Considerations to upgrade from Enterprise 9.1.1 to 9.4.2, while it's also a deployment server.
"Thanks a lot for the detailed info — I really appreciate it! I'm fully on board and diving into it. Great to have your attention on this. By the way, the DS server is running on Linux."
Regarding the DS specifically, have a good read of https://docs.splunk.com/Documentation/Splunk/latest/Updating/Upgradepre-9.2deploymentservers but essentially you need to make sure that your indexers have the relevant DS indexes created as the phone-home and other deployment data is now held here:
== indexes ==
[_dsphonehome]
[_dsclient]
[_dsappevent]
and also configure the outputs.conf to ensure that the data is saved locally on the DS too (so it can display the client info!)
== outputs.conf ==
[indexAndForward]
index = true
selectiveIndexing = true
🌟 Did this answer help you? If so, please consider:
Your feedback encourages the volunteers in this community to continue contributing
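A way to check the two settings described in the answer above before and after the upgrade. This is an added example, not part of the original post or Splunk's own tooling; the helper names and the sample config text are constructed for illustration, and the expected values are taken literally from the post.

```python
# Added example: verifies the DS index stanzas and outputs.conf settings
# named in the post. Sample inputs below are constructed, not real configs.
REQUIRED_INDEXES = ("_dsphonehome", "_dsclient", "_dsappevent")
REQUIRED_OUTPUTS = {"index": "true", "selectiveIndexing": "true"}

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"  # keys before any stanza go to "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def missing_ds_indexes(indexes_conf):
    """Return the DS index stanzas that are absent from indexes.conf text."""
    found = parse_conf(indexes_conf)
    return [name for name in REQUIRED_INDEXES if name not in found]

def bad_ds_outputs(outputs_conf):
    """Return {key: actual_value} for [indexAndForward] keys that are unset or not 'true'."""
    stanza = parse_conf(outputs_conf).get("indexAndForward", {})
    return {key: stanza.get(key) for key, want in REQUIRED_OUTPUTS.items()
            if (stanza.get(key) or "").lower() != want}

# Constructed sample: indexer config missing one of the three DS indexes.
SAMPLE_INDEXES = """
# constructed sample
[_dsphonehome]
[_dsclient]
"""

# Constructed sample: DS outputs.conf with selectiveIndexing left out.
SAMPLE_OUTPUTS = """
[indexAndForward]
index = true
"""

if __name__ == "__main__":
    print("missing indexes:", missing_ds_indexes(SAMPLE_INDEXES))
    print("outputs.conf problems:", bad_ds_outputs(SAMPLE_OUTPUTS))
```

On a real host, the merged output of `splunk btool indexes list` and `splunk btool outputs list` can be passed in as the text to check.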
Hi @heres1
Confirmed by the docs, there is no need to upgrade to an intermediate version - you can upgrade directly from 9.1.x to 9.4.x.
There are quite a few differences between 9.1.1 and 9.4.2, so rather than me listing them all here, I'd recommend having a read through https://docs.splunk.com/Documentation/Splunk/9.4.2/Installation/AboutupgradingREADTHISFIRST as there may be other changes/feature deprecations that you rely on.
Most notable are probably the KVStore upgrades and SSL changes, but there are also some big Deployment Server changes, therefore it's also worth reading https://docs.splunk.com/Documentation/Splunk/latest/Updating/Upgradepre-9.2deploymentservers which details some of the changes and possible configuration changes you may have to make around your log forwarding on your DS in order to retain the visibility of the Forwarder Management / Agent Manager section.
Are you running Linux or Windows? I'm not sure of specific changes for either, but happy to review this.
Thanks for your previous guidance.
I've retried the process and made a full backup of both /opt/splunk/etc and /opt/splunk/var just in case. I then proceeded with a clean reinstallation of Splunk Enterprise version 9.4.3.
Everything seems to be working fine except for the KV Store, which is failing to start.
Upon investigation, I found that the version used previously (4.0.x) is no longer compatible with Splunk 9.4.3, which likely makes my backup of the KV Store unusable under the new version.
Additionally, even after the KV Store upgrade attempt, my Universal Forwarders still do not appear in the Forwarder Management view, even though they are actively sending data and I can see established TCP connections on port 9997.