Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk ES Upgrade Compatibility

jaracan
Communicator
‎01-07-2020 11:33 PM

Just a quick question on Splunk Upgrade for ES

https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/CompatMatrix

We are currently on Splunk ES v5.0.1 and Splunk Enterprise v7.0.13.1.

Now,we wanted to version upgrade to Splunk ES v5.3.1 and Splunk Enterprise v7.2.9.1.

With this, since we need to consider compatibility, do we need to upgrade to Splunk Enterprise v7.1.x first then upgrade Splunk ES App to v5.3.1, then we will upgrade to Splunk Enterprise v7.2.9.1 after? Is that correct? Or we can directly upgrade both from Splunk Enterprise v7.0.13.1 to v7.2.9.1 and Splunk ES App v5.0.1 to v5.3.1? Let me know which approach is correct.

0 Karma
Reply

lkutch_splunk
Splunk Employee
Splunk Employee
‎01-08-2020 09:31 AM

I believe you can just upgrade directly from 7.0 to 7.2:
https://docs.splunk.com/Documentation/Splunk/7.2.9/Installation/AboutupgradingREADTHISFIRST

And then upgrade ES directly from 5.0 to 5.3:
https://docs.splunk.com/Documentation/ES/5.3.1/Install/Beforeupgrading

0 Karma
Reply

BainM
Communicator
‎01-08-2020 09:27 AM

Hi Jaracan-
We were on 6.63 in Enterprise and ES on 5.01. We upgraded our ClusterMaster first (to 7.2.x), then upgraded our SHC and at the same time upgraded ES to 5.3.1. After we confirmed 5.3.1 was happy, we upgraded our indexer cluster (to 7.2.x). Everything went fine after our Searchhead cluster calmed down. We had no issues with ES or our indexer cluster.

Hope this helps,
Mike

0 Karma
Reply

BainM
Communicator
‎01-08-2020 09:30 AM

Forgot to note: Our ES is NOT clustered and runs as an independent searchhead, querying our indexer cluster.

0 Karma
Reply

jaracan
Communicator
‎01-08-2020 09:33 AM

Hi BainM, does this means you have directly upgrade the Splunk Enterprise from 6.63 to v7.2.x starting with the Cluster Master, then upgraded the Splunk Enterprise version of the ES Search Head from 6.63 to v7.2.x and the ES App version from v5.0.1 to v5.3.1, and then after its good, you had upgraded the Splunk Enterprise version of the Peer Nodes/Clustered Indexers from 6.63 to v7.2.x. Is my understanding, correct?

0 Karma
Reply

BainM
Communicator
‎01-08-2020 09:56 AM

Correct.

We then upgraded the ES app after the main Splunk Ent. was at 7.2.x

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...