Splunk Enterprise Security

When upgrading Splunk Enterprise Security from 4.7.x to 5.2.2, should we plan incremental upgrades?

plimon
Explorer

Hello,

I just wanted a confirmation if the following upgrade paths are supported.

My organization plans to do the following:
1. Direct Splunk Core Enterprise upgrade from 6.5.7 to 7.1.6
2. Direct Splunk ES upgrade from 4.7.4 to 5.2.2

Should we plan incremental upgrades for ES? Example: 4.7.4 -> 5.0 -> 5.1 -> 5.2


LukeMurphey
Champion

You should plan on doing the incremental upgrades of ES.

Officially, the docs say that "to upgrade from earlier versions, perform intermediary upgrades".

That said, we do try to design ES to be more forgiving than this. It may be possible that skipping incremental upgrades will work just fine. However, I would suggest going with what the docs suggest just to be safe.


baya151
Engager

Hi plimon,

Could you share your experience while upgrading from ES 4.7.4 to 5.2.2? Did you follow the incremental approach or upgrade directly to the latest?

In the documentation that Luke shared, it actually says "Splunk Enterprise Security supports upgrading from version 4.5.x or later to 5.2.2".

jnenadal
New Member

Hi,

I stumbled upon this by accident, and I wanted to share my experience. I have not had any issues at all upgrading from 4.7.4 to 5.2.2. I have done this particular jump several times, and the only thing you have to watch (outside of the changes in the Windows TA) is that the upgrade instructions are followed in their entirety. These are older Splunk machines as well, so it is usually a Splunk upgrade and then ES, which updates the TA after. After the upgrade is completed, I run searches to verify no old settings conflict with the new settings.

In summary, there are a lot of changes that happen, but the ES installer takes care of most of them. ES 5.2.2 has never failed on an install for me, and I have done this particular upgrade several times. Be sure to modify searches to reflect the new changes in the Windows TA after it is installed. Also do not skip ANY steps. I did this, and I have not failed yet.


plimon
Explorer

Thank you. I will plan on incrementally upgrading to be on the safe side.
I wish there was a more definitive answer.


lkutch_splunk
Splunk Employee

I believe it also depends on the version of Splunk Enterprise compatibility. @jmulcaster_splunk just posted a new doc to answer this similar question: https://answers.splunk.com/answers/750462/whats-the-order-of-operations-for-upgrading-splunk.html
