Open $SPLUNK_HOME/etc/openldap/ldap.conf for editing with a text editor.
  2. Comment the lines that begin with the following:
  3. Save the ldap.conf file and close it.
  4. Restart Splunk software.

The 'autoLB' universal forwarder setting in outputs.conf is no longer configurable

The autoLB setting, which controls how universal forwarders send data to indexers, and which only had a valid setting of true, has been locked to that value. Since auto-loadbalancing is the only way that forwarders can send data, there is no longer a reason to make that setting configurable. Universal forwarders will now ignore attempts to configure the setting to anything other than true.

You might notice an error about a bad configuration for autoLB during the startup check. You can safely ignore this error.

The 'compressed' settings on a forwarder and a receiving indexer no longer must match for the instances to communicate

Forwarders and indexers now auto-negotiate their connections. After an upgrade, it is no longer necessary for you to confirm that the compressed setting in an outputs.conf stanza on the forwarder matches the corresponding compressed setting in a splunktcp:// stanza in inputs.conf on the receiver for the forwarder-receiver connection to work.

Indexers in a distributed Splunk environment now respect the INDEXED setting in fields.conf on search heads only

To better align with documented best practice, the way that indexers handle the INDEXED setting in fields.conf has changed.

Indexers now respect the setting as it has been configured on search heads only. When you upgrade, if you have only configured this setting in fields.conf on indexers, you must configure it on the search heads if it is not there.

Use different settings for better data distribution between indexers in a load-balanced forwarder configuration

If you have setup where universal forwarders have been configured to send data to indexers in a load-balanced scheme, you should replace configurations that have forceTimeBasedAutoLB with those that use EVENT_BREAKER_ENABLE and EVENT_BREAKER instead. For more information about these new settings, see Configure load balancing for Splunk Enterprise in the Universal Forwarder manual.

Protection for the '/server/info' REST endpoint is now on by default

In version 6.5 of Splunk Enterprise, a setting was introduced to require authentication to access the server/info REST endpoint.

After you upgrade, this protection will be enabled by default.

Memory usage on indexers increases during indexing operations

(Originally introduced in version 6.5)

When you upgrade to version 6.6 of Splunk Enterprise, the amount of memory that indexers use during indexing operations increases. If you have configured an indexer with parallelization (multiple indexing pipelines), the usage increase can be significant.

Indexers that have been configured with a single indexing pipeline (which is the default for a Splunk Enterprise installation) see memory usage increases of up to 10%. Indexers that have two pipeline sets see increases of up to 15%. Indexers that have been configured with four indexing pipelines see increases of up to 25%.

Confirm that your indexers meet or exceed the minimum hardware specifications that the Capacity Planning manual details before you perform an upgrade. See Reference hardware for memory details for each host.

The free version of Splunk now includes App Key Value Store

(Originally introduced in version 6.5)

When you upgrade to version 6.6 of Splunk Enterprise, the free version of Splunk Enterprise gets access to the App Key Value Store feature.

This change results in processes running on your host that support App Key Value Store. These processes might result in extra memory or disk space usage.

The instrumentation feature adds a new internal index and can increase disk space usage

(Originally introduced in version 6.5)

The instrumentation feature of Splunk Enterprise, which lets you share Splunk Enterprise performance statistics with Splunk after you opt in, includes a new internal index which can cause disk space usage to rise on hosts that you upgrade. You can opt out of sharing performance data by following the instructions at Share performance data in the Admin Manual.

Distributed search now defaults to a single protocol

(Originally introduced in version 6.4)

In an effort to reduce the potential of problems when search heads connect to search peers, several settings have been added or changed in distsearch.conf that control this process.

  • The trySSLFirst setting no longer has any meaning in the context of search head-to-search peer connections.
  • A new setting defaultUriScheme controls what protocol search heads use to connect to search peers, and can be configured to http or https. This setting acts as the default connection scheme for any peers that you add to a search head after you configure the setting.

After you upgrade, review distsearch.conf to confirm that the file has been updated with the new variables.

Certain JSChart limits have been increased which might reduce performance in older browsers

(Originally introduced in version 6.5)

The number of series, results, and data points that a JSChart chart element can display have been increased.

The number of series has doubled from 50 to 100. The number of results that can be displayed has increased from 1000 to 10,000. And the number of total data points has increased from 20,000 to 50,000.

