Splunk Enterprise Security

Enterprise Security: Upgrading from 4.1.x to 4.7.x version on SHC

koshyk
Super Champion

I was looking into upgrading ES from version 4.1.x to 4.7.x (alongside Splunk).
I can see ES changed dramatically from version 4.6.x due to the removal of correlationsearches.conf, and it needs migration using confcheck_es_correlationmigration.py.

The documentation is very thin when it comes to SH clusters, as it doesn't address how to do the migration on SH members.

  1. If you do the upgrade on a staging server and copy it to the deployer, how does the upgrade happen on the SH members and captain? How can the migration script be run on the SH members and captain?
  2. Is it possible to completely remove Enterprise Security and install a new ES rather than migrating? Is there any documentation on how to do this while saving the kvstore?
0 Karma
1 Solution

smoir_splunk
Splunk Employee

If you manage your configurations on the deployer, then the migration script will make the changes necessary when you perform the upgrade on the staging server. There isn't any documentation about how to completely uninstall Splunk Enterprise Security; that might be something you would want professional services assistance with.

koshyk
Super Champion

I agree the script will perform the upgrade on the staging server. But what about the SH members? How will the upgrade be done on the SH members and captain? Or will the deployer ensure all the ES apps and custom apps with those stanzas are wiped from the SH members and captain?

0 Karma

smoir_splunk
Splunk Employee

The latter happens when you deploy out the upgraded configurations: you copy the upgrade state from the staging server to the production deployer (per the docs: http://docs.splunk.com/Documentation/ES/5.0.0/Install/Upgradetonewerversion#Upgrade_Enterprise_Secur...) and then you deploy that out.

0 Karma
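A pre-deploy check for the step described above, added here as an example and not taken from the thread or from Splunk: before the deployer pushes the staging-server upgrade to the SHC members with `splunk apply shcluster-bundle`, walk the bundle's apps directory and report any app that still carries a correlationsearches.conf, the file ES 4.6+ removed and confcheck_es_correlationmigration.py migrates. A non-empty report means the migration did not cover that app and the bundle should not be pushed yet. The apps path is an assumption (on a real deployer it would be $SPLUNK_HOME/etc/shcluster/apps); the demo tree and its stanza names are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk). Assumes the apps tree
# passed in is the deployer's $SPLUNK_HOME/etc/shcluster/apps; the demo below
# uses a constructed temporary tree instead.

# Count leftover correlationsearches.conf files under the given apps tree.
count_legacy_correlation_confs() {
    find "$1" -type f -name correlationsearches.conf | wc -l | tr -d ' '
}

# Print every stanza of every leftover file as "<file>: <stanza name>".
# Exit status is 0 when the tree is clean and 1 when anything was found,
# so the function can gate the deploy step in a script.
find_legacy_correlation_confs() {
    apps_dir="$1"
    find "$apps_dir" -type f -name correlationsearches.conf -print |
    while IFS= read -r conf; do
        # Stanza headers look like [Name of correlation search - Rule]
        sed -n "s|^\[\(.*\)\]\$|$conf: \1|p" "$conf"
    done
    [ "$(count_legacy_correlation_confs "$apps_dir")" -eq 0 ]
}

# Demo on a constructed app tree: one app still has the legacy file,
# the other only has a savedsearches.conf (sample data, not real ES content).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/SA-CustomContent/local" "$demo_dir/DA-ESS-Example/default"
printf '[Example - Unmigrated Search - Rule]\nsearch = index=main\n' \
    > "$demo_dir/SA-CustomContent/local/correlationsearches.conf"
printf '[Example - Migrated Search - Rule]\nsearch = index=main\n' \
    > "$demo_dir/DA-ESS-Example/default/savedsearches.conf"

if find_legacy_correlation_confs "$demo_dir"; then
    echo "bundle is clean; safe to run: splunk apply shcluster-bundle"
else
    echo "leftover correlationsearches.conf stanzas found; re-run the migration before deploying"
fi
rm -rf "$demo_dir"
```

Run it on the deployer as the splunk user with the real apps path in place of the demo directory; because the function's exit status reflects the result, it can sit directly in front of the `splunk apply shcluster-bundle` call in a deploy script so a dirty bundle never reaches the members.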

koshyk
Super Champion

Thank you. So the files on the SH members will be wiped out by the contents of the deployer with the latest conf?
(I will accept the answer.)

0 Karma

smoir_splunk
Splunk Employee

Correct! SHC is strange, so I totally understand wanting to follow up to make sure this will work the way you expect/hope. http://docs.splunk.com/Documentation/Splunk/7.1.0/DistSearch/PropagateSHCconfigurationchanges contains more details about how precisely the deployer works.

0 Karma

koshyk
Super Champion

Thanks again mate. Accepted and voted up.

0 Karma