Splunk Enterprise

Downgrade splunk from 7.0.1 to 6.5.2

rajupats91
New Member

I have upgraded our Splunk Enterprise version to the latest, 7.0.1. For some business reason, I want to downgrade again to 6.5.2.

I found a statement like "Splunk Enterprise does not provide a means of downgrading to previous versions. If you need to revert to an older Splunk release, uninstall the upgraded version and reinstall the version you want."

I will uninstall 7.0.1 and again install 6.5.2. But I have a few questions.

  1. Is this downgrade supported?
  2. Has the data format of the index files changed in this version? If yes, then what could be the issue for newly added/existing data after the upgrade to 7.0.1?
  3. Can I have my universal forwarder on 7.0.1 and Splunk peers/search heads on 6.5.2?
  4. Any other impact, if any?

nickhills
Ultra Champion
  1. The process of (up/down)grading, by uninstalling one version of Splunk and replacing it with another would be supported. http://docs.splunk.com/Documentation/Splunk/6.2.2/Installation/Upgradeto6.2onUNIX
  2. I don't believe (but can find no evidence) the format of the indexes has changed between 6.x and 7.x - but this is not the case between all versions.
  3. Splunk recommends that you use a UF not later than the HF/Indexers to which it is sending events. However, older UFs are supported on later HF/Indexers. With that said, I have a 'right-old' mixture of version 4-7 UFs sending to my 6.5.x deployment, and there are no issues. https://docs.splunk.com/Documentation/Splunk/7.0.1/Forwarding/Compatibilitybetweenforwardersandindex...
  4. Backup - 'nuff said! Datamodels will likely have to rebuild following a change of version, but should require no action on your part.
If my comment helps, please give it a thumbs up!


svinukon
New Member

Do we just back up the etc folder or the entire Splunk install directory?

mayurr98
Super Champion

Hi,

That's no big deal, and the answer is NO, you won't lose your changes:

1. Custom config files in "local" dirs (e.g. system/local...)

2. Installed apps and associated files

3. Indexes...

But if you have modified system files without creating the overriding version in local dirs, yes, these changes will probably be lost.

As an example, if you have a custom limits configuration, don't modify system/defaults/limits.conf but create a new file including your settings in system/local/limits.conf

To upgrade from a previous release when you installed through the tarball archive:

1. Stop Splunk

2. Back up your current install using tar

3. Extract the tar.gz where Splunk is installed; only Splunk files will be overwritten, you won't lose anything (even if backing up is always a good idea)

Let's say you installed by default, Splunk is installed in /opt/splunk

In a terminal, go to the top of the Splunk dir (cd /opt) and extract the files (tar -xvf )

4. Start Splunk and accept changes

Also look for compatibility
http://docs.splunk.com/Documentation/Splunk/7.0.0/Forwarding/Compatibilitybetweenforwardersandindexe...

I hope this helps you!
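
The first two steps in the post above (stop Splunk, then back up the current install with tar before extracting another version over it), as an added shell example that is not part of the original thread. The function name `backup_splunk` and the `/var/backups` destination are assumptions; `/opt/splunk` is the default install path mentioned in the post.

```shell
#!/bin/sh
# Added example (not from the thread): archive a Splunk install and verify
# the archive before any files are overwritten or uninstalled.

backup_splunk() {
    home=${1:-/opt/splunk}      # install directory (default named in the post)
    dest=${2:-/var/backups}     # hypothetical backup location
    [ -d "$home" ] || { echo "no such directory: $home" >&2; return 1; }
    mkdir -p "$dest" || return 1

    # Stop Splunk first so index buckets are not being written mid-archive.
    if [ -x "$home/bin/splunk" ]; then
        "$home/bin/splunk" stop >&2 || return 1
    fi

    archive="$dest/splunk-backup-$(date +%Y%m%d%H%M%S).tar.gz"
    # Archive relative to the parent dir (e.g. /opt) so it restores in place.
    tar -czf "$archive" -C "$(dirname "$home")" "$(basename "$home")" || return 1

    # Read the archive back end to end; a truncated backup is discarded.
    tar -tzf "$archive" >/dev/null || { rm -f "$archive"; return 1; }

    # Store a checksum beside the archive so later corruption is detectable.
    name=$(basename "$archive")
    if command -v sha256sum >/dev/null 2>&1; then
        ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 1
    else
        ( cd "$dest" && shasum -a 256 "$name" > "$name.sha256" ) || return 1
    fi
    echo "$archive"             # path of the verified archive
}
```

To restore, stop Splunk and extract the archive from the parent directory, for example `tar -xzf <archive> -C /opt`.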