If you have not already changed the defaults for these JSChart elements, then you will see more data points on your JSChart elements after an upgrade. If you use an older browser to interact with Splunk Enterprise, you might also see slightly reduced performance.

A new capability 'deleteIndexesAllowed' has been added that inhibits index deletion

(Originally introduced in version 6.5)

A new user capability has been added that requires non-administrator user roles to hold it before they can delete indexes. After you upgrade, you must assign this capability to any non-administrator user roles before they can delete any indexes.

User roles must also have the "delete_by_keyword" capability.

Migration time might increase significantly if there are a large number of data model or report acceleration summaries

(Originally introduced in version 6.4)

When you upgrade to version 6.6 of Splunk Enterprise, the software generates checksums for data model and report acceleration summaries as part of the migration. This action is for better compatibility with indexes on indexer clusters, but happens on all deployments. If your deployment has a large number of existing data model or report acceleration summaries, the checksum generation process might take a long time. Splunk Enterprise generates entries in migration.log during the process:

Generating checksums for datamodel and report acceleration bucket summaries for all indexes.
If you have defined many indexes and summaries, summary checksum generation may take a long time.
Processed 1000 out of 10007 configured indexes.
Processed 2000 out of 10007 configured indexes.
Processed 10000 out of 10007 configured indexes.
Finished generating checksums for datamodel and report acceleration bucket summaries for all indexes.

The working directory for the inputcsv, outputcsv, and streamedcsv search commands has changed

(Originally introduced in version 6.4)

The working directory for the inputcsv, outputcsv, and streamedcsv search commands has changed. When you execute these search commands after an upgrade, Splunk Enterprise stores and reads the files they create in $SPLUNK_HOME/var/run/splunk/csv, rather than $SPLUNK_HOME/var/run/splunk.

The upgrade process moves any existing working files to the new directory and logs the following message to migration.log:

Creating $SPLUNK_HOME/var/run/splunk/csv and moving inputcsv/outputcsv files into the created directory.

Note the following migration issues:

  • Apps, add-ons, or scripts that use the commands or that reference the old working directory could be negatively affected when you upgrade due to the changed directory location.
  • You must manually migrate any files that you use in conjunction with inputcsv that do not end with the .csv file extension, or that are in a subdirectory.
  • If you have a component that is external to Splunk Enterprise that uses the outputcsv command, you must manually update the paths of any files or scripts in that component that use the command.
  • Additionally, if the component contains files that outputcsv has generated, and those files either do not end in .csv or are in a subdirectory, you must migrate those files to the new working directory manually.

Search commands that exist only in a user context will no longer execute

(Originally introduced in version 6.4)

If you have any search commands that run in the context of a specific Splunk Enterprise user (meaning that the commands have been defined in a commands.conf only for that user, for example, $SPLUNK_HOME/etc/users/alice/local/commands.conf), those commands will no longer be available for execution after you upgrade.

To fix the problem, move the command configurations to either the app level (put the configurations into $SPLUNK_HOME/etc/apps/<app_name>/local/commands.conf) or the system level ($SPLUNK_HOME/etc/system/local/commands.conf).

Confirm that the introspection directory has the correct permissions

(Originally introduced in version 6.4)

If you run Splunk Enterprise on Linux as a non-root user, and use an RPM to upgrade, the RPM writes the $SPLUNK_HOME/var/log/introspection directory as root. This can cause errors when you attempt to start the instance later. To prevent this, chown the $SPLUNK_HOME/var/log/introspection directory to the user that Splunk Enterprise runs as after upgrading and before restarting Splunk Enterprise.

The Splunk Web visualizations editor changes take precedence over existing 'rangemap' configurations for single-value visualizations

(Originally introduced in version 6.4)

If you use the rangemap search command to define ranges and colors for single-value visualizations on dashboards, use the Format editor instead when you upgrade. Changes that you make with the Format editor to these visualizations override the rangemap configurations. Going forward, generate new single value visualizations by using a query that does not contain the rangemap command, and then use the Format editor to configure ranges, colors, or any additional settings.

Any changes that you make with the editor to single-value visualizations that were generated with = rangemap override edits that you make to the range map command. Additionally, while the editor attempts to preserve the existing configuration, it no longer recognizes rangemap as a valid command to generate these types of visualizations.

