How to upgrade Splunk Enterprise
The process of upgrading a single Splunk Enterprise instance is straightforward. In many cases, you upgrade the software by installing the latest package over your existing installation. When you upgrade on Windows systems, the installer package detects the version that you have previously installed and offers to upgrade it for you.
The process of upgrading a distributed or clustered Splunk Enterprise deployment differs based on the type of deployment and whether or not the instance hosts various Splunk apps and add-ons.
If the Splunk Enterprise instance or deployment that you want to upgrade has one or more premium Splunk apps installed, such as Splunk IT Service Intelligence, Enterprise Security, or User Behavior Analytics, you might need to plan your upgrade sequence and target version levels to maintain version compatibility with the premium apps, depending on your business needs. The Splunk Products version compatibility matrix shows which specific versions of Splunk Enterprise are compatible and supported with Splunk premium apps.
In any case, you must upgrade Splunk Enterprise with an operating system account that satisfies the following requirements:
- The account has administrative privileges on the machine where you perform the upgrade, and
- The account can write to the instance directory and all of its subdirectories.
What's new and awesome in 6.6?
See Meet Splunk Enterprise 6.6 in the Release Notes for a full list of the new features that are available in version 6.6.
See the known issues in the Release Notes for a list of issues and workarounds in this release.
See the About upgrading to 6.6: READ THIS FIRST page for important information that you need to know before starting the upgrade process.
Upgrade paths to version 6.6
The following table describes the upgrade paths that are available to version 6.6 from previous versions of Splunk Enterprise.
Find the version you currently run in the leftmost column and read across to determine the upgrade path for that version. If your version does not appear in the leftmost column, then there is no supported upgrade path to the latest version. You must upgrade to a version that is in this list first.
|Your current version||First upgrade to||Then upgrade to||README link||Rel. Notes link|
|5.0.x||6.3.x||6.6||6.3 README||6.3 Rel. Notes|
|6.0.x||6.6||N/A||6.6 README||6.6 Rel. Notes|
|6.1.x||6.6||N/A||6.6 README||6.6 Rel. Notes|
|6.2.x||6.6||N/A||6.6 README||6.6 Rel. Notes|
|6.3.x||6.6||N/A||6.6 README||6.6 Rel. Notes|
|6.4.x||6.6||N/A||6.6 README||6.6 Rel. Notes|
|6.5.x||6.6||N/A||6.6 README||6.6 Rel. Notes|
Splunk Enterprise upgrade process
The Splunk Enterprise upgrade process consists of three phases:
- Phase 1: Back up and verify that components work as you expect
- Phase 2: Install updated components
- Phase 3: Confirm everything works after the upgrade
This process applies to upgrades of all Splunk Enterprise deployments. Depending on the kind of deployment you have, some steps might differ from what this page shows.
Phase 1: Back up and verify that components work as you expect
The following procedure catalogues the first phase of an upgrade to Splunk Enterprise. The specific steps you take to upgrade might differ slightly based on the size and kind of your Splunk Enterprise deployment and whether or not your deployment runs a premium Splunk app.
- Back up your existing deployment, including configurations and data. For more information about backing up your Splunk Enterprise deployment, see Back up configuration information in the Admin Manual and Back up indexed data in Managing Indexers and Clusters of Indexers.
- Validate your backups and confirm that they can be restored.
- Where applicable, use Monitoring Console to take a snapshot of the health of your existing Splunk Enterprise deployment.
- If you run a clustered Splunk Enterprise environment, confirm that the cluster is healthy.
- If you run a Splunk Enterprise license master machine, confirm that it is healthy, that all indexers successfully connect to it, and that all licenses are available for entry or exist on backup media.
- If you run a deployer on a search head cluster, confirm that it is healthy and can push configuration bundles to all SHC peers without problems.
- If you run a deployment server machine, confirm that it is healthy, that configurations reload successfully, an that all forwarders can connect to it.
- Review the forwarder-indexer compatibility matrix to confirm that all forwarders in your deployment work with the version of indexer to which you plan to upgrade. Older versions of forwarder might not be compatible due to various security cipher changes.
