Splunk Enterprise Upgrade 7.x to 8.x

pankajupadhyay
Path Finder

Hi,

We have 2 HFs and 2 Indexers in our environment, which are standalone instances running version 7.x.

I want to upgrade from 7.x to 8.x, but the Splunk documentation mentions Python 3.7 and all.

Can someone please help me with the upgrade procedure and prerequisites?

Do I need to install Python 3.7 on the Linux platform?

0 Karma

vikramyadav
Contributor

1. Test your apps and make sure they are compatible with 8.0 (you need to go to Splunkbase and check if they are compatible)
2. Upgrade the Deployment Server if you have one (disable it first, then upgrade, do not restart it yet)
3. Upgrade Search Heads
4. Upgrade Indexers (once completed you can now restart your deployment server)
5. Upgrade Forwarders

While upgrading the indexer cluster, follow the steps mentioned in:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/Upgradeacluster

While upgrading the search cluster, follow the steps mentioned in:
https://docs.splunk.com/Documentation/Splunk/8.0.1/DistSearch/UpgradeaSHC

--------------------------------------------------------

If this helps, your like will be appreciated 😀


pankajupadhyay
Path Finder

@vikramyadav @isoutamo @gcusello 

Hi, I have tried to upgrade my test, which I created just to test.

Step 1: Upgraded the app which supports 8.0

Step 2: Configuration backup of Indexer and Heavy Forwarder: /etc/system/local/ and /etc/apps/

Step 3: In our environment, the HF and Indexer are standalone.

I upgraded the Indexer, and when I checked, the data which I had ingested on the Indexer was not present.

Hot bucket rolled to warm bucket.

What did I miss?

If I perform the same steps in production, it would be an issue, as I will lose all the data which exists on the Indexer.

Please help me with that.

Note: Our Indexer is not in a cluster. It is a standalone system.

0 Karma

isoutamo
SplunkTrust

Usually you should back up the whole etc directory.

If/when you have followed @gcusello's pointed instructions, there shouldn't be any issues. Can you give a journal of what you have done and where, so we could try to help you?

0 Karma

isoutamo
SplunkTrust

Unfortunately I have found that all those apps which are said to be compatible with 8 aren't that. So you must download https://splunkbase.splunk.com/app/4698/ and check those (especially the Python parts) by yourself and fix what is needed before the update.

r. Ismo

0 Karma

pankajupadhyay
Path Finder

@gcusello Thanks for the brief information.

On the indexer, we have different buckets, so how do we actually take a backup?

System backup: Can we initiate an automatic backup or schedule a backup?

What are the precautionary steps for hot buckets?

In short, what kind of backup do I have to take before proceeding with the upgrade?

Thanks in advance.

isoutamo
SplunkTrust

Hi,

You should remember that you cannot back up hot buckets!

Probably the easiest way (if possible) is to shut down Splunk and then take a volume/filesystem-level backup, if/when you want to back up your data also. If it is enough to back up only configurations, then @gcusello's tar is the easiest way.

r. Ismo

gcusello
SplunkTrust

Hi @pankajupadhyay,

Data doesn't have any problem on update, so the normal backup policy you have is sufficient.

It's a best practice to perform a backup (e.g. using tar) of the Splunk folder, so you can immediately restore your instance if there are problems.

The most important steps are:

Ciao.

Giuseppe
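
The backup advice in the two replies above (a tar of the Splunk folder, and shutting Splunk down before a data-level backup because hot buckets cannot be backed up), as an added shell example that is not from any poster or from Splunk. It assumes splunkd records its PID in `$SPLUNK_HOME/var/run/splunk/splunkd.pid`; the function names and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: splunkd writes its PID to
# $SPLUNK_HOME/var/run/splunk/splunkd.pid; function names are hypothetical.
# Usage (paths are placeholders): backup_splunk /opt/splunk /backup/splunk full

# splunkd_running SPLUNK_HOME -> status 0 if the recorded PID is a live process.
splunkd_running() {
    pidfile="$1/var/run/splunk/splunkd.pid"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile")
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac   # ignore a garbled pid file
    # kill -0 fails with EPERM for another user's process, so also check /proc.
    kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]
}

# backup_splunk SPLUNK_HOME DEST_DIR [config|full] -> prints the archive path.
#   config: etc/ only, allowed while splunkd runs.
#   full:   whole Splunk folder; refused while splunkd runs, because hot
#           buckets are still being written. DEST_DIR must be outside SPLUNK_HOME.
backup_splunk() {
    home="$1"; dest="$2"; mode="${3:-config}"
    [ -d "$home/etc" ] || { echo "no etc/ under $home" >&2; return 2; }
    case "$mode" in
        config) member="etc" ;;
        full)
            member="."
            if splunkd_running "$home"; then
                echo "splunkd is running: stop it before a full backup" >&2
                return 3
            fi ;;
        *) echo "mode must be config or full" >&2; return 64 ;;
    esac
    mkdir -p "$dest" || return 4
    archive="$dest/splunk-$mode-$(date +%Y%m%d-%H%M%S).tar.gz"
    # etc/ holds auth/splunk.secret and password hashes: keep the archive private.
    ( umask 077; tar -czf "$archive" -C "$home" "$member" ) || return 5
    # Restore check: the archive must list the local configuration directory.
    tar -tzf "$archive" | grep -q 'etc/system/local/' || return 6
    echo "$archive"
}
```

A stale pid file left by a crash does not block the full backup, because the recorded PID is checked for liveness rather than the file's mere presence.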

jotne
Builder

Unsupported does not mean that it does not work.

We have one UF 6.1.4 that sends logs to 8.1.2 Server without any problem. 

0 Karma

gcusello
SplunkTrust

Hi @pankajupadhyay,

Here you can find all the information about upgrading to Splunk 8.x:

https://docs.splunk.com/Documentation/Splunk/8.0.5/Installation/AboutupgradingREADTHISFIRST

Anyway, in a few words:

Ciao.

Giuseppe

pankajupadhyay
Path Finder

@gcusello 

I have upgraded the Splunk instance and thank you for your input.

Can you please help me with one more thing ?

Even though I have uploaded the latest Splunk add-on or app for Splunk Enterprise 8.1, it was showing me a python3 warning in the Splunk readiness app.

0 Karma

gcusello
SplunkTrust

Hi @pankajupadhyay,

Good for you.

About your question, did you force Python3?

If not, follow the steps at https://docs.splunk.com/Documentation/Splunk/8.1.2/Installation/Python3LowEffort

In a few words: in $SPLUNK_HOME/etc/system/local/server.conf set python.version=python3.

Ciao.

Giuseppe

0 Karma

pankajupadhyay
Path Finder

@gcusello  @isoutamo @vikramyadav 

I am about to upgrade the production Splunk servers.

Step 1: Checked the Splunk add-on and app compatibility and downloaded the latest ones from Splunkbase.

Step 2: Configuration backup and file-level system backup of index data.

Step 3: Download the latest Splunk Enterprise 8.0.

Step 4: Stop the services of the Indexer first, install the latest package and restart the services.

Step 5: Will upgrade the apps and add-ons.

Step 6: Verify whether everything is working fine or not.

Step 7: Same procedure for the HF then.

Correct me if I am missing anything here.

0 Karma

isoutamo
SplunkTrust

That seems to be OK. Here is the official order to upgrade in a distributed environment.

https://community.splunk.com/t5/Installation/What-s-the-order-of-operations-for-upgrading-Splunk-Ent...

On step 1 there may be a situation where you must update those apps by yourself even if they were said to be compatible with 8 (at least I have updated a couple of them).

r. Ismo
0 Karma

gcusello
SplunkTrust

Hi @pankajupadhyay,

Yes, it's correct.

Remember to force the use of Python3: https://docs.splunk.com/Documentation/Splunk/8.0.5/Python3Migration/ChangesEnterprise#:~:text=versio... after the installation of Splunk 8.x.

Ciao.

Giuseppe

0 Karma

pankajupadhyay
Path Finder

@gcusello @isoutamo @vikramyadav 

After the upgrade on the Indexer:

Is there a possibility that we can lose the warm bucket, as I will roll back hot to warm bucket by using a command?

Hot, warm and cold buckets are in the default location.

Frozen is on NFS.

Or do I need to restore the default db for the hot, warm and cold buckets?

Regards

Pankaj

0 Karma

gcusello
SplunkTrust

Hi @pankajupadhyay,

No, you don't need any intervention on buckets.

Ciao.

Giuseppe

0 Karma

pankajupadhyay
Path Finder

@gcusello Thank you so much for the information.

I will go through with the information.  

0 Karma

gcusello
SplunkTrust

Hi @pankajupadhyay,

Tell me if you need more help.

When you finish, please accept the answer for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