Splunk Enterprise now limits the addition of search peers with a large time skew

(Originally introduced in version 6.4)

When you upgrade to Splunk Enterprise 6.6, you will no longer be able to use Splunk Web to add search peers with a time skew of more than 10 minutes from the search head where you add the peers.

You can change this setting by editing limits.conf on the search head and setting the addpeer_skew_limit to a positive integer that is lower than its default of 600 (seconds).

Splunk Enterprise support for running multiple searches on a single process could increase memory usage

(Originally introduced in version 6.4)

As of version 6.6, Splunk Enterprise can launch multiple searches on a single process on *nix hosts.

When you upgrade, you should see improved search performance, but you might also see increased memory usage.

This change is not applicable on Windows instances of Splunk Enterprise.

Support for the Deployment Monitor app has been removed

(Originally introduced in version 6.3)

Support for the Splunk Deployment Monitor App has been removed. When you upgrade to Splunk Enterprise 6.6, use the monitoring console instead to monitor your distributed deployment. See Monitoring Splunk Enterprise.

Data block signing has been removed

(Originally introduced in version 6.3)

Data block signing has been removed from Splunk Enterprise.

Accelerated custom data model summaries will rebuild on upgrade

(Originally introduced in version 6.3, can happen on upgrades from 6.3)

)When you upgrade to Splunk Enterprise 6.6, any accelerated custom data model summaries that are present on the instance - such as those created by the Splunk App for Enterprise Security - will be rebuilt. This is because of optimizations to data model searches that have been made, which make the searches incompatible with previously generated summaries.

During the rebuild process, CPU, memory, and disk I/O usage on indexers with the summaries will increase significantly. Searches that rely on those data model summaries will be very slow and might not work fully.

If you need to prevent Splunk Enterprise from automatically rebuilding these summaries on upgrade, make the following changes to your Splunk Enterprise configuration before starting an upgrade:

In datamodels.conf:

acceleration.manual_rebuilds = true

In limits.conf:

allow_old_summaries = true

There is now a limit on the number of learned source types

(Originally introduced in version 6.3)

For all versions of Splunk Enterprise, the number of source types that an instance can learn in the process of monitoring and indexing files has been limited.

To reduce instances where CPU and memory usage spiked during such operations, a new attribute that controls how many source types an instance learns when it monitors files and analyzes file contents has been created. The limit is 1000, and you can change this setting by editing the following attribute in limits.conf and restarting Splunk Enterprise:

learned_sourcetypes_limit = <number>

While this setting should prevent memory and CPU spikes, continue to use props.conf and inputs.conf to define and apply source types.

Parallel summarization for data model summaries has been enabled

(Originally introduced in version 6.3)

The number of searches that the Splunk platform runs at a time to generate summary files for data models has changed.

When you upgrade to Splunk Enterprise 6.6, the software runs two concurrent search jobs to generate the summary files, instead of one. This change is called "parallel summarization." It might result in an increase in CPU and memory usage on the instance that contains the data models while the search jobs run, but results in faster availability of data model summaries.

You can change this setting back to the previous default for individual data models. See Parallel summarization in the Knowledge Manager Manual.

You must now enable access to Splunk Enterprise debugging endpoints

(Originally introduced in version 6.3)

Splunk Enterprise used to allow access to debugging endpoints by default. This is no longer the case. When you upgrade, you won't be able to access the debugging endpoints until you make a change in web.conf and restart Splunk Enterprise:

enableWebDebug = true

Migration from search head pooling to search head clustering

If you want to migrate to search head clustering from a standalone search head, or from search head pooling, which has been deprecated, you must follow specific instructions and use new Splunk Enterprise instances for search head cluster members. See the following topics in the Distributed Search manual for more information on migrating to search head clustering:

Search head clusters now respect user- and role-based search quotas

(Originally introduced in version 6.3)

When you upgrade to Splunk Enterprise 6.6, any search head clusters that you have deployed will respect and enforce search quotas that are in place for users and roles. This might result in some searches not executing, depending on the number of concurrent searches that are active. To defeat this feature, set the following attributes in limits.conf:

shc_role_quota_enforcement = false
shc_local_quota_check = true

The App Key Value Store service might increase disk space usage

(Originally introduced in version 6.2)

The App Key Value Store (or KV Store) service, which provides a way for you to maintain the state of your application by storing and retrieving data within it, might cause an increase in disk usage on the instance, depending on how many apps you run. You can change where the KV Store service puts its data by editing server.conf, and you can restore data used by KV Store with the splunk clean CLI command. See About the app key value store in the Admin manual.

