POLL: How often do you update your Splunk Enterprise software in production?

Path Finder

We are having an internal debate concerning the frequency with which we should update our Splunk Enterprise software in our prod environment. I'm of a mind to do it roughly quarterly, which corresponds to Splunk's normal release cadence. Our admins prefer once per year. We're currently on 6.4.1.

I'm especially interested in what other large shops - with clustered indexers and search heads - are doing. I'll "vote up" every answer!

Path Finder

If you use orchestration software (such as Ansible) it makes upgrading much less of a headache. I'll do 90 systems about 2-3 times per year, and it takes around 2 hours to complete, with a few hours of prep work the first time around. Subsequent upgrades don't require any prep work outside of downloading the new Splunk package and installing it on a test server to check for issues. I'm also running solo, so I don't have to coordinate with any sysadmins to get it done, just the end users when I do the SHs. Getting UFs upgraded is much more of an issue, since that requires the enterprise SCCM and *nix teams to be involved, and those upgrades often drag on for months, so they get done probably less than once per year.

Path Finder

Thanks Adam

0 Karma

Super Champion

I tend to update Splunk Enterprise once in 6 months in a normal scenario. But in case of an emergency patch/security vulnerability we might update faster. Also, I tend to go with minor version 3 or above, e.g. 6.3.4, 6.4.3, 6.4.4, 6.5.3, 6.5.4 etc., as previous versions will contain fixes which may be a real issue in large clustered systems. (E.g., though we have Splunk 6.6.0 available, I will still go with Splunk 6.5.4 as it is more stable for large environments.)

Splunk UFs are more painful as we need to get approval from every single team one by one. But fortunately, Splunk UF is backward compatible for a very long time. So unless there is a vulnerability we tend NOT to upgrade. Also, some clients that are Windows 2008 are not supported by Splunk UF 6.4.x. So it is more a question of what you are going to achieve by upgrading Splunk UF as frequently as Enterprise.

SplunkTrust

Hi,

We also operate a clustered indexer and search head environment.
I am in the role of Splunk admin for the infrastructure as well as the application.
Our Splunk environment runs on 6.4.1, and I would suggest upgrading once a year, because it means a lot of preparation and work.

Path Finder

Thanks for your input.

0 Karma

Champion

For us it is whenever there is a bug fix, performance improvement, or new feature. Though we never install a new major version until a dot release.

Path Finder

I agree - wait for x.1!

0 Karma