Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Downgrade splunk from 7.0.1 to 6.5.2

rajupats91
New Member
‎01-12-2018 04:48 AM

I have upgraded our Splunk ent version to latest 7.0.1. For some business reason, I want to downgrade again to 6.5.2.

I found a statement like "Splunk Enterprise does not provide a means of downgrading to previous versions. If you need to revert to an older Splunk release, uninstall the upgraded version and reinstall the version you want."

I will uninstall 7.0.1 and again install 6.5.2. But I have a few questions.

  1. Does this downgrade supported?
  2. Is data format of index file have changed in this version? if yes, then what could be the issue for newly added/existing data after upgrade to 7.0.1?
  3. Can I have my universal forwarder to 7.0.1 and Splunk peer/search heads to 6.5.2?
  4. Any other impact if any
Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-12-2018 05:56 AM
  1. The process of (up/down)grading, by uninstalling one version of Splunk and replacing it with another would be supported. http://docs.splunk.com/Documentation/Splunk/6.2.2/Installation/Upgradeto6.2onUNIX
  2. I don't believe (but can find no evidence) the format of the indexes has changed between 6.x and 7.x - but this is not the case between all versions.
  3. Splunk recommends that you use a UF not later than then HF/Indexers to which it is sending events. However older UFs are supported on later HF/Indexers - With that said, I have a 'right-old' mixture of version 4-7 UFs sending to my 6.5.x deployment, and there are no issues. https://docs.splunk.com/Documentation/Splunk/7.0.1/Forwarding/Compatibilitybetweenforwardersandindex...
  4. Backup, -nuff said!. Datamodels will likely have to rebuild following a change of version, but should require no action on your part.
If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

svinukon
New Member
‎04-03-2020 07:14 AM

Do we just backup etc folder or the enitre Splunk install directory?

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-12-2018 05:56 AM
  1. The process of (up/down)grading, by uninstalling one version of Splunk and replacing it with another would be supported. http://docs.splunk.com/Documentation/Splunk/6.2.2/Installation/Upgradeto6.2onUNIX
  2. I don't believe (but can find no evidence) the format of the indexes has changed between 6.x and 7.x - but this is not the case between all versions.
  3. Splunk recommends that you use a UF not later than then HF/Indexers to which it is sending events. However older UFs are supported on later HF/Indexers - With that said, I have a 'right-old' mixture of version 4-7 UFs sending to my 6.5.x deployment, and there are no issues. https://docs.splunk.com/Documentation/Splunk/7.0.1/Forwarding/Compatibilitybetweenforwardersandindex...
  4. Backup, -nuff said!. Datamodels will likely have to rebuild following a change of version, but should require no action on your part.
If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-12-2018 05:47 AM

Hi,

That's no big deal, and the answer is NO you won't loose your change:

1.custom config files in "local" dir (eg. system/local...)

2.App installed ans associates files

3.indexes...

But if you have modified system files whitout creating the overwritten version in local dirs, yes these changes will probably be lost.

As for an example, if you have custom limits configuration, don't modify system/defaults/limits.conf but create a new files including your setting in system/local/limits.conf

To upgrade from previous release when you installed through the tarball Archive:

1.Stop Splunk

2.Backup your current install using tar

  1. Extract the tar.gz where splunk is installed, only splunk files will be overwritten, you won't loose any thing. (even if backing up is always a good idea)

Let's say you installed by default, splunk is installed in /opt/splunk

In terminal, go at top of splunk dir (cd /opt) and extract files (tar -xvf )

1.Start Splunk and accept changes

Also look for compatibility
http://docs.splunk.com/Documentation/Splunk/7.0.0/Forwarding/Compatibilitybetweenforwardersandindexe...

I hope this helps you!

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top