Splunk Enterprise

Upgrade 7.2.3 to 9.3.0

BB2
Explorer

I have a question. We have a standalone Splunk instance in AWS running version 7.2.3 and are looking to upgrade it to 9.3.0. I see that to get to that version I will have to do about 4 upgrades. Also, since our current version is running on RedHat version 6.4, I would have to upgrade that to be able to run the current version.

What I am curious about is, AWS has a Splunk 9.3.0 AMI with BYOL. Would it be possible to migrate the data over to the new instance along with the configuration settings? This is used as a customer lab so we only have about a dozen universal forwarders pointing to this server. There are no alerts running on it and only 3 dashboards.

The Splunk home is stored on a separate volume from the OS, so I could detach it from the old instance and attach it to the new one, or snapshot it and use the snapshot on the new one.

Any suggestions for this?

Thanks.

0 Karma

BB2
Explorer

Thanks everyone

I will go through the upgrade route then.  It will be safer that way.

0 Karma

richgalloway
SplunkTrust

One problem with transferring $SPLUNK_HOME from one Splunk instance to a newer one is you will be taking the old Splunk built-in apps with you, which would not be a Good Thing.

Another potential problem is you will miss out on the migration actions taken during upgrades.  If you've upgraded Splunk before, have a look at $SPLUNK_HOME/var/log/splunk/migration.log.* to see what is done behind the scenes during an upgrade.  Without that work, you may be carrying useless (or even harmful) cruft to the new version and may miss out on important changes.

---
If this reply helps you, Karma would be appreciated.
0 Karma

PickleRick
SplunkTrust

Yup. As @richgalloway said, if by configuration you mean copying over all the stuff in $SPLUNK_HOME, that means simply copying your whole installation in whatever version it is right now. Since apps are simply just collections of files, some of them being an important part of the overall configuration, you usually can't just not copy them and expect everything to work as it used to.

You probably could just copy over indexed data - that should work. But then you'd need to _at least_ copy over index definitions as well. And probably some datamodel definitions and acceleration configurations (although those you can rebuild but it takes time). And then you'll find yourself wanting to preserve some other configuration items, reports, dashboards and... in the end it turns out it's better to just upgrade the whole thing as it was.

You could try to manually isolate the "Splunk config" items, copy them over with indexed data to the new instance and then try to (again - manually) migrate settings from each app separately but that will mean you have to install each app from scratch, check if the app didn't change from the version you use now to a new version (a huge part of your apps probably still uses Python 2 so there are definitely changes in the apps themselves).

There are some possible paths out of your 7.2.3 but they do involve a lot of effort which you might actually save by doing those multiple upgrades in place.

0 Karma
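
A read-only sketch of the inventory that the manual route in the last reply implies, added here as an example and not code from the thread or from Splunk: it lists what sits in `local` directories under a copy of `$SPLUNK_HOME/etc` and the index names defined there. The sample tree and all function names are constructed, and it assumes site changes live in `local` directories while `default` directories hold shipped settings.

```python
import os
import re
import tempfile

STANZA = re.compile(r"^\[([^\]]+)\]")

def conf_stanzas(path):
    """Stanza names in one .conf file; comment lines never match the pattern."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [m.group(1) for m in (STANZA.match(l.strip()) for l in fh) if m]

def inventory(etc_dir):
    """Map every file kept under a 'local' directory to its stanza names."""
    # Assumption: site changes live in local/, shipped settings in default/.
    found = {}
    for root, _dirs, files in os.walk(etc_dir):
        rel_root = os.path.relpath(root, etc_dir)
        if "local" not in rel_root.split(os.sep):
            continue
        for name in sorted(files):
            stanzas = conf_stanzas(os.path.join(root, name)) if name.endswith(".conf") else []
            found[os.path.join(rel_root, name).replace(os.sep, "/")] = stanzas
    return found

def index_names(inv):
    """Index definitions: indexes.conf stanzas other than [default] and [volume:*]."""
    return sorted({s for p, st in inv.items() if p.endswith("/indexes.conf")
                   for s in st if s != "default" and not s.startswith("volume:")})

def build_sample(etc_dir):
    """Constructed sample tree (not taken from the thread)."""
    files = {
        "system/local/indexes.conf": "[default]\nfrozenTimePeriodInSecs = 7776000\n[lab_fw]\nhomePath = $SPLUNK_DB/lab_fw/db\n",
        "apps/search/local/savedsearches.conf": "# note\n[Lab report]\nsearch = index=lab_fw\n",
        "apps/search/local/data/ui/views/lab_overview.xml": "<dashboard/>\n",
        "apps/search/default/app.conf": "[ui]\nis_visible = true\n",
    }
    for rel, body in files.items():
        path = os.path.join(etc_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        inv = inventory(tmp)
        print("\n".join(f"{p}: {inv[p]}" for p in sorted(inv)))
        print("index definitions:", index_names(inv))
```

Pointing `inventory()` at a snapshot copy of the old `etc` directory gives the list of items that would have to be reviewed one by one, which is the effort the replies weigh against upgrading in place.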