Hi,
As the title suggests, I want to "revive" a Splunk lab in our company, which was running on version 8.1.2.
My target is version 9.2.10
The lab consists of a full Splunk deployment - it has Cluster Master, multisite Indexer Cluster, Search Head Cluster, SH Deployer, Deployment Server and a few UFs.
I have read through some docs about upgrading Splunk, and it appears to me that I have to go through 2 upgrade steps: from 8.1.2 to 9.0 (I am planning to upgrade to 9.0.4 first), then from 9.0.4 to 9.2.10.
Currently Splunk is running in the /home/splunk folder.
What concerns me most is: how do I retain the data on the Indexers?
I saw a vid showing the upgrade process, in which they tar the whole $SPLUNK_HOME folder for backup. But that process is quite challenging if you have TBs of data in the $SPLUNK_HOME/var/lib folder, right? Is there any other way to retain data, after upgrading?
Also, is there anything else I should take note of? Any suggestions or recommendations are welcome.
You don't _have to_ do a backup just to do the upgrade. Backup is... for backup. In case something goes south you can restore your data. It's often not convenient to back up the whole installation including indexed data, but it's always a sound idea to back up Splunk's configuration, apps and state (kvstore, input checkpoints and so on). It's way easier to do if you have your space partitioned - store Splunk data separately from Splunk's main directory, at least for the indexers. Which you apparently don't do. So you might get away with excluding your index directories from the backup, but since everything by default resides in $SPLUNK_HOME/var/lib it will be tricky to properly select the stuff to back up and, in case of disaster, to properly remove old stuff without touching the indexed data.
You don’t need to back up terabytes of raw index data to upgrade Splunk. As long as you perform a rolling upgrade of your indexer cluster and don’t delete or overwrite $SPLUNK_DB your indexed data will remain intact. But back up configurations.
Indexed data lives under $SPLUNK_DB. You don’t need to tar this entire directory unless you want a full disaster-recovery backup.
Backup your configs from etc.
$SPLUNK_HOME/etc → all configs, apps etc.
During an in-place upgrade, Splunk preserves buckets. As long as you don’t wipe $SPLUNK_DB, your TBs of data remain usable.
Upgrade Path
-Upgrade from 8.1.2 → 9.0.x
-Upgrade from 9.0.x → 9.2.10
Better to perform rolling upgrade.
#https://help.splunk.com/en/data-management/manage-splunk-enterprise-indexers/9.2/deploy-the-indexer-...
Check this doc before upgrade
#https://help.splunk.com/en/splunk-enterprise/administer/install-and-upgrade/9.2/upgrade-or-migrate-s...
Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
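The two answers above both come down to the same procedure: archive $SPLUNK_HOME/etc plus the state that lives under $SPLUNK_DB (kvstore, fishbucket and modular-input checkpoints) and leave the index buckets alone. The script below is an added example, not code from either poster or from Splunk; it assumes the default layout described in the question (SPLUNK_DB under $SPLUNK_HOME/var/lib/splunk), reads any SPLUNK_DB override from etc/splunk-launch.conf, and then lists the archive to confirm no bucket directory (db_*, rb_*, colddb/) slipped in. The directory names fishbucket, modinputs and kvstore are the standard ones under $SPLUNK_DB; the output file name is just a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): pre-upgrade backup of Splunk config and
# state that deliberately leaves the indexed buckets out of the archive.
# Assumes the thread's default layout: SPLUNK_DB under $SPLUNK_HOME/var/lib/splunk.
set -eu

# SPLUNK_DB is set in etc/splunk-launch.conf; when the line is missing or
# commented out, Splunk falls back to $SPLUNK_HOME/var/lib/splunk.
resolve_splunk_db() {
    home=$1
    db=""
    if [ -f "$home/etc/splunk-launch.conf" ]; then
        db=$(sed -n 's/^SPLUNK_DB=//p' "$home/etc/splunk-launch.conf" | tail -n 1)
    fi
    [ -n "$db" ] || db="$home/var/lib/splunk"
    printf '%s\n' "$db"
}

# Archive etc/ (all configs and apps) plus the state directories under
# SPLUNK_DB that are not indexed data: fishbucket (file-input checkpoints),
# modinputs (modular-input checkpoints) and kvstore. Index directories are
# never named, so buckets never enter the archive.
backup_splunk_state() {
    home=$1
    out=$2
    db=$(resolve_splunk_db "$home")
    rel_db=""
    case $db in
        "$home"/*) rel_db=${db#"$home"/} ;;
        *) echo "SPLUNK_DB ($db) is outside $home; back up its state separately" >&2 ;;
    esac
    members="etc"
    if [ -n "$rel_db" ]; then
        for d in fishbucket modinputs kvstore; do
            if [ -d "$home/$rel_db/$d" ]; then
                members="$members $rel_db/$d"
            fi
        done
    fi
    # $members is a deliberate space-separated list of relative paths.
    # shellcheck disable=SC2086
    tar -czf "$out" -C "$home" $members
}

# Sanity check: hot/warm buckets are db_<newest>_<oldest>_<id>, replicated
# copies rb_..., cold buckets sit under colddb/. Succeeds only if none appear.
archive_has_no_buckets() {
    ! tar -tzf "$1" | grep -Eq '/(db_[0-9]|rb_[0-9]|colddb/)'
}

# Usage (placeholder paths): sh splunk_pre_upgrade_backup.sh /home/splunk /backup/splunk-8.1.2-state.tgz
if [ $# -eq 2 ]; then
    backup_splunk_state "$1" "$2"
    if archive_has_no_buckets "$2"; then
        echo "OK: $2 contains configuration and state only, no index buckets"
    else
        echo "WARNING: $2 contains bucket directories" >&2
        exit 1
    fi
fi
```

Run it once per instance before the 8.1.2 to 9.0.x step and again before the 9.0.x to 9.2.10 step, and keep the archive off the host. On indexers, the tarball stays small because nothing under `<index>/db`, `colddb` or `thaweddb` is named; the terabytes of buckets remain in place for the in-place upgrade, exactly as the answers above describe.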
Upgrade Path
-Upgrade from 8.1.2 → 9.0.x
-Upgrade from 9.0.x → 9.2.10
Can I do this instance by instance?
Like:
Do I upgrade to 9.2 instance by instance
OR
I upgrade to 9.0 on all instances, then upgrade to 9.2 on all instances
No. You have to first bring your whole environment to the supported configuration (like 8.1->9.0), then go for another step.