Are there detailed instructions for how to upgrade Splunk from 4.3 to 6.0 on CentOS 6.5?

Path Finder

I'm trying to upgrade a single splunk instance from 4.3 to 6.0. I've read the docs and it says I have to do this before upgrading to the latest version. We have a number of forwarders reporting to this instance.

I've been looking through

I've read the "read this first" about whether the apps will work and have documented which I need to be concerned about.

But I can't find anywhere that actually tells me how to do it. I've found detailed instructions how to do the forwarders and the order that things need to done but I can't find any detailed instructions of how to upgrade the splunk server itself.

There's just a vague reference saying "In many cases, you upgrade Splunk by installing the latest package over your existing installation".

Is there anything that give more detailed instructions and what I have to look out for during the upgrade? Our system is running Centos 6.5


Labels (1)
Tags (4)
0 Karma


Yank is correct. Backup $SPLUNK_HOME/etc before everything, but also make sure all changes you've made are actually in the $app/local folder or it will get overwritten with the new configs.

After that, start upgrading your apps. This is the slightly more painful part as you may need to modify searches for updated sourcetypes.

I just pulled the trigger with my upgrade from 4.3 -> 6.1.1 about 4 weeks ago, and had only a few hiccups, but having that backup helpped.. even just just creating a VM, install 4.3 on it, extract your backup on it, is great for a visual of what you had before your upgrade, and modify as needed.

0 Karma

Path Finder

Thanks. I'll be practicing on a VM copy before doing the real server so my backup will effectively be the live server. When I do it for real I'll run a snapshot before as a safety net

0 Karma

Splunk Employee
Splunk Employee

You can upgrade the standalone indexer first, and the forwarders later. (old forwarders are still compatible with new indexers).

But I can't find anywhere that actually tells me how to do it, Our system is running Centos 6.5

It depends what was your initial install method.
- always backup your $SPLUNK_HOME/etc/ just in case
- the easiest it the tar.gz installer, you stop splunk, untar over the /opt/splunk folder, make sure to have the correct user permissions, then restart splunk
- if you used the .rpm package, you have to upgrade using the rpm procedure (and if you used a non conventional install folder, do not forget to specify it in the rpm the prefix parameters)

and the same methods for the first install (more detailed)

Path Finder

That looks like what I need. I'll have to re-read the hot, warm, cold database stuff again but I've got somewhere to go now.

I'll be using yum to upgrade but if there are problems with that I'll use rpm -u as the initial install was via a .rpm file.


0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...