Splunk Enterprise Security

Upgrade 5.2.2 to 5.3 - is the documentation wrong or is it me ?

Path Finder

Hello,

I'm using Splunk 7.2.6 and ES 5.2.2 (on a SHC) and I want to upgrade ES to 5.3 on this SHC environment.

According to the install documentation, I did the following :
- install ES 5.2.2 on Master Deployment server (ES was never installed before on the deployer, only on SHC members)
- restart, blabla, then "splunk apply shcluster-bundle"

As long as I already had ES 5.2.2 on SHC members, nothing was changed.

According to the UPGRADE documentation now, I did the following :
- install ES 5.3 on Deployer (via the GUI, as explained)
- restart blabla, splunk apply shcluster-bundle.

And 5.3 was NOT deployed on my SHC members, just as I expected.
In fact, as far as I understand Splunk deployment, installing something on the deployer via GUI will install the app (here ES) in etc/apps.
For any app to be deployed by deployer, it has to be present in etc/shcluster/apps.

So here is my point : how is it possible for ES to be deployed anywhere if it's only installed in etc/apps ?
Did I miss anything, or is it something missing in the documentation ?

Link to th docs :
Install : https://docs.splunk.com/Documentation/ES/5.3.0/Install/InstallEnterpriseSecuritySHC
Upgrade :
https://docs.splunk.com/Documentation/ES/5.3.0/Install/UpgradeEnterpriseSecuritySHC

Thanks for the help.
Regards.

0 Karma

Path Finder

Hi gjanders,

Thanks for your answer. Finally I was not the only one having an issue with this.

Unfortunately, I already have the correct stanza in my local server.conf file, configured with the name of my SH Cluster (shcluster_label parameter).

I will continue to investigate....
Kind regards.

0 Karma

SplunkTrust
SplunkTrust

If you have the pass4SymmKey in the shclustering stanza of the system/local/server.conf then I'm unsure.

I have a case open even though my issue is resolved as such...hopefully the installer gets improved in the next version

0 Karma

SplunkTrust
SplunkTrust

What I found in my environment is the critical wording difference between:
"Configuring Splunk Enterprise Security on a Search Head Cluster Deployer" on the configuration page (if it works) and "Single search head deployment" if it does not work.

In my environment the solution was to add the [shclustering] stanza with the relevant config into:
$SPLUNK_HOME/etc/system/local/server.conf

Then the configuration page worked as expected, in my case it was in an app in $SPLUNKHOME/etc/apps/... so I copied and pasted the stanza from that app's server.conf into $SPLUNKHOME/etc/system/local/server.conf, restarted Splunk and suddenly the configuration page worked (note I may have re-uploaded the ES 5.3.0 app via the GUI as well)

Perhaps try that on your deployer? I'm going to log a case on this to ensure it gets fixed...

0 Karma

Path Finder

Hi lkutch for your answer.
This server is historically a deployment server, since several years. We upgraded from different versions of ES through time.

On the shcluster directory, there is previously upgraded ES version (5.2.2).

So the problem still resides unsolved : when I try to upgrade 5.3 on this cluster master/deployer§deployment server, it does not "dynamically detect" my deployer function, i.e. I've got the following message during the "Post Install configuration" :

Configuring Splunk Enterprise Security on a Single Search Head Deployment
Splunk Enterprise Security is being configured on a single search head deployment. Technology add-ons can be installed and configured as a part of the post-install configuration.

And even after validating the following steps, there is still nothing in the etc/shcluster directory related to SplunkEnterpriseSecuritySuite ES directory.

I think the detection process is blocked by something but I don't know what...
I've got another brand new platfom, on which installing 7.2.6 and ES 5.3 directly was butter smooth, it detected that the server was a deployer, and all was correctly deployed on SHC.

Regards.

0 Karma

Splunk Employee
Splunk Employee

The installer should be able to "dynamically detect if you're upgrading in a single search head environment or search head cluster environment." Has your deployer always been a deployer? If so, it "should" install in the right place & then merge the $SPLUNKHOME/shcluster/apps/appname/default and $SPLUNKHOME/shcluster/apps/appname/local folders of the deployer to overwrite the $SPLUNK_HOME/etc/apps/appname/default folder of each SHC member.