Splunk Enterprise now identifies search commands that could negatively impact performance

In an effort to improve security and performance, some Search Processing Language (SPL) commands have been tagged with a variable that prompts Splunk Enterprise to warn you about performance impact when you use them in a search query. After an upgrade, you might see a warning message that a search that you run has commands that might have risky side effects.

Results for unaccelerated data models now match results from accelerated data models

(Originally introduced in version 6.2)

The way that unaccelerated data models query indexes for events has changed.

These models now query all indexes, rather than just the default index. This means that the number of results you see for unaccelerated data models should now match the number of results you see for accelerated data models.

After you upgrade, you might see more results for an unaccelerated data model than you did prior to upgrading.

New installed services open additional network ports

(Originally introduced in version 6.2)

Splunk Enterprise installs and runs two additional services: App Key Value Store and App Server. This opens two network ports by default on the local machine: 8065 (for App Server) and 8191 (for App Key Value Store.) Confirm that no firewall block these ports. The App Key Value Store service also starts an additional process, mongod. If needed, you can disable App Key Value Store by editing server.conf and changing the dbPath attribute to a valid path on a file system that the Splunk Enterprise instance can reach. See About the app key value store in the Admin manual.

Formatting for single-value visualizations has changed

(Originally introduced in version 6.3)

The formatting for single-value visualizations has changed in that these visualizations have been redesigned to be as readable as possible from a distance. When you upgrade, dashboards that use these visualizations might be impacted by very large letters or numbers.

To work around the problem, you can either:

  • Make use of the new time context if you show a numeric value that you can query over time.
  • Use Simple XML to reduce the single value panel height from its default of 115 pixels. Or,
  • Replace the single value panel with a custom HTML panel.

See this post on Splunk Answers for additional information prior to upgrading.

New default values for some attributes can impact Splunk operations over SSL

(Originally introduced in version 6.3)

There are new defaults which can possibly impact running Splunk Enterprise over SSL:

  • The supportSSLv3Only attribute, which controls how Splunk Enterprise handles SSL clients, now has a default setting of true. This means that only clients who can speak the SSL v3 protocol can connect to the Splunk Enterprise instance.
  • The cipherSuite attribute, which controls the encryption protocols that can be used during an SSL connection, now has a default setting of TLSV1+HIGH:@STRENGTH. This means that only clients that possess a Transport Layer Security (TLS) v1 cipher with a 'high' encryption suite can connect to a Splunk Enterprise instance.

Login page customization has changed

Login page customization has changed as of version 6.6 of Splunk Enterprise. To learn how the new customization process works, see Customize the login page in Developing Views and Apps for Splunk Web.

Indexer cluster maintenance mode behavior change

Maintenance mode now persists across master restarts. You must explicitly disable maintenance mode when you no longer need it. See Use maintenance mode in the Managing Indexers and Clusters manual.

Windows-specific changes

The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cipher suites in version 6.6 are not supported on Windows Server 2008 R2

The TLS and SSL cipher suites that come with version 6.6 of Splunk Enterprise do not support Windows Server 2008 R2 by default. If you upgrade, and you used SSL and TLS to handle forwarder-to-indexer communication or alert actions, those actions will not work until you make updates to both Windows and Splunk Enterprise configurations.

See About TLS encryption and cipher suites for instructions on how to configure Windows Server 2008 R2 and Splunk Enterprise to use the new cipher suites.

The Windows Event Log monitoring input has improved performance, new settings, and changes in behavior

The Windows Event Log monitoring input now has improved performance. Owing to improved efficiencies in how the input retrieves and processes events, it provides up to twice the performance as previous versions. To improve performance further, several new input settings have been added. Also, the input now respects the checkpointInterval setting in an Event Log monitoring stanza. For additional information about the changes, see Monitor Windows Event Log data in Getting Data In.

Before you upgrade:

  • Review your Event Log monitoring input stanzas and confirm that the checkpointInterval setting is a reasonable one (meaning, you have not set it to something very large.) Large settings might result in a large number of duplicate events after Splunk Enterprise restarts from a crash. If you have not already set checkpointInterval then you do not need to set it now.
  • Confirm that the machines that retrieve Windows Event Log data meet or exceed the minimum requirements as described in the system requirements page in this manual. In particular, if the timely arrival of Event Log events is critical for your organization, any machines that use the input must conform with those requirements.