- For distributed deployments of any kind, confirm that all machines in the indexing tier satisfy the following conditions:
- They have sufficient disk space available for installation of the updated software
- They run basic searches without problems
- They do not run their own saved searches
- For distributed deployments of any kind, confirm that all machines in the search tier satisfy the following conditions:
- The version of Splunk Enterprise that you want to upgrade can run your apps, add-ons, and dashboards
- You have all security keys, configurations, and credentials available for possible reentry
- Searches do not fail because of incorrect authentication credentials
Phase 2: Install updated Splunk Enterprise components
After you complete the pre-upgrade steps, you can begin upgrading individual Splunk Enterprise components. Depending on your deployment, you might need to run additional steps, repeat some steps, or run multiple types of upgrade procedure.
- Read About upgrading to 6.6: READ THIS FIRST completely prior to starting any upgrade.
- If you run premium Splunk apps, see the Splunk Products version compatibility matrix to determine the versions of Splunk Enterprise that your apps support.
- Determine the kinds of upgrade you need to perform based on the environment you have.
- For distributed environments, follow the instructions at How to upgrade a distributed Splunk Enterprise environment.
- For clustered environments, see one of the following topics:
- For single instance deployments, follow the upgrade instructions for your operating system type:
- For universal forwarders, follow the upgrade instructions for your operating system type:
- During the upgrade, depending on the component that you upgrade, you might need to perform validation steps to ensure the upgrade is successful.
- On a cluster master node, you might need to run validation searches or use operating system tools to determine cluster master health and readiness to proceed to the next upgrade phase.
- On forwarders, you can use Monitoring Console to determine that data ingestion levels remain at pre-upgrade rates as forwarders come back online.
- On standalone indexers, you can run searches to determine that data ingestion and search participation occur normally.
- On clustered indexers, you can use Monitoring Console to determine that indexers come back online and appear as normal in the Clustering Status page.
Phase 3: Confirm everything works after the upgrade
After you complete the upgrade of Splunk Enterprise components, follow these steps to confirm that your upgrade was successful. As with the other phases, specific steps might differ slightly based on the number and kind of Splunk Enterprise components that you have in your deployment.
- Confirm that your Splunk apps and add-ons work like they did before the upgrade.
- If you have a distributed deployment, use Monitoring Console to verify all Splunk Enterprise components.
- Review resource utilization for all components and compare to what you benchmarked prior to the upgrade.
- Confirm all components are available.
- If you have a distributed deployment, confirm that the license master machine works properly and all indexers connect to it, like you did before the upgrade.
- If you have an clustered deployment, confirm that the cluster master operates normally and that cluster peers are connecting properly.
- If you have a distributed deployment, confirm that the search tier operates normally and that search and indexers communicate without problems
- If you have a search head cluster, use the Monitoring Console to verify SHC cluster state and individual cluster peer nodes.
- If you have an indexer cluster, confirm that all indexer cluster nodes reestablish communications with the cluster master.
Additional general upgrade information
Get and install the "no-enforcement" license
The "no-enforcement" license is standard on all new installations of Splunk Enterprise. If you want to use this license type after an upgrade, you must get and install it on your Splunk Enterprise instance separately. Your instance must run Splunk Enterprise 6.5.0 or later. If you have a distributed deployment, the Splunk Enterprise instance that acts as your license master must run 6.5.0 or later. You do not need to upgrade the rest of your deployment to 6.5.0 for a no-enforcement license to work. You must have a contract in good standing with Splunk to take advantage of this new license type.
For additional information about the new license, see Types of Splunk software licenses in the Admin Manual.
To enable the new license behavior:
- Upgrade your Splunk Enterprise environment (single instance or license master, at minimum) to 6.5.0 or later.
- Contact your sales representative, who will confirm your details and, along with Splunk Support, issue you a no-enforcement license key.
- Apply the key to your Splunk Enterprise instance or, in the case of a distributed deployment, your license master instance.
- Restart Splunk Enterprise on the individual host or license master for the new license to take effect.
Replace lost package manifest files
Splunk installation packages have manifest files that Splunk software needs to run. The manifest files exist in the root of the Splunk installation and end in
-manifest. If the files are not present (for example, if you have deleted them) then Splunk software cannot run as it can not verify that it is a valid installation.
If you delete those files in the process of upgrading, or for any reason, you can restore them with the following procedure:
- Download an identical copy of the Splunk installer that you downloaded previously. This copy must be the same version and architecture, as manifest files are specific to each version.
- Extract the files to a directory that is not your existing Splunk installation.
- Copy the files from this directory to the root directory of your Splunk installation.
- Start Splunk Enterprise and confirm that it starts normally.
Install a license
About upgrading to 6.6 READ THIS FIRST
This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12