Installation

Are there detailed instructions for how to upgrade Splunk from 4.3 to 6.0 on CentOS 6.5?

terryjohn
Path Finder

I'm trying to upgrade a single splunk instance from 4.3 to 6.0. I've read the docs and it says I have to do this before upgrading to the latest version. We have a number of forwarders reporting to this instance.

I've been looking through http://docs.splunk.com/Documentation/Splunk/6.0/Installation/HowtoupgradeSplunk#Upgrade_from_4.3

I've read the "read this first" about whether the apps will work and have documented which I need to be concerned about.

But I can't find anywhere that actually tells me how to do it. I've found detailed instructions on how to do the forwarders and the order that things need to be done, but I can't find any detailed instructions on how to upgrade the Splunk server itself.

There's just a vague reference saying "In many cases, you upgrade Splunk by installing the latest package over your existing installation".

Is there anything that gives more detailed instructions and what I have to look out for during the upgrade? Our system is running CentOS 6.5.

Thanks

0 Karma

emalenfant
Explorer

Yank is correct. Backup $SPLUNK_HOME/etc before everything, but also make sure all changes you've made are actually in the $app/local folder or it will get overwritten with the new configs.

After that, start upgrading your apps. This is the slightly more painful part as you may need to modify searches for updated sourcetypes.

I just pulled the trigger with my upgrade from 4.3 -> 6.1.1 about 4 weeks ago, and had only a few hiccups, but having that backup helped. Even just creating a VM, installing 4.3 on it, and extracting your backup on it is great for a visual of what you had before your upgrade, and you can modify as needed.

0 Karma

terryjohn
Path Finder

Thanks. I'll be practicing on a VM copy before doing the real server, so my backup will effectively be the live server. When I do it for real I'll run a snapshot before as a safety net.

0 Karma

yannK
Splunk Employee

You can upgrade the standalone indexer first, and the forwarders later. (old forwarders are still compatible with new indexers).

But I can't find anywhere that actually tells me how to do it, Our system is running Centos 6.5

It depends on what your initial install method was.
- always back up your $SPLUNK_HOME/etc/ just in case
- the easiest is the tar.gz installer: you stop splunk, untar over the /opt/splunk folder, make sure to have the correct user permissions, then restart splunk
- if you used the .rpm package, you have to upgrade using the rpm procedure (and if you used a non-conventional install folder, do not forget to specify it in the rpm prefix parameters)

see http://docs.splunk.com/Documentation/Splunk/6.1.1/Installation/Upgradeto6.1onUNIX
and the same methods for the first install (more detailed)
http://docs.splunk.com/Documentation/Splunk/6.1.1/Installation/InstallonLinux
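
One way to script the $SPLUNK_HOME/etc backup and then check, after the upgrade, that nothing under an app's local/ folder was overwritten, as an added example that is not part of either reply above. The function names, archive naming and scratch directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and archive naming are
# hypothetical; SPLUNK_HOME defaults to the /opt/splunk path mentioned above.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Archive $SPLUNK_HOME/etc into directory $1 and print the archive path.
backup_etc() {
    dest_dir="$1"
    archive="$dest_dir/splunk-etc-$(date +%Y%m%d-%H%M%S).tar.gz"
    mkdir -p "$dest_dir" || return 1
    # umask 077: etc/ holds credential material, so keep the archive owner-only.
    # -C stores relative paths ("etc/...") so it can be unpacked anywhere.
    ( umask 077 && tar -czf "$archive" -C "$SPLUNK_HOME" etc ) || return 1
    # Do not start the upgrade with an archive that cannot be read back.
    tar -tzf "$archive" >/dev/null || return 1
    printf '%s\n' "$archive"
}

# Unpack archive $1 into scratch dir $2 and print one "diff -rq" line per file
# that differs from the live etc/, with paths shortened to backup/ and live/.
changed_since_backup() {
    archive="$1"; scratch="$2"
    mkdir -p "$scratch" || return 1
    tar -xzf "$archive" -C "$scratch" || return 1
    diff -rq "$scratch/etc" "$SPLUNK_HOME/etc" |
        sed -e "s|$scratch/etc|backup|g" -e "s|$SPLUNK_HOME/etc|live|g"
}

# Succeeds only if no file under any local/ directory was changed, added or
# removed since the backup; differences in default/ are expected after an upgrade.
local_configs_intact() {
    ! changed_since_backup "$1" "$2" | grep -Eq '/local[/:]|: local$'
}
```

Run `backup_etc` while Splunk is stopped and before installing the new package, then `changed_since_backup` afterwards to see which files the upgrade touched.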

terryjohn
Path Finder

That looks like what I need. I'll have to re-read the hot, warm, cold database stuff again but I've got somewhere to go now.

I'll be using yum to upgrade but if there are problems with that I'll use rpm -u as the initial install was via a .rpm file.

Thanks

0 Karma