Deployment Architecture

POLL: How often do you update your Splunk Enterprise software in production?

GregZillgitt
Path Finder

We are having an internal debate concerning the frequency with which we should update our Splunk Enterprise software in our prod environment. I'm of a mind to do it roughly quarterly, which corresponds to Splunk's normal release cadence. Our admins prefer once per year. We're currently on 6.4.1.

I'm especially interested in what other large shops - with clustered indexers and search heads - are doing. I'll "vote up" every answer!

adam_reber
Path Finder

If you use orchestration software (such as Ansible) it makes upgrading much less of a headache. I'll do 90 systems about 2-3 times per year, and it takes around 2 hours to complete, with a few hours of prep work the first time around. Subsequent upgrades don't require any prep work outside of downloading the new Splunk package, and installing it on a test server for issues. I'm also running solo, so I don't have to coordinate with any sysadmins to get it done, just the end users when I do the SHs. Getting UFs upgraded is much more of an issue, since that involves the enterprise SCCM and *nix teams to be involved, and those upgrades often drag on for months, so they get done probably less than once per year.

GregZillgitt
Path Finder

Thanks Adam

0 Karma

koshyk
Super Champion

I tend to update Splunk Enterprise once in 6 months in a normal scenario. But in case of emergency patch/security vulnerability we might update faster. Also I tend to go minor version 3 or above.. eg, 6.3.4,6.4.3, 6.4.4, 6.5.3, 6.5.4 etc..
as previous versions will contain fixes which may be real issue in large clustered systems. (eg: So though we have Splunk 6.6.0 available, I will still go with Splunk 6.5.4 as it is more stable for large environments)

Splunk UF's are more painful as we need to get approval from every single team one by one. But fortunatley, Splunk UF is backward compatible to a very long time. So unless there is a vulnerability we tend NOT to upgrade. Also some clients are Windows2008 are not supported by SplunkUF6.4.x. So it is more of a question, what you are going to achieve by upgrading Splunk UF as frequently as Enterprise

horsefez
Motivator

Hi,

we also operate a clustered indexer and searchhead environment.
I am in the role as the splunk admin for the infrastructure as well as the application.
Our splunk environment runs on 6.4.1. And I would suggest upgrading once a year, because it means a lot of preparation and work.

GregZillgitt
Path Finder

Thanks for your input.

0 Karma

bmacias84
Champion

For us it when ever there is bug fix, performance improvement, or new feature. Thought we never install a new major version until a dot release.

GregZillgitt
Path Finder

I agree - wait for x.1!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...