All Apps and Add-ons

Best practice for Splunk Upgrade 6.x to 7.x when add-ons haven't yet been certified?

Engager

Whats the generally given best practice for bumping up to the next major version of Splunk Enterprise when not all of the apps/add-ons have been certified yet ? In my instance, the 3 "Add-Ons" not validated for 7.x being Okta, Juniper and Infoblox (all of which are "Splunk Built/Supported").

0 Karma
1 Solution

Splunk Employee
Splunk Employee

This is not a best practice per ce, more a list of backward-compatibility risk assessment considerations:

  • does the add-on have any custom modular inputs? (check the bin folder in the app directory)
  • does the add-on have custom UI?

If the answer is "yes" the risk of installing on newer Splunk is higher and more rigorous testing is warranted. Many addons, however, such as Juniper have only Splunk configurations (.conf files) and these features stay quite stable as we move from version to version of Splunk enterprise. **This may change in the future.

If above is too generic, it's always a good practice to install the add-on on a staging environment before attempting a production upgrade and many add-ons should just work.

As for the specific add-ons in this question:
- Juniper is very close to a certified release
- Infoblox is on the list of items to be worked on in the next 2 months
- Recommended and supported solution for OKTA ingestion is now developed by OKTA and available here: https://splunkbase.splunk.com/app/3682/

View solution in original post

Splunk Employee
Splunk Employee

This is not a best practice per ce, more a list of backward-compatibility risk assessment considerations:

  • does the add-on have any custom modular inputs? (check the bin folder in the app directory)
  • does the add-on have custom UI?

If the answer is "yes" the risk of installing on newer Splunk is higher and more rigorous testing is warranted. Many addons, however, such as Juniper have only Splunk configurations (.conf files) and these features stay quite stable as we move from version to version of Splunk enterprise. **This may change in the future.

If above is too generic, it's always a good practice to install the add-on on a staging environment before attempting a production upgrade and many add-ons should just work.

As for the specific add-ons in this question:
- Juniper is very close to a certified release
- Infoblox is on the list of items to be worked on in the next 2 months
- Recommended and supported solution for OKTA ingestion is now developed by OKTA and available here: https://splunkbase.splunk.com/app/3682/

View solution in original post

New Member

Do you have any more information on the Infoblox add-on status and whether this will simply just support Splunk 7 or also new versions of Infoblox?

Latest I can see here is that the add-on supports Infoblox 6.10 but we are running 8.3 and the add-on is refusing to work currently.

0 Karma

Communicator

I do not know if there is a best practice with this. But it might depend on the size of your environment (single instance or multi instances). If you use a single instance I would choose to build the same environment on a virtual machine with some events of your original instance and check if an upgrade of the different apps would have any effect. However for bigger environments it is always recommended to have a testing environment and a productive environment. So every changes can be tested in the testing environment. Hope this helps!

Ultra Champion

I'd suggest opening a support ticket to get some tracking on the 7.x compatibility.