Hello,
I just wanted a confirmation if the following upgrade paths are supported.
My organization plans to do the following:
1. Direct Splunk Core Enterprise upgrade from 6.5.7 to 7.1.6
2. Direct Splunk ES upgrade from 4.7.4 to 5.2.2
Should we plan incremental upgrades for ES? Example: 4.7.4 -> 5.0 -> 5.1 -> 5.2
You should plan on doing the incremental upgrades of ES.
Officially, the docs say that "to upgrade from earlier versions, perform intermediary upgrades".
That said, we do try to design ES to be more forgiving than this. It may be possible that skipping incremental upgrades will work just fine. However, I would suggest going with what the docs suggest just to be safe.
Hi plimon,
Could you share your experience while upgrading from ES 4.7.4 to 5.2.2? Did you follow the incremental approach or upgrade directly to the latest?
In the documentation that Luke shared, it actually says "Splunk Enterprise Security supports upgrading from version 4.5.x or later to 5.2.2".
Hi,
I stumbled upon this by accident, and I wanted to share my experience. I have not had any issues at all upgrading from 4.7.4 to 5.2.2. I have done this particular jump several times, and the only thing you have to watch (outside of the changes in the Windows TA) is that the upgrade instructions are followed in their entirety. These are older Splunk machines as well, so it is usually a Splunk upgrade and then ES, which updates the TA after. After the upgrade is completed, I run searches to verify no old settings conflict with the new settings.
In summary, there are a lot of changes that happen, but the ES installer takes care of most of them. ES 5.2.2 has never failed on an install for me, and I have done this particular upgrade several times. Be sure to modify searches to reflect the new changes in the Windows TA after it is installed. Also do not skip ANY steps. I did this, and I have not failed yet.
Thank you. I will plan on incrementally upgrading to be on the safe side.
I wish there was a more definitive answer.
I believe it also depends on the version of Splunk Enterprise compatibility. @jmulcaster_splunk just posted a new doc to answer this similar question: https://answers.splunk.com/answers/750462/whats-the-order-of-operations-for-upgrading-splunk.html