I would like to upgrade from 9.0.0 to 10.2.0 while keeping the same license. The license is Splunk Enterprise - No Enforcement. Also, my 9.0.0 is not working correctly. It states that I can't update the KV store, and I also get this error message: Could not load lookup=LOOKUP-splunk_security_essentials. Will an upgrade help with that?
@jovnice Splunk Enterprise upgrade is not tied to your license, so you are good to proceed after fixing the issues in KV Store.
For KV Store issues in Splunk, check for errors or warnings in the mongod.log file.
$SPLUNK_HOME/var/lib/splunk/kvstore/mongo
I highly recommend that you collect these ERROR details and raise a Support case with Splunk before trying any remediation from your end, since KV Store troubleshooting can be critical for the entire Splunk setup. I had a few bad experiences in the past with KV Store troubleshooting and eventually contacted Splunk Support to recover.
For the Lookup error on Splunk Security Essentials, it could be related to either a corrupted or missing lookup file or running an app version not aligned with your current Splunk version, which is 9.0.0.
Hope this helps and happy to help if you have any further questions. 😊
> Marking the answer and giving Karma helps others find solutions faster!
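
As an added example (not part of any reply in this thread, and not Splunk's own tooling): a small Python triage for mongod.log that keeps only fatal, error and warning entries and counts them per component, handling both MongoDB's older plain-text log lines and its newer JSON log lines. The sample lines are constructed, and the log path is whatever you pass on the command line.

```python
import json
import re
import sys
from collections import Counter

# Older text format: <timestamp> <severity> <component> [<context>] <message>
LEGACY = re.compile(r"^(\S+)\s+([FEWID]\d?)\s+(\S+)\s+\[([^\]]*)\]\s+(.*)$")
KEEP = {"F", "E", "W"}  # fatal, error, warning

def parse_line(line):
    """Return (timestamp, severity, component, message), or None if unparseable."""
    line = line.strip()
    if line.startswith("{"):  # newer structured (JSON) log line
        try:
            rec = json.loads(line)
        except ValueError:
            return None
        t = rec.get("t")
        ts = t.get("$date", "") if isinstance(t, dict) else ""
        msg = rec.get("msg", "")
        if rec.get("attr"):
            msg += " " + json.dumps(rec["attr"], sort_keys=True)
        return ts, rec.get("s", ""), rec.get("c", ""), msg
    m = LEGACY.match(line)
    if not m:
        return None
    ts, sev, comp, _ctx, msg = m.groups()
    return ts, sev, comp, msg

def triage(lines):
    """Count F/E/W entries per (severity, component) and collect them in order."""
    counts, findings = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec and rec[1] in KEEP:
            counts[(rec[1], rec[2])] += 1
            findings.append(rec)
    return counts, findings

# Constructed sample lines (not real Splunk output), one per case handled above.
SAMPLE = [
    "2024-01-10T08:00:01.120+0000 I  CONTROL  [initandlisten] constructed sample info",
    "2024-01-10T08:00:01.450+0000 W  STORAGE  [initandlisten] constructed sample warning",
    "2024-01-10T08:00:02.010+0000 E  STORAGE  [initandlisten] constructed sample error",
    '{"t":{"$date":"2024-01-10T08:00:03.000+00:00"},"s":"E","c":"NETWORK",'
    '"id":1,"ctx":"listener","msg":"constructed sample error","attr":{"code":1}}',
    "not a log line",
]

if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    counts, findings = triage(src)
    for (sev, comp), n in counts.most_common():
        print(f"{sev} {comp:<10} {n}")
    for ts, sev, comp, msg in findings[-20:]:  # most recent entries last
        print(ts, sev, comp, msg)
```

The per-component counts and the last few matching entries are the details worth attaching to a Support case.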
Thanks for your help. I will look into this further.
Hi @jovnice
Firstly, I don't think the upgrade should affect your license, so this shouldn't be an issue.
Regarding the KV Store update, if it was me I would focus on fixing this first before upgrading to 10.2.0.
You will need to upgrade from 9.0.x to 9.2.x and then 9.4.x before upgrading to 10.2.x (See https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/10.2/upgrade-or-migrate...) - This will ensure any iterative upgrade requirements like KV Store upgrades are met, but like I said - Start with a working system!
The splunk_security_essentials lookup could be related to the KV Store issue, I'm not 100% sure where this comes from so I would fix the KV Store issue first.
Thank you for the information. Is there any information on the KV store upgrade, or why it is not working?
1. You're asking about Splunk Enterprise, not ES (which is Enterprise Security).
2. Well, without more info we can't know why your upgrade doesn't work. Maybe you skipped some versions before, maybe your kvstore database is corrupted. That's what the logs are for - see what's in them.
Yes, I mean SE (Splunk Enterprise). Thanks for responding.
I haven't tried the upgrade yet because I wasn't sure whether it would fix the kvstore database issue. I want to update once I know if it's working or if there is any documentation on the KVStore database.
You can find bits and pieces about kvstore in Splunk docs. It's "just" a mongodb instance so much of mongodb experience applies here as well.
I've been looking there, but I didn't see the issue I'm having, so I can't troubleshoot.
@jovnice Refer to my earlier response and let us know if that gives you direction.