Splunk Enterprise

Splunk Upgrade

maheshnc
Path Finder

I am new as a Splunk administrator here in the company. We are using Splunk Enterprise and the current version is 9.2.4, and as per the Splunk documentation this version is supported until Jan 31 2026. Can somebody guide me on the version upgrade, and also which version should we upgrade to? Also, I am not sure about the risk in upgrading the version, so please provide your suggestions.

0 Karma

isoutamo
SplunkTrust
In addition to the other instructions, here is Splunk's best practice documentation for upgrades: https://lantern.splunk.com/Manage_Performance_and_Health/Upgrading_the_Splunk_platform
0 Karma

thahir
Contributor
0 Karma

richgalloway
SplunkTrust

For instructions on how to upgrade Splunk Enterprise, read the fine manual at https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/9.4/upgrade-or-migrate-...

The choice of which version to install is yours.  I recommend a later version of 9.4.x.  This will help you prepare for Splunk 10 without the risk of the same.

IMO, the risk of upgrading usually is less than that of not upgrading and being on an unsupported version.  Splunk 10 is an exception since it contains many breaking changes for which careful planning is recommended.

---
If this reply helps you, Karma would be appreciated.
0 Karma

maheshnc
Path Finder

Could you let me know about the version compatibility for the various instances? I mean, can we run indexers, search heads and heavy forwarders with different versions, or should they have the same version?

0 Karma

PickleRick
SplunkTrust

Ideally, in a supported environment, all "main" components should be in the same version. You can get away with HFs running older versions (which is sometimes required if you have legacy systems for which you are using some legacy apps).

The order of upgrade can be deduced from the Installation Manual (and is charted in the post referenced somewhere else in this thread) but it can get tricky if your components have multiple roles.

Don't get me wrong, but if you don't know anything about upgrading Splunk and don't even know how to make a backup copy, maybe it's time to engage your local friendly Splunk Partner for this one and in the meantime set up a lab environment and train there before going all-in in prod.

thahir
Contributor

@maheshnc

Yes, ideally all your Splunk components (indexers, search heads, deployers, cluster managers, and heavy forwarders) should run the same version, and this is recommended by Splunk.

For forwarders (both Universal and Heavy), Splunk officially supports a compatibility window where forwarders can be up to two major versions older than your indexers. You can find Splunk's detailed compatibility guidelines at the official documentation link you referenced, which covers all combinations and exceptional scenarios.

High-level upgrade plan

-> Pre-check
   Apps/TA compatibility with the new version which you are going to upgrade to
   Back up the Splunk etc folder, certs and KV store
-> Follow the upgrade sequence order
-> Post-upgrade: verify the cluster health and review the splunkd logs; if you have the DMC in your infra, go through the console and do the health check

maheshnc
Path Finder

Could you please walk me through the backups that need to be taken / are mandatory?

0 Karma

thahir
Contributor

@maheshnc, back up the entire $SPLUNK_HOME/etc/ directory. Basically it will cover all of your config-related files.

0 Karma
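
An added example (not from any poster in this thread and not Splunk's own tooling) of the `$SPLUNK_HOME/etc` backup described in the answer above, with the archive locked down and checked before the upgrade starts. The function name, archive naming and destination directory are assumptions; it covers only `etc/`, so certificates stored elsewhere and the KV store, which the pre-check list names separately, still need their own backups.

```shell
#!/bin/sh
# Added example: pre-upgrade backup of $SPLUNK_HOME/etc with verification.
# Names and paths are illustrative assumptions, not Splunk conventions.

# Portable SHA-256 wrapper (sha256sum on Linux, shasum elsewhere).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# backup_splunk_etc <splunk_home> <dest_dir>
# Prints the archive path on success; returns non-zero on any failure.
backup_splunk_etc() {
    splunk_home=$1
    dest_dir=$2
    [ -d "$splunk_home/etc" ] || { echo "no etc/ under $splunk_home" >&2; return 1; }

    stamp=$(date +%Y%m%d-%H%M%S)
    name="splunk-etc-$stamp.tar.gz"
    archive="$dest_dir/$name"

    (
        # etc/ contains certificates and auth/splunk.secret, so the backup
        # must not be readable by group or others.
        umask 077
        mkdir -p "$dest_dir" || exit 1
        tar -czf "$archive" -C "$splunk_home" etc || exit 1
        # Sidecar checksum: run "sha256 -c" on it before any restore.
        cd "$dest_dir" && sha256 "$name" > "$name.sha256" || exit 1
    ) || return 1

    # Verify the archive is readable and complete: every file, directory
    # and symlink under etc/ must appear as an archive entry.
    src_count=$(cd "$splunk_home" && find etc | wc -l)
    arc_count=$(tar -tzf "$archive" | wc -l)
    [ "$src_count" -eq "$arc_count" ] || { echo "entry count mismatch" >&2; return 1; }

    echo "$archive"
}

# Usage (paths are placeholders):
#   backup_splunk_etc /opt/splunk /var/backups/splunk
```

Run it as the user that owns the Splunk installation and store the archive off the host, since it holds the instance's secret and certificates.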

maheshnc
Path Finder

What should be the sequence for upgrading? Could you suggest the precautions to be taken which may overcome the risk, as I am doing this upgrade for the first time?

0 Karma