Splunk Enterprise Security

Enterprise Security: Upgrading from 4.1.x to 4.7.x version on SHC

koshyk
Super Champion

I was looking into upgrade of ES from 4.1.x version to 4.7.x version. (alongside Splunk).
I can see ES changed dramatically from 4.6.x version due to removal of correlationsearches.conf and needs migration using confcheck_es_correlationmigration.py

The documentation is very thin when it comes to SH cluster as it doesn't address how to do migration on SH members

  1. If you do upgrade on Staging Server, and copy to Deployer, how does the upgrade happen in SH members & captain. How can the migration script be run in the SH members & captain?
  2. Is it possible to completely remove Enterprise Security and install new ES rather than migrating? Any documentation to do this by saving the kvstore?
0 Karma
1 Solution

smoir_splunk
Splunk Employee
Splunk Employee

If you manage your configurations on the deployer, then the migration script will make the changes necessary when you perform the upgrade on the staging server. There isn't any documentation about how to completely uninstall Splunk Enterprise Security, that might be something you would want professional services assistance with.

View solution in original post

smoir_splunk
Splunk Employee
Splunk Employee

If you manage your configurations on the deployer, then the migration script will make the changes necessary when you perform the upgrade on the staging server. There isn't any documentation about how to completely uninstall Splunk Enterprise Security, that might be something you would want professional services assistance with.

koshyk
Super Champion

I agree the script will perform upgrade on staging server. But how about the SH members? How the upgrade will be done on the SH members and captain? Or the deployer will ensure all the ES apps and custom apps with those stanza's will be wiped out of the SH members & captain?

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

the latter happens when you deploy out the upgraded configurations -- you copy the upgrade state from the staging server to the production deployer (per the docs: http://docs.splunk.com/Documentation/ES/5.0.0/Install/Upgradetonewerversion#Upgrade_Enterprise_Secur...) and then you deploy that out.

0 Karma

koshyk
Super Champion

Thank you. So the files in the SH members will be wiped out by the contents of Deployer with the latest conf?
(will accept the answer).

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Correct! SHC is strange, so I totally understand wanting to follow up to make sure this will work the way you expect/hope. http://docs.splunk.com/Documentation/Splunk/7.1.0/DistSearch/PropagateSHCconfigurationchanges contains more details about how precisely the deployer works.

0 Karma

koshyk
Super Champion

thanks again mate. Accepted and voted up

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...