Splunk Enterprise Security

When upgrading Splunk Enterprise Security from 4.7.x to 5.2.2, should we plan incremental upgrades?

plimon
Explorer

Hello,

I just wanted a confirmation if the following upgrade paths are supported.

My organization plans to do the following:
1. Direct Splunk Core Enterprise upgrade from 6.5.7 to 7.1.6
2. Direct Splunk ES upgrade from 4.7.4 to 5.2.2

Should we plan incremental upgrades for ES? Example: 4.7.4 -> 5.0 -> 5.1 -> 5.2

0 Karma
1 Solution

LukeMurphey
Champion

You should plan on doing the incremental upgrades of ES.

Officially, the docs say that "to upgrade from earlier versions, perform intermediary upgrades".

That said, we do try to design ES to be more forgiving than this. It may be possible that skipping incremental upgrades will work just fine. However, I would suggest going with what the docs suggest just to be safe.

0 Karma

baya151
Explorer

Hi plimon,

Could you share your experience while upgrading from ES 4.7.4 to 5.2.2? Did you follow the incremental approach or upgrade directly to the latest?

In the documentation that Luke shared, it actually says "Splunk Enterprise Security supports upgrading from version 4.5.x or later to 5.2.2".

jnenadal
Engager

Hi,

I stumbled upon this by accident, and I wanted to share my experience. I have not had any issues at all upgrading from 4.7.4 to 5.2.2. I have done this particular jump several times, and the only thing you have to watch (outside of the changes in the Windows TA) is that the upgrade instructions are followed in their entirety. These are older Splunk machines as well, so it is usually a Splunk upgrade and then ES, which updates the TA after. After the upgrade is completed, I run searches to verify no old settings conflict with the new settings.

In summary, there are a lot of changes that happen, but the ES installer takes care of most of them. ES 5.2.2 has never failed on an install for me, and I have done this particular upgrade several times. Be sure to modify searches to reflect the new changes in the Windows TA after it is installed. Also do not skip ANY steps. I did this, and I have not failed yet.

0 Karma

plimon
Explorer

Thank you. I will plan on incrementally upgrading to be on the safe side.
I wish there was a more definitive answer.

0 Karma

lkutch_splunk
Splunk Employee

I believe it also depends on the version of Splunk Enterprise compatibility. @jmulcaster_splunk just posted a new doc to answer this similar question: https://answers.splunk.com/answers/750462/whats-the-order-of-operations-for-upgrading-splunk.html

0 Karma