Before you upgrade Splunk Light
Read this topic before you upgrade to learn important information and tips about the Splunk Light upgrade process.
Review Release Notes and Known Issues
For the version of Splunk Light you are upgrading to, review the associated release notes and known issues.
Back up your existing deployment
Always back up your existing Splunk Light deployment before you perform any upgrade or migration.
You can manage upgrade risk by using technology that lets you restore your Splunk Light installation and data to a state prior to the upgrade, whether that is external backups, disk or file system snapshots, or other means. When backing up your Splunk Light data, consider the $SPLUNK_HOME directory and any indexes outside of it.
For more information about backing up your Splunk Light deployment, see the Back up configuration information in the Splunk Enterprise Admin Manual and Back up indexed data in the Splunk Enterprise Managing Indexers and Clusters Manual.
Upgrade universal forwarders
Upgrading universal forwarders is a different process than upgrading Splunk Light. Before upgrading your universal forwarders, see the appropriate upgrade topic for your operating system:
To learn about interoperability and compatibility between indexers and forwarders, see Indexer and universal forwarder compatibility in the Splunk Enterprise Forwarding Data Manual.
Important upgrade information and changes
Here are some things that you should be aware of when installing the new version:
Stats percentile results might shift by a few percent
When calculating percentiles (and quantities based on percentiles, like median), the
sistats commands do not directly calculate, they approximate. Before Splunk Enterprise 7.0, these commands used rdigest by default. After you upgrade, the default digest behavior of all three commands changes to tdigest. Our testing has shown tdigest to be more performant than rdigest, especially for the new
Long-running dashboards that use percentiles (and medians) might display slightly different results upon an upgrade to Splunk Enterprise 7.0. The difference can be up to 5% of the calculated value, depending on your data set. Data sets with many duplicated values experience the largest shift. After the initial shift,
stats continues using the new digest method and does not produce another shift unless you switch back to using the rdigest method.
If you prefer to use rdigest, you can revert the digest behavior globally in the
sistats stanza in
limits.conf. This also controls the behavior for
See limits.conf.spec for a description of rdigest and tdigest.
The use of disabled lookups in searches or other lookups is no longer allowed
You can no longer use a disabled lookup as part of a search or other lookup. After you upgrade, when you attempt to use a disabled lookup, you will receive the error message
The lookup table '<lookup name>' is disabled.
The instrumentation feature adds a new internal index and can increase disk space usage
The instrumentation feature of Splunk Light, which lets you share Splunk Light performance statistics with Splunk after you opt in, includes a new internal index which can cause disk space usage to rise on hosts that you upgrade. You can opt out of sharing performance data by following the instructions at Share data in Splunk Light.
For Linux, confirm that the introspection directory has the correct permissions
If you run Splunk Light on Linux as a non-root user, and use an RPM to upgrade, the RPM writes the
$SPLUNK_HOME/var/log/introspection directory as root. This can cause errors when you attempt to start the instance later. To prevent this,
$SPLUNK_HOME/var/log/introspection directory to the user that Splunk Light runs as after upgrading and before restarting Splunk Light or Splunk Enterprise.
For Linux, Splunk Light support for running multiple searches on a single process could increase memory usage
As of version 6.5, Splunk Light can launch multiple searches on a single process on *nix hosts.
When you upgrade, you should see improved search performance, but you might also see increased memory usage.
This change is not applicable on Windows instances of Splunk Light.
Splunk Light now identifies search commands that could negatively impact performance
In an effort to improve security and performance, some Search Processing Language (SPL) commands have been tagged with a variable that prompts Splunk Enterprise to warn you about performance impact when you use them in a search query. After an upgrade, you might see a warning message that a search that you run has commands that might have risky side effects.
Support for Internet Explorer versions 9 and 10 has been removed
Microsoft has announced that support for all versions of Internet Explorer below version 11 has ended as of January 12, 2016. Owing to that announcement, Splunk has ended support for Splunk Web for these same versions. This might result in a suboptimal browsing experience in Internet
When you upgrade, you should also upgrade the version of Internet Explorer that you use to 11 or later. An alternative is to use another browser that Splunk supports.
New installation and upgrade procedures
The Windows version of Splunk Light and Splunk Enterprise has a more streamlined installation and upgrade workflow. The installer now assumes specific defaults (for new installations) and retains existing settings (for upgrades) by default. To make any changes from the default on installations, you must check the "Customize options" button. During upgrades, your only option is to accept the license agreement.
This feature was introduced in Splunk Enterprise 6.2, but we retain it here for those who upgrade to 6.5 from earlier versions.
Splunk Enterprise has been updated to allow for more control when using Windows inputs like Network Monitoring and Host Monitoring. If you use Splunk Enterprise as a user with a role that does not inherit from other roles, it is possible that the user might not be able to access certain Windows inputs.
This change was introduced in Splunk Enterprise 6.4, but we retain it here for those who upgrade to 6.5 from earlier versions.
No support for enabling Federal Information Processing Standards (FIPS) after an upgrade
There is no supported upgrade path from a Splunk Enterprise system with enabled Secure Sockets Layer (SSL) certificates to a system with FIPS enabled. If you need to enable FIPS, you must do so on a new installation.
The default behavior for translating security identifiers (SID) and globally unique identifiers (GUIDs) when monitoring Windows Event Log data has changed
etc_resolve_ad_obj attribute, which controls whether or not Splunk Enterprise attempts to resolve SIDs and GUIDs when it monitors event log channels, is now disabled by default for all channels. When you upgrade, any
inputs.conf monitor stanzas that do not explicitly define this attribute will no longer perform this translation.
This change was introduced in Splunk Enterprise 6.2, but we retain it here for those who upgrade to 6.5 from earlier versions.
About upgrading and migrating Splunk Light
Upgrade or downgrade Splunk Light
This documentation applies to the following versions of Splunk® Light: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6