Splunk® Enterprise

Installation Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

About upgrading to 7.2 READ THIS FIRST

Consider upgrading to the latest version of Splunk Enterprise.
Support remains in effect until October 2020, but you can get the latest in performance enhancements, bug fixes, and features by upgrading to the latest version.

See the following documentation for more information:

Read this topic before you upgrade to learn important information and tips about the upgrade process to version 7.2 from a lower version.

Splunk App and Add-on Compatibility

Not all Splunk apps and add-ons are compatible with Splunk Enterprise version 7.2. Visit Splunkbase to confirm that your apps are compatible with Splunk Enterprise version 7.2.

If you use Enterprise Security version 5.0.x or lower, do not upgrade to Splunk Enterprise version 7.2. This version of Splunk Enterprise is not compatible with Splunk Enterprise Security versions 5.0.x and lower.

Upgrade clustered environments

To upgrade an indexer cluster, see Upgrade an indexer cluster in Managing Indexers and Clusters of Indexers. Those instructions supersede the upgrade material in this manual.

To upgrade a search head cluster, see Upgrade a search head cluster in Distributed Search. Those instructions supersede the upgrade material in this manual.

Upgrade paths

Splunk Enterprise supports the following upgrade paths to version 7.2 of the software:

  • From version 6.5 or higher to 7.2 on full Splunk Enterprise.
  • From version 6.5 or higher to 7.2 on Splunk universal forwarders.

If you run a version of Splunk Enterprise lower than 6.5:

  1. Upgrade from your current version to version 6.5.
  2. Upgrade to version 7.2.

See About upgrading to 6.5 - READ THIS FIRST for tips on migrating your instance to version 6.5.

Important upgrade information and changes

Here are some things that you should be aware of when installing the new version:

Significant tsidx performance improvements are turned off by default

Splunk Enterprise 7.2 introduces a change to the file format of tsidx index files, resulting in significant size reduction. The reduced file size leads to improved search performance through decreased I/O, improved utilization of SmartStore caches, and so on.

This change is beneficial under all circumstances. However, to upgrade multisite indexer clusters without search interruption, it is necessary to defer the format change until after the upgrade completes and all peer nodes can switch to the new format simultaneously. For this reason, Splunk Enterprise 7.2 ships with the feature turned off by default.

Turn this feature on, immediately after you complete your 7.2 upgrade.

To turn on the feature, edit indexes.conf on each indexer (or, in the case of indexer clusters, in the master node's configuration bundle). Set tsidxWritingLevel to 2. Make this change in the default section of the file, so that it applies to all indexes:


FIELDALIAS configurations behave differently with regard to the application of alias field names

When you upgrade to version 7.2 of Splunk Enterprise, the behavior of certain field alias configurations changes. This behavior affects events where the alias field is already present before field alias processing takes place.

  • If both the source field and the alias field are present in the event, the search head overwrites the value of the alias field to match the value of the source field.
  • If the alias field is present in the event but the source field is missing or has a null value, the search head removes the alias field from the event.

This is how field aliasing should work in these situations. However, you may have searches that rely on the old field alias behavior. A new ASNEW syntax has been added to enable you to provide the pre-7.2 behavior to your field alias configurations.

The pre-7.2 field alias behavior enabled users to create sets of field alias configurations that matched multiple source fields with one alias field. You can use the ASNEW syntax to continue doing this. A better practice would be to use a calculated field that uses the coalesce function to create a new field that takes the value of one or more existing fields. This method lets you be explicit about ordering of input field values in the case of null fields. For example: EVAL-ip = coalesce(clientip,ipaddress).

See Field alias behavior change in the Release Notes for further details.

Upgrades to App Key Value Store require database resynchronization in the event of a need to downgrade Splunk Enterprise

When you upgrade to version 7.2 of Splunk Enterprise, the database for App Key Value Store (also known as KV store) also gets upgraded. This can result in problems in a case where you need to downgrade from version 7.2 back to version 7.1.

If you need to downgrade Splunk Enterprise to version 7.1 or lower for any reason, then, before you start the downgrade, run the following command from a shell prompt or PowerShell window to resync KV Store for the lower version:

curl -u username:password -XPOST https://<splunk>:8089/services/kvstore/resync/resync?featureCompatibilityVersion=3.4

You must run this command before you commence downgrade activities on the instance.

To troubleshoot KV store issues during an upgrade or downgrade, see KV store messages in the Admin Manual.

Splunk Enterprise uses a new cipher suite and message authentication code for inter-Splunk communication

Splunk Enterprise 7.2 introduces a new cipher suite and message authentication code (MAC) that replaces the existing cipher suite that was responsible for securely handling inter-Splunk communications.

The new suite and MAC are not compatible with the old suite. Splunk instances that run version 7.2 and higher of Splunk software have been configured by default to allow inter-Splunk communication using both the new and old suites. However, if you later configure a 7.2 or higher instance to run only the new suite and MAC, inter-Splunk communication between versions that run only the old suite is not possible. You cannot configure lower versions of Splunk software to use the new suite.

For more information about the changes, see Configure secure inter-Splunk communications with updated cipher suite and message authentication code in Securing Splunk Enterprise.

The new Splunk credentials scheme might affect scripted upgrades

Splunk Enterprise 7.1 introduced a new password scheme for Splunk software users. In version 7.2, the scheme has been extended to let you customize administrator credential creation for Splunk Enterprise instances.

This scheme includes additional settings and configuration options, which can affect how you upgrade if you use scripts to automate the upgrade process. You might need to change your upgrade scripts before performing scripted upgrades. Specifically, confirm that you do not pass any illegal arguments to the Splunk CLI for starting or restarting Splunk Enterprise during the upgrade, as this could result in a situation where Splunk Enterprise does not start after the upgrade has completed.

The new Splunk credentials scheme might affect new scripted installations

While the software retains existing credentials during an upgrade, if you perform scripted installations, those installations might be affected significantly by the new credential scheme. You might need to modify your scripts before you perform scripted installations with version 7.2 and higher of the software. Carefully read the following topics to understand the updated installation process:

For more information on the updated password policy, see Password best practices for administrators.

Additionally, your Splunk administrator might introduce password eligibility requirements that affect you if you change your password after an upgrade. See Configure Splunk password policies in Securing Splunk Enterprise for additional information.

The Splunk Web user interface has been updated significantly

Splunk Web has been refreshed with a new, improved look. While many user interface controls remain the same as they were in previous versions, the interface looks different than before, and some items have been relocated. This might cause confusion for those who have become accustomed to the previous interface.

Support for the ext2 (second extended) file system on Linux has been removed

(Originally introduced in version 7.1)

Support for the ext2 file system on Linux operating systems has been removed. If you still run an ext2 file system on a Linux machine that runs Splunk Enterprise, you must upgrade that filesystem on that machine to a minimum of ext3 before you upgrade Splunk Enterprise.

Data model searches now only use fields that have been defined within the data model

(Originally introduced in version 7.1)

When you upgrade to version 7.2 of Splunk Enterprise, data model searches can only use field names that have been defined within the data model. Splunk Enterprise no longer automatically extracts field names.

Additionally, if you have a data model search that references an automatically extracted field name that contains whitespace, you must work around the fact that data models do not allow field names that contain whitespace.

Scheduled views reaper might increase disk I/O and CPU usage on startup

(Originally introduced in version 7.1)

When you upgrade to version 7.2 of Splunk Enterprise, a new process that checks and removes orphaned scheduled views (saved searches or reports that generate PDFs on a schedule) runs. This happens when Splunk Enterprise starts, and might result in increased disk I/O and CPU usage on startup.

The default color scheme for choropleth maps has changed

(Originally introduced in version 7.1)

The color scheme for choropleth maps and single-value visualizations has changed in Splunk Enterprise 7.2. Existing visualizations will be retained through the upgrade, but any new visualizations that you create after an upgrade will use the new color scheme.

HTTP Event Collector now cleans up idle indexer ACK channels by default

(Originally introduced in version 7.1)

After an upgrade to version 7.2 of Splunk Enterprise, the HTTP Event Collector now cleans up any indexer ACK channels it finds that have an idle time of more than 'maxIdleTime' seconds, as defined by that setting in the inputs.conf configuration file, by default. While this results in improved HEC performance, you might experience a slight increase in network and CPU activity during the cleanup.

Modified navigation menus in default Splunk apps will be removed after upgrade

(Originally introduced in version 7.1)

After an upgrade to version 7.2 of Splunk Enterprise, any modifications that you have made to navigation menus in default Splunk apps will be removed.

As a reminder, you should not make edits to default apps or configurations, as they can be and, in nearly all cases, are removed after an upgrade. Edit local configurations rather than making modifications to Splunk default configurations and apps.

Stats percentile results might shift by a few percent

(Originally introduced in version 7.0)

Splunk software computes percentiles and median in stats and related commands (tstats, streamstats, eventstats, chart, timechart, sistats, sichart, sitimechart) using an approximation algorithm (unless you use the exactperc aggregation function). Before Splunk Enterprise 7.0, these commands used an approximation algorithm called rdigest. After you upgrade, the default digest behavior changes to tdigest, which has been shown to be more performant than rdigest in some cases, metrics data in particular.

Reports that use percentiles and medians might emit slightly different results upon an upgrade to Splunk Enterprise 7.0. The difference is usually small (less than 1%) but could be greater for highly skewed datasets. After the initial shift, stats continues using the new digest method and does not produce another shift unless you switch back to using the rdigest method.

If you want, you can revert the digest behavior globally in limits.conf. The behavior for stats, tstats, streamstats, eventstats, chart, and timechart are controlled by the setting in the stats stanza. The behavior for sistats, sichart, and sitimechart are controlled by the setting in the sistats stanza.

See limits.conf.spec in the Admin Manual.

The use of disabled lookups in searches or other lookups is no longer allowed

(Originally introduced in version 7.0)

You can no longer use a disabled lookup as part of a search or other lookup. After you upgrade, when you attempt to use a disabled lookup, you receive the error message The lookup table '<lookup name>' is disabled.

The ability to customize the number of reports retrieved might reduce browser performance

(Originally introduced in version 7.0)

You can now increase or decrease the number of reports that Splunk Web can retrieve at a time by modifying an entry in web.conf. If you increase the number of reports that can be retrieved after you upgrade, you might cause problems with browser performance due to the number of reports available.

SPL operator keywords can break saved searches

(Originally introduced in version 6.6)

As of version 6.6 of Splunk Enterprise, new SQL-style search processing language (SPL) keywords were introduced, such as IN and OR. These new keywords can potentially break existing saved searches after an upgrade if those searches contain these new keywords (for example, search country=IN or search state=OR.

Before you upgrade, review existing saved searches and add quotes around any searches that contain these new operators (for example, search country="IN" or search state="OR".) For more information on these operators, see the search command usage information in the Search Reference Manual.

A new load-balancing scheme for forwarders is available

(Originally introduced in version 6.6)

All forwarder types now have a new scheme for balancing load between receiving indexers.

In addition to balancing load by time, they can also balance load by amount of data sent. The autoLBVolume setting in outputs.conf controls this setting.

See Choose a load balancing method in Forwarding Data for additional information.

Connectivity over SSL between version 7.0 and version 5.0 and lower is disabled by default

(Originally introduced in version 6.6)

Because of changes to the security ciphers in version 7.0 of Splunk Enterprise, instances of Splunk software that run on version 5.0 or less cannot connect to instances of version 7.0 or greater by default.

When you upgrade, any instances that run version 5.0 or lower no longer communicates with the upgraded instance over SSL. For a workaround, you can edit inputs.conf and outputs.conf on the sending instances to enable ciphers that allow communication between the instances.

For more information, see the Known Issues - Upgrade Issues page in the Splunk Enterprise 6.6.0 Release Notes.

Data model acceleration sizes on disk might appear to increase

(Originally introduced in version 6.6)

If you have created and accelerated a custom data model, the size that Splunk software reports it as being on disk has increased.

When you upgrade, data model acceleration summary sizes can appear to increase by a factor of up to two to one. This apparent increase in disk usage is the result of a refactoring of how Splunk software calculates data model acceleration summary disk usage. The calculation that Splunk software performs in version 7.0 is more accurate than in previous versions.

The number of potential data model acceleration searches has increased

(Originally introduced in version 6.6)

The default number of concurrent searches that are used for data model acceleration has been increased from two to three.

If you have an environment that uses data models, that have not yet been accelerated, Splunk software might run up to three searches to accelerate the data models. This can result in increased CPU, memory, and disk usage on the search heads that are accelerating the data models and can also cause more concurrent searches overall in an environment where the search heads are not clustered.

Security changes in SSL and TLS could affect customers who use LDAP

(Originally introduced in version 6.6)

If you have configured Splunk software to use the Lightweight Directory Access Protocol (LDAP) to authenticate, after an upgrade, changes in security settings for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) could prevent the software from connecting to the LDAP server.

If that occurs, you can roll back the updated settings by doing the following:

  1. Open $SPLUNK_HOME/etc/openldap/ldap.conf for editing with a text editor.
  2. Comment the lines that begin with the following:

  4. Save the ldap.conf file and close it.
  5. Restart Splunk software.

The 'autoLB' universal forwarder setting in outputs.conf is no longer configurable

(Originally introduced in version 6.6)

The autoLB setting, which controls how universal forwarders send data to indexers, and which only had a valid setting of true, has been locked to that value. Since auto-loadbalancing is the only way that forwarders can send data, there is no longer a reason to make that setting configurable. Universal forwarders will now ignore attempts to configure the setting to anything other than true.

You might notice an error about a bad configuration for autoLB during the startup check. You can safely ignore this error.

The 'compressed' settings on a forwarder and a receiving indexer no longer must match for the instances to communicate

(Originally introduced in version 6.6)

Forwarders and indexers now auto-negotiate their connections. After an upgrade, it is no longer necessary for you to confirm that the compressed setting in an outputs.conf stanza on the forwarder matches the corresponding compressed setting in a splunktcp:// stanza in inputs.conf on the receiver for the forwarder-receiver connection to work.

Indexers in a distributed Splunk environment now respect the INDEXED setting in fields.conf on search heads only

(Originally introduced in version 6.6)

To better align with documented best practice, the way that indexers handle the INDEXED setting in fields.conf has changed.

Indexers now respect the setting as it has been configured on search heads only. When you upgrade, if you have only configured this setting in fields.conf on indexers, you must configure it on the search heads if it is not there.

Use different settings for better data distribution between indexers in a load-balanced forwarder configuration

(Originally introduced in version 6.6)

If you have a setup where universal forwarders have been configured to send data to indexers in a load-balanced scheme, you should replace configurations that have forceTimeBasedAutoLB with those that use EVENT_BREAKER_ENABLE and EVENT_BREAKER instead. For more information about these new settings, see Configure load balancing for Splunk Enterprise in the Universal Forwarder Manual.

Protection for the '/server/info' REST endpoint is now on by default

(Originally introduced in version 6.6)

In version 6.5 of Splunk Enterprise, a setting was introduced to require authentication to access the server/info REST endpoint.

After you upgrade, this protection is enabled by default.

Memory usage on indexers increases during indexing operations

(Originally introduced in version 6.5)

When you upgrade to version 7.0 of Splunk Enterprise, the amount of memory that indexers use during indexing operations increases. If you have configured an indexer with parallelization (multiple indexing pipelines), the usage increase can be significant.

Indexers that have been configured with a single indexing pipeline, which is the default for a Splunk Enterprise installation, see memory usage increases of up to 10%. Indexers that have two pipeline sets see increases of up to 15%. Indexers that have been configured with four indexing pipelines see increases of up to 25%.

Confirm that your indexers meet or exceed the minimum hardware specifications that the Capacity Planning Manual details before you perform an upgrade. See Reference hardware for memory details for each host.

The free version of Splunk now includes App Key Value Store

(Originally introduced in version 6.5)

When you upgrade to version 7.0 of Splunk Enterprise, the free version of Splunk Enterprise gets access to the App Key Value Store feature.

This change results in processes running on your host that support App Key Value Store. These processes might result in extra memory or disk space usage.

The instrumentation feature adds an internal index and can increase disk space usage

(Originally introduced in version 6.5)

The instrumentation feature of Splunk Enterprise, which lets you share Splunk Enterprise performance statistics with Splunk after you opt in, includes a new internal index which can cause disk space usage to rise on hosts that you upgrade. You can opt out of sharing performance data by following the instructions at Share data in Splunk Enterprise in the Admin Manual.

Certain JSChart limits have been increased which might reduce performance in older browsers

(Originally introduced in version 6.5)

The number of series, results, and data points that a JSChart chart element can display has been increased.

The number of series has doubled from 50 to 100. The number of results that can be displayed has increased from 1000 to 10,000. The number of total data points has increased from 20,000 to 50,000.

If you have not already changed the defaults for these JSChart elements, then you will see more data points on your JSChart elements after an upgrade. If you use an older browser to interact with Splunk Enterprise, you might also see slightly reduced performance.

A new capability 'deleteIndexesAllowed' has been added that inhibits index deletion

(Originally introduced in version 6.5)

A new user capability, deleteIndexesAllowed, has been added. Non-administrator user roles must hold this capability before they can delete indexes. After you upgrade, you can assign this capability to any non-administrator user roles so that they can delete indexes.

User roles must also hold the "delete_by_keyword" capability to delete indexes.

Windows-specific changes

The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cipher suites in version 7.2 are not supported on Windows Server 2008 R2

(Originally introduced in version 6.6)

The TLS and SSL cipher suites that come with version 7.2 of Splunk Enterprise do not support Windows Server 2008 R2 by default. If you upgrade, and you used SSL and TLS to handle forwarder-to-indexer communication or alert actions, those actions will not work until you make updates to both Windows and Splunk Enterprise configurations.

See About TLS encryption and cipher suites in Securing Splunk Enterprise for instructions on how to configure Windows Server 2008 R2 and Splunk Enterprise to use the new cipher suites.

The Windows Event Log monitoring input has improved performance, new settings, and changes in behavior

(Originally introduced in version 6.6)

The Windows Event Log monitoring input now has improved performance. Owing to improved efficiencies in how the input retrieves and processes events, it provides up to twice the performance as previous versions. To improve performance further, several new input settings have been added. Also, the input now respects the checkpointInterval setting in an Event Log monitoring stanza. For additional information about the changes, see Monitor Windows Event Log data in Getting Data In.

Before you upgrade:

  • Review your Event Log monitoring input stanzas and confirm that the checkpointInterval setting is not set to something very large. Large settings might result in a large number of duplicate events after Splunk Enterprise restarts from a crash. If you have not already set checkpointInterval then you do not need to set it now.
  • Confirm that the machines that retrieve Windows Event Log data meet or exceed the minimum requirements as described in System Requirements for user of Splunk Enterprise on-premises. In particular, if the timely arrival of Event Log events is critical for your organization, any machines that use the input must conform with those requirements.

The Windows universal forwarder installation package no longer includes the Splunk Add-on for Windows

(Originally introduced in version 6.5)

The installation package for the universal forwarder no longer includes the Splunk Add-on for Windows. If you need the add-on, you must download and install it separately.

The installer does not delete existing installations of the add-on.

Support for Internet Explorer versions 9 and 10 has been removed

(Originally introduced in version 6.5)

Microsoft has announced that support for all versions of Internet Explorer below version 11 has ended as of January 12, 2016. Owing to that announcement, Splunk has ended support for Splunk Web for these same versions. This might result in a suboptimal browsing experience in lower versions of Internet Explorer.

When you upgrade, also upgrade the version of Internet Explorer that you use to 11 or higher. An alternative is to use another browser that Splunk supports.

Learn about known upgrade issues

To learn about any additional upgrade issues for Splunk Enterprise, see the Known Issues - Upgrade Issues page in the Release Notes.

Last modified on 28 November, 2019
How to upgrade Splunk Enterprise
How to upgrade a distributed Splunk Enterprise environment

This documentation applies to the following versions of Splunk® Enterprise: 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters