Splunk® Light (Legacy)

Installation Manual


On October 22, 2021, Splunk Light will reach its end of life. After this date, Splunk will no longer maintain or develop this product.

Before you upgrade Splunk Light

Read this topic before you upgrade to learn important information and tips about the Splunk Light upgrade process.

Review Release Notes and Known Issues

For the version of Splunk Light you are upgrading to, review the associated release notes and known issues.

Back up your existing deployment

Always back up your existing Splunk Light deployment before you perform any upgrade or migration.

You can manage upgrade risk by using technology that lets you restore your Splunk Light installation and data to a state prior to the upgrade, whether that is external backups, disk or file system snapshots, or other means. When backing up your Splunk Light data, consider the $SPLUNK_HOME directory and any indexes outside of it.

For more information about backing up your Splunk Light deployment, see the Back up configuration information in the Splunk Enterprise Admin Manual and Back up indexed data in the Splunk Enterprise Managing Indexers and Clusters Manual.

Upgrade universal forwarders

Upgrading universal forwarders is a different process than upgrading Splunk Light. Before upgrading your universal forwarders, see the appropriate upgrade topic for your operating system:

To learn about interoperability and compatibility between indexers and forwarders, see Indexer and universal forwarder compatibility in the Splunk Enterprise Forwarding Data Manual.

Important upgrade information and changes

Here are some things that you should be aware of when installing the new version:

Stats percentile results might shift by a few percent

When calculating percentiles (and quantities based on percentiles, such as the median), the stats, tstats, and sistats commands do not compute exact values; they approximate them. Before Splunk Enterprise 7.0, these commands used rdigest by default. After you upgrade, the default digest behavior of all three commands changes to tdigest. Our testing has shown tdigest to be more performant than rdigest, especially for the new mstats command.

Long-running dashboards that use percentiles (and medians) might display slightly different results upon an upgrade to Splunk Enterprise 7.0. The difference can be up to 5% of the calculated value, depending on your data set. Data sets with many duplicated values experience the largest shift. After the initial shift, stats continues using the new digest method and does not produce another shift unless you switch back to using the rdigest method.

If you prefer to use rdigest, you can revert the digest behavior globally in the stats or sistats stanza in limits.conf. This also controls the behavior for tstats.

See limits.conf.spec for a description of rdigest and tdigest.

The use of disabled lookups in searches or other lookups is no longer allowed

You can no longer use a disabled lookup as part of a search or other lookup. After you upgrade, when you attempt to use a disabled lookup, you will receive the error message: "The lookup table '<lookup name>' is disabled."

The instrumentation feature adds a new internal index and can increase disk space usage

The instrumentation feature of Splunk Light, which lets you share Splunk Light performance statistics with Splunk after you opt in, includes a new internal index which can cause disk space usage to rise on hosts that you upgrade. You can opt out of sharing performance data by following the instructions at Share data in Splunk Light.

For Linux, confirm that the introspection directory has the correct permissions

If you run Splunk Light on Linux as a non-root user, and use an RPM to upgrade, the RPM writes the $SPLUNK_HOME/var/log/introspection directory as root. This can cause errors when you attempt to start the instance later. To prevent this, chown the $SPLUNK_HOME/var/log/introspection directory to the user that Splunk Light runs as after upgrading and before restarting Splunk Light or Splunk Enterprise.
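
The ownership check and repair described above can be scripted as follows. This is an added example, not part of the Splunk documentation; the `splunk` account name and the `/opt/splunk` fallback path are assumptions.

```shell
#!/bin/sh
# Added example: audit and repair ownership of the introspection directory
# after an RPM upgrade. The "splunk" account and /opt/splunk are assumptions.

# Print every path under DIR that is NOT owned by OWNER (user name or numeric uid).
list_wrong_owner() {
    dir=$1 owner=$2
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    find "$dir" ! -user "$owner" -print
}

# Count those paths; prints 0 when ownership is already correct.
count_wrong_owner() {
    list_wrong_owner "$1" "$2" | wc -l | tr -d ' '
}

# chown the tree to OWNER only when something is wrong, then verify the result.
fix_owner() {
    dir=$1 owner=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    if [ "$(count_wrong_owner "$dir" "$owner")" -gt 0 ]; then
        chown -R "$owner" "$dir" || return 1
    fi
    [ "$(count_wrong_owner "$dir" "$owner")" -eq 0 ]
}

# Usage (as root, after the upgrade and before restarting):
#   SPLUNK_HOME=/opt/splunk sh introspection_owner.sh check|fix [user]
target="${SPLUNK_HOME:-/opt/splunk}/var/log/introspection"
case "${1:-}" in
    check) list_wrong_owner "$target" "${2:-splunk}" ;;
    fix)   fix_owner "$target" "${2:-splunk}" ;;
esac
```

Running `check` first shows exactly which files the RPM left owned by root, so the change made by `fix` can be reviewed before the instance is restarted.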

For Linux, Splunk Light support for running multiple searches on a single process could increase memory usage

As of version 6.5, Splunk Light can launch multiple searches on a single process on *nix hosts.

When you upgrade, you should see improved search performance, but you might also see increased memory usage.

This change is not applicable on Windows instances of Splunk Light.

Splunk Light now identifies search commands that could negatively impact performance

In an effort to improve security and performance, some Search Processing Language (SPL) commands have been tagged with a variable that prompts Splunk Enterprise to warn you about performance impact when you use them in a search query. After an upgrade, you might see a warning message that a search that you run has commands that might have risky side effects.

Support for Internet Explorer versions 9 and 10 has been removed

Microsoft has announced that support for all versions of Internet Explorer below version 11 has ended as of January 12, 2016. Owing to that announcement, Splunk has ended support for Splunk Web for these same versions. This might result in a suboptimal browsing experience in Internet

When you upgrade, you should also upgrade the version of Internet Explorer that you use to 11 or later. An alternative is to use another browser that Splunk supports.

New installation and upgrade procedures

The Windows version of Splunk Light and Splunk Enterprise has a more streamlined installation and upgrade workflow. The installer now assumes specific defaults (for new installations) and retains existing settings (for upgrades) by default. To make any changes from the default on installations, you must check the "Customize options" button. During upgrades, your only option is to accept the license agreement.

This feature was introduced in Splunk Enterprise 6.2, but we retain it here for those who upgrade to 6.5 from earlier versions.

Changes have been made to support more granular authorization for Windows inputs

Splunk Enterprise has been updated to allow for more control when using Windows inputs like Network Monitoring and Host Monitoring. If you use Splunk Enterprise as a user with a role that does not inherit from other roles, it is possible that the user might not be able to access certain Windows inputs.

This change was introduced in Splunk Enterprise 6.4, but we retain it here for those who upgrade to 6.5 from earlier versions.

No support for enabling Federal Information Processing Standards (FIPS) after an upgrade

There is no supported upgrade path from a Splunk Enterprise system with enabled Secure Sockets Layer (SSL) certificates to a system with FIPS enabled. If you need to enable FIPS, you must do so on a new installation.

The default behavior for translating security identifiers (SID) and globally unique identifiers (GUIDs) when monitoring Windows Event Log data has changed

The evt_resolve_ad_obj attribute, which controls whether or not Splunk Enterprise attempts to resolve SIDs and GUIDs when it monitors event log channels, is now disabled by default for all channels. When you upgrade, any inputs.conf monitor stanzas that do not explicitly define this attribute will no longer perform this translation.

This change was introduced in Splunk Enterprise 6.2, but we retain it here for those who upgrade to 6.5 from earlier versions.
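
To find the event log inputs that lose SID and GUID translation after the upgrade, the following added example (not Splunk tooling) lists the `WinEventLog://` stanzas in one inputs.conf file that do not set `evt_resolve_ad_obj` explicitly. The sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report WinEventLog stanzas that rely on the default
# for evt_resolve_ad_obj. Reads the file given as $1, or stdin if none.
missing_resolve_attr() {
    awk '
        # Emit the previous stanza if it was an event log input without the attribute.
        function flush() { if (name != "" && !seen) print name }
        /^[ \t]*#/ { next }                      # commented-out settings do not count
        /^[ \t]*\[/ {
            flush()
            name = ""; seen = 0
            line = $0
            sub(/^[ \t]*\[/, "", line); sub(/\].*$/, "", line)
            if (line ~ /^WinEventLog:\/\//) name = line
            next
        }
        /^[ \t]*evt_resolve_ad_obj[ \t]*=/ { seen = 1 }
        END { flush() }
    ' "$@"
}

# Constructed sample inputs.conf (not taken from a real deployment).
sample_inputs_conf() {
    cat <<'EOF'
[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1

[WinEventLog://Application]
disabled = 0

[WinEventLog://System]
# evt_resolve_ad_obj = 1
index = wineventlog

[monitor:///var/log/messages]
sourcetype = syslog
EOF
}

# With a file argument, audit that file; otherwise audit the constructed sample.
if [ $# -gt 0 ]; then
    missing_resolve_attr "$1"
else
    sample_inputs_conf | missing_resolve_attr
fi
```

The script inspects a single file only. Settings layered from other inputs.conf copies are not considered, so compare against the merged view from `splunk btool inputs list` before adding the attribute.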

Last modified on 22 June, 2018

This documentation applies to the following versions of Splunk® Light (Legacy): 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6
