Splunk Enterprise Security

When upgrading Splunk Enterprise Security from 4.7.x to 5.2.2, should we plan incremental upgrades?

plimon
Explorer

Hello,

I just wanted a confirmation if the following upgrade paths are supported.

My organization plans to do the following:
1. Direct Splunk Core Enterprise upgrade from 6.5.7 to 7.1.6
2. Direct Splunk ES upgrade from 4.7.4 to 5.2.2

Should we plan incremental upgrades for ES? Example: 4.7.4 -> 5.0 -> 5.1 -> 5.2

0 Karma
1 Solution

LukeMurphey
Champion

You should plan on doing the incremental upgrades of ES.

Officially, the docs say that "to upgrade from earlier versions, perform intermediary upgrades".

That said, we do try to design ES to be more forgiving than this. It may be possible that skipping incremental upgrades will work just fine. However, I would suggest going with what the docs suggest just to be safe.


0 Karma

baya151
Explorer

Hi plimon,

Could you share your experience while upgrading from ES 4.7.4 to 5.2.2? Did you follow the incremental approach or upgrade directly to the latest?

In the documentation that Luke shared, it actually says "Splunk Enterprise Security supports upgrading from version 4.5.x or later to 5.2.2".

jnenadal
Engager

Hi,

I stumbled upon this by accident, and I wanted to share my experience. I have not had any issues at all upgrading from 4.7.4 to 5.2.2. I have done this particular jump several times, and the only thing you have to watch (outside of the changes in the Windows TA) is that the upgrade instructions are followed in their entirety. These are older Splunk machines as well, so it is usually a Splunk upgrade and then ES, which updates the TA after. After the upgrade is completed, I run searches to verify no old settings conflict with the new settings.

In summary, there are a lot of changes that happen, but the ES installer takes care of most of them. ES 5.2.2 has never failed on an install for me, and I have done this particular upgrade several times. Be sure to modify searches to reflect the new changes in the Windows TA after it is installed. Also do not skip ANY steps. I did this, and I have not failed yet.

0 Karma

plimon
Explorer

Thank you. I will plan on incrementally upgrading to be on the safe side.
I wish there was a more definitive answer.

0 Karma

lkutch_splunk
Splunk Employee

I believe it also depends on the version of Splunk Enterprise compatibility. @jmulcaster_splunk just posted a new doc to answer this similar question: https://answers.splunk.com/answers/750462/whats-the-order-of-operations-for-upgrading-splunk.html

0 Karma