Splunk Enterprise Security

When upgrading Splunk Enterprise Security from 4.7.x to 5.2.2, should we plan incremental upgrades?

Explorer

Hello,

I just wanted a confirmation if the following upgrade paths are supported.

My organization plans to do the following:
1. Direct Splunk Core Enterprise upgrade from 6.5.7 to 7.1.6
2. Direct Splunk ES upgrade from 4.7.4 to 5.2.2

Should we plan incremental upgrades for ES? Example: 4.7.4 -> 5.0 -> 5.1 -> 5.2


Champion

You should plan on doing the incremental upgrades of ES.

Officially, the docs say that "to upgrade from earlier versions, perform intermediary upgrades".

That said, we do try to design ES to be more forgiving than this. It may be possible that skipping incremental upgrades will work just fine. However, I would suggest going with what the docs suggest just to be safe.


Engager

Hi plimon,

Could you share your experience while upgrading from ES 4.7.4 to 5.2.2? Did you follow the incremental approach or upgrade directly to the latest?

In the documentation that Luke shared, it actually says "Splunk Enterprise Security supports upgrading from version 4.5.x or later to 5.2.2".

New Member

Hi,

I stumbled upon this by accident, and I wanted to share my experience. I have not had any issues at all upgrading from 4.7.4 to 5.2.2. I have done this particular jump several times, and the only thing you have to watch (outside of the changes in the Windows TA) is that the upgrade instructions are followed in their entirety. These are older Splunk machines as well, so it is usually a Splunk upgrade and then ES, which updates the TA after. After the upgrade is completed, I run searches to verify no old settings conflict with the new settings.

In summary, there are a lot of changes that happen, but the ES installer takes care of most of them. ES 5.2.2 has never failed on an install for me, and I have done this particular upgrade several times. Be sure to modify searches to reflect the new changes in the Windows TA after it is installed. Also do not skip ANY steps. I did this, and I have not failed yet.


Explorer

Thank you. I will plan on incrementally upgrading to be on the safe side.
I wish there was a more definitive answer.


Splunk Employee

I believe it also depends on the version of Splunk Enterprise compatibility. @jmulcaster_splunk just posted a new doc to answer this similar question: https://answers.splunk.com/answers/750462/whats-the-order-of-operations-for-upgrading-splunk.html