Splunk does not expect any other impacts to occur as a result of an upgrade.

The Windows universal forwarder installation package no longer includes the Splunk Add-on for Windows

(Originally introduced in version 6.5)

The installation package for the universal forwarder no longer includes the Splunk Add-on for Windows. If you need to use the add-on, you must download and install it separately.

The installer does not delete existing installations of the add-on.

Support for Internet Explorer versions 9 and 10 has been removed

(Originally introduced in version 6.5)

Microsoft has announced that support for all versions of Internet Explorer below version 11 has ended as of January 12, 2016. Owing to that announcement, Splunk has ended support for Splunk Web for these same versions. This might result in a suboptimal browsing experience in earlier versions of Internet Explorer.

When you upgrade, you should also upgrade the version of Internet Explorer that you use to 11 or later. An alternative is to use another browser that Splunk supports.

The Windows host monitoring input no longer monitors application state

(Originally introduced in version 6.3)

The Windows host monitor input has been modified to no longer monitor the state of installed applications.

Due to a bug in the system call that Splunk Enterprise uses to monitor application state, the Windows Installer service attempts to reconfigure all installed applications.

When you upgrade, any Windows host monitoring input stanzas that reference the "Application" attribute no longer function. The host monitoring input continues to function with other host monitoring stanza types that you have defined.

To get application state data, use the Windows Event Log monitor and search for Event ID Nos. 11707 (for installation) or 11724 (for uninstallation/removal.) You can also use a PowerShell script or the Windows Management Instrumentation Command-line tool (WMIC) as follows:

  • PowerShell: Get-WmiObject -Class Win32_Product | Format-List -Property Name,InstallDate,InstallLocation,PackageCache,Vendor,Version,IdentifyingNum
  • WMIC: wmic product get name,version,installdate

New installation and upgrade procedures

(Originally introduced in version 6.2)

The Windows version of Splunk Enterprise has a more streamlined installation and upgrade workflow. The installer now assumes specific defaults (for new installations) and retains existing settings (for upgrades) by default. To make any changes from the default on installations, you must check the "Customize options" button. During upgrades, your only option is to accept the license agreement. See Installation options."

Changes have been made to support more granular authorization for Windows inputs

(Originally introduced in version 6.4)

Splunk Enterprise has been updated to allow for more control when using Windows inputs like Network Monitoring and Host Monitoring. If you use Splunk Enterprise as a user with a role that does not inherit from other roles, it is possible that the user might not be able to access certain Windows inputs.

The Splunk Web service installs but does not run

(Originally introduced in version 6.2)

The splunkd service handles all Splunk Web operations. However, on Windows instances, the installer still installs the splunkweb service, although the service quits immediately on launch when operating in normal mode. You can configure the service to run in legacy mode by changing a configuration parameter in web.conf. See Start Splunk Enterprise on Windows in legacy mode in the Admin manual.

Do not run Splunk Web in legacy mode permanently. Use legacy mode to temporarily work around issues introduced by the new integration of the user interface with the main splunkd service. After you correct the issues, return Splunk Web to normal mode as soon as possible.

No support for enabling Federal Information Processing Standards (FIPS) after an upgrade

There is no supported upgrade path from a Splunk Enterprise system with enabled Secure Sockets Layer (SSL) certificates to a system with FIPS enabled. If you need to enable FIPS, you must do so on a new installation.

The default behavior for translating security identifiers (SID) and globally unique identifiers (GUIDs) when monitoring Windows Event Log data has changed

(Originally introduced in version 6.2)

The etc_resolve_ad_obj attribute, which controls whether or not Splunk Enterprise attempts to resolve SIDs and GUIDs when it monitors event log channels, is now disabled by default for all channels. When you upgrade, any inputs.conf monitor stanzas that do not explicitly define this attribute will no longer perform this translation.

Learn about known upgrade issues

To learn about any additional upgrade issues for Splunk Enterprise, see the Known Issues - Upgrade Issues page in the Release Notes.

Last modified on 04 June, 2019
How to upgrade Splunk Enterprise
How to upgrade a distributed Splunk Enterprise environment

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters