How to upgrade Splunk Enterprise
The process of upgrading a single Splunk Enterprise instance is straightforward. In many cases, you upgrade the software by installing the latest package over your existing installation. When you upgrade on Windows systems, the installer package detects the version that you have previously installed and offers to upgrade it for you.
The process of upgrading a distributed or clustered Splunk Enterprise deployment differs based on the type of deployment and whether or not the instance hosts various Splunk apps and add-ons.
If the Splunk Enterprise instance or deployment that you want to upgrade has one or more premium Splunk apps installed, such as Splunk IT Service Intelligence, Enterprise Security, or User Behavior Analytics, you need to plan your upgrade sequence and target version levels to maintain version compatibility with the premium apps. The Splunk products version compatibility matrix shows which specific versions of Splunk Enterprise are compatible and supported with premium Splunk apps.
Regardless of deployment type, you must upgrade Splunk Enterprise with an operating system account that satisfies the following requirements:
- The account has administrative privileges on the machine where you perform the upgrade
- The account can write to the instance directory and all of its subdirectories.
This topic provides specific information for upgrading to version 7.3 from a previous version. If you do not want to upgrade to version 7.3, use the Version drop-down list to choose the target version that you want.
Always use the upgrade instructions for the version to which you want to upgrade. Earlier or later versions of upgrade instructions can present information that appears to conflict with information for your target version.
Upgrade information for version 7.3
Read on to learn the information you need to upgrade your deployment of Splunk Enterprise to version 7.3, including the supported upgrade paths, information that might affect you when you upgrade, and links to information on features and release notes.
Upgrade paths to version 7.3
The following table describes the upgrade paths that are available to version 7.3 from previous versions of Splunk Enterprise.
Find the version you currently run in the first column and read across to determine the upgrade path for that version. If your version does not appear in the first column, then there is no supported upgrade path to the latest version. You must upgrade to a version that is in this list first.
|Your current version||First upgrade to||Then upgrade to||README link||Rel. Notes link|
|6.0.x||6.6.x||7.3||6.6 README||6.6 Rel. Notes|
|6.1.x||6.6.x||7.3||6.6 README||6.6 Rel. Notes|
|6.2.x||6.6.x||7.3||6.6 README||6.6 Rel. Notes|
|6.3.x||6.6.x||7.3||6.6 README||6.6 Rel. Notes|
|6.4.x||6.6.x||7.3||6.6 README||6.6 Rel. Notes|
|6.5.x||6.6.x||7.3||6.6 README||6.6 Rel. Notes|
|6.6.x||7.3||N/A||7.3 README||7.3 Rel. Notes|
|7.0.x||7.3||N/A||7.3 README||7.3 Rel. Notes|
|7.1.x||7.3||N/A||7.3 README||7.3 Rel. Notes|
|7.2.x||7.3||N/A||7.3 README||7.3 Rel. Notes|
Splunk Enterprise upgrade process
The upgrade process for Splunk Enterprise consists of three phases:
- Phase 1: Identify, back up, and verify that components work as you expect
- Phase 2: Install updated Splunk Enterprise components
- Phase 3: Confirm everything works after the upgrade
This process applies to upgrades of all Splunk Enterprise deployments. Depending on the kind of deployment you have, some steps might differ from what this page shows.
Phase 1: Identify, back up, and verify that components work as you expect
Use the following steps to prepare a Splunk Enterprise upgrade. Specific steps might differ based on the size and kind of deployment and whether or not your deployment runs a premium Splunk app.
- Identify all of the components in your development. This determines the upgrade procedures that you must follow during the upgrade phase:
- Identify all single-instance components.
- Identify all distributed components that are not in a cluster.
- Identify all clustered components.
- Back up your existing deployment, including configurations and data. For more information about backing up your Splunk Enterprise deployment, see Back up configuration information in the Admin Manual and Back up indexed data in the Managing Indexers and Clusters of Indexers manual.
- Validate your backups and confirm that they can be restored.
- Where applicable, use the Monitoring Console to take a snapshot of the health of your existing Splunk Enterprise deployment.
- If you run a clustered Splunk Enterprise environment, use the Monitoring Console to confirm that the cluster is healthy.
- If you run a Splunk Enterprise license master machine, confirm that it is healthy, that all indexers successfully connect to it, and that all license keys either are available for entry or exist on backup media.
- If you run a deployer on a search head cluster, confirm that it is healthy and can push configuration bundles to all SHC peers without problems.
- If you run a deployment server machine, confirm that it is healthy, that configurations reload successfully, an that all forwarders can connect to it.
- Review the forwarder-indexer compatibility matrix in Compatibility between forwarders and indexers in the Universal Forwarder manual to confirm that all forwarders in your deployment work with the version of indexer to which you plan to upgrade. Older versions of forwarder might not be compatible due to various security cipher changes.
- For distributed deployments of any kind, confirm that all machines in the indexing tier satisfy the following conditions:
- They have sufficient disk space available for installation of the updated software
- They run basic searches without problems
- They do not run their own saved searches
- On distributed deployments of any kind, confirm that all machines in the search tier satisfy the following conditions:
- The version of Splunk Enterprise that you want to upgrade can run your apps, add-ons, and dashboards
- You have all security keys, configurations, and credentials available for possible reentry
- Searches do not fail because of incorrect authentication credentials
Phase 2: Install updated Splunk Enterprise components
After you complete the pre-upgrade steps in Phase 1, you can begin upgrading individual Splunk Enterprise components. Depending on your deployment type, you might need to perform additional steps.
- Read About upgrading to 7.3: READ THIS FIRST completely prior to starting an upgrade.
- If you run premium Splunk apps, see the Splunk Products version compatibility matrix to determine the versions that your apps support.
- Upgrade the Splunk Enterprise components in your deployment, based on the deployment architecture you identified in Phase 1:
- For distributed environments that do not have clusters, follow the instructions in How to upgrade a distributed Splunk Enterprise environment.
- For clustered environments, see one of the following topics:
- For single instance deployments, follow the upgrade instructions for your operating system type:
- During the upgrade, depending on the component that you upgrade, you might need to perform validation steps to ensure the upgrade is successful.
- On a cluster master node, you might need to run validation searches or use operating system tools to determine cluster master health and readiness before you proceed to the next upgrade phase.
- On forwarders, you can use Monitoring Console to determine that data ingestion levels remain at pre-upgrade rates as forwarders come back online.
- On standalone indexers, you can run searches to determine that data ingestion and search participation occur normally.
- On clustered indexers, you can use Monitoring Console to determine that indexers come back online and appear as normal in the Clustering Status page.
Phase 3: Verify everything works after the upgrade
After you complete the upgrade of Splunk Enterprise components, follow these high-level steps to confirm that your upgrade was successful. As with the other phases, specific steps might differ based on the number and kind of Splunk Enterprise components that you have in your deployment.
- Confirm that your Splunk apps and add-ons work like they did before the upgrade.
- If you have a distributed deployment, use Monitoring Console to verify all Splunk Enterprise components.
- Review resource utilization for all components and compare to what you benchmarked prior to the upgrade.
- Confirm all components are available.
- If you have a distributed deployment, confirm that the license master machine works properly and all indexers connect to it, like they did before the upgrade.
- If you have a clustered deployment, confirm that the cluster master operates normally and that cluster peers are connecting properly.
- If you have a distributed deployment, confirm that the search tier operates normally and that search and indexers communicate without problems
- If you have a search head cluster, use the Monitoring Console to verify search head cluster state and individual cluster peer nodes.
- If you have an indexer cluster, confirm that all indexer cluster nodes reestablish communications with the cluster master.
Optional upgrade activities
The following section describes optional steps that you can perform after an upgrade. This includes installing the no-enforcement license on installations that run version 6.5 and higher, and restoring package manifest files after an upgrade if those files were mistakenly deleted during the upgrade.
Get and install the "no-enforcement" license
You can get a Splunk license that does not block searches after a license has been in violation.
This license is standard on all new installations of Splunk Enterprise. If you want to use this license type after an upgrade, you must get and install it on your Splunk Enterprise instance separately. Your instance must run Splunk Enterprise 6.5.0 or higher. If you have a distributed deployment, the Splunk Enterprise instance that acts as your license master must run 6.5.0 or higher. You do not need to upgrade the rest of your deployment to 6.5.0 for a no-enforcement license to work. You must have a contract in good standing with Splunk to take advantage of this license type.
For additional information about the license, see Types of Splunk software licenses in the Admin Manual.
To enable the license behavior, do the following:
- Upgrade your Splunk Enterprise environment (single instance or license master, at minimum) to 6.5.0 or higher.
- Contact your sales representative, who can confirm your details and, along with Splunk Support, issue you a no-enforcement license key.
- Apply the key to your Splunk Enterprise instance or, in the case of a distributed deployment, your license master instance.
- Restart Splunk Enterprise on the individual host or license master for the new license to take effect.
Replace lost package manifest files
Splunk Enterprise installation packages have manifest files that Splunk Enterprise needs to run. The manifest files exist in the root of the Splunk Enterprise installation and end in
-manifest. If the files are not present, then Splunk Enterprise cannot run because it cannot verify that it is a valid installation.
If you delete those files in the process of upgrading, or for any reason, you can restore them with the following procedure:
- Download an identical copy of the Splunk Enterprise installer that you downloaded previously. This copy must be the same version and architecture, since manifest files are specific to each version.
- Extract the files to a directory that is not your existing Splunk Enterprise installation.
- Copy the files from this directory to the root directory of your Splunk Enterprise installation.
- Start Splunk Enterprise and confirm that it starts normally.
Install a license
About upgrading to 7.3 READ THIS FIRST
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0