Step 1) Before you upgrade Splunk Enterprise Security
- Review the compatible versions of the Splunk platform.
- Review the hardware requirements to make sure that your server hardware supports Splunk Enterprise Security.
- Review known issues with the latest release of Splunk Enterprise Security.
- Review deprecated features in the latest release of Splunk Enterprise Security.
- Back up the search head, including the KV store. The upgrade process does not back up the existing installation before upgrading.
- Back up the search head. From $SPLUNK_HOME, archive the etc directory:
tar -czvf etc.tar.gz etc
- Back up the KV store.
Check the KV store status. To check the status of the KV store on any deployment type, use the show kvstore-status command:
./splunk show kvstore-status
Back up the KV store:
mkdir -p $SPLUNK_DB/backupdir
./splunk backup kvstore
- Approximately 1 GB of free space is required in the /tmp/ directory for the upgrade to complete. When upgrading an app through either the CLI or Splunk Web, the /tmp/ directory is used during the process.
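As an added example (not from the Splunk documentation or this post), the following POSIX shell script runs the Step 1 checks and backups in order: free space in /tmp, a verified tarball of etc, then the KV store status and backup. It assumes the CLI at $SPLUNK_HOME/bin/splunk, the config tree at $SPLUNK_HOME/etc, and a backup directory of your choosing.

```shell
#!/bin/sh
# Added preflight helper for Step 1 (not part of the Splunk docs or this post).
# Assumes the splunk CLI lives at $SPLUNK_HOME/bin/splunk and the config
# tree at $SPLUNK_HOME/etc; KV store steps are skipped when the CLI is absent.
set -u

# Return 0 when the filesystem holding directory $1 has at least $2 MB free.
# The upgrade needs roughly 1 GB free in /tmp, so preflight asks for 1024.
has_free_mb() {
    dir=$1; need_mb=$2
    avail_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ "$avail_kb" -ge $((need_mb * 1024)) ]
}

# Archive $SPLUNK_HOME/etc into a timestamped gzip tarball under $2 and print
# its path. Keep $2 outside $SPLUNK_HOME so the upgrade cannot touch it.
backup_etc() {
    splunk_home=$1; backup_dir=$2
    mkdir -p "$backup_dir" || return 1
    out="$backup_dir/etc-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$out" -C "$splunk_home" etc || return 1
    printf '%s\n' "$out"
}

# A backup is only useful if it can be read back; check that the archive lists
# etc/system/local/, where web.conf and other local settings are kept.
verify_etc_backup() {
    tar -tzf "$1" 2>/dev/null | grep -q '^etc/system/local/'
}

# Show KV store status and take a KV store backup with the same CLI commands
# the steps above use. Returns 2 (skipped) when the CLI is not present.
backup_kvstore() {
    cli="$1/bin/splunk"
    [ -x "$cli" ] || { echo "no splunk CLI at $cli; skipping KV store backup"; return 2; }
    "$cli" show kvstore-status || return 1
    "$cli" backup kvstore
}

# Run every Step 1 check in order; stop at the first failure.
preflight() {
    splunk_home=${1:-${SPLUNK_HOME:-/opt/splunk}}
    backup_dir=${2:-/var/backups/splunk}
    has_free_mb /tmp 1024 || { echo "need at least 1 GB free in /tmp"; return 1; }
    archive=$(backup_etc "$splunk_home" "$backup_dir") || return 1
    verify_etc_backup "$archive" || { echo "etc backup unusable: $archive"; return 1; }
    echo "etc backed up to $archive"
    backup_kvstore "$splunk_home"
}
```

Run it as `preflight /opt/splunk /var/backups/splunk` on the search head before Step 2; a non-zero exit means the upgrade should not proceed.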
Step 2) Download Splunk Enterprise Security
- Open splunk.com and log in with your Splunk.com ID. You must be a licensed Enterprise Security customer to download the product.
- Download the latest Splunk Enterprise Security product.
Step 3) Install the latest Splunk Enterprise Security
The installer dynamically detects if you’re installing in a single search head environment or search head cluster environment. The installer is also bigger than the default upload limit for Splunk Web. For more information on installing Splunk Enterprise Security, see Install Splunk Enterprise Security.
Increase the Splunk Web upload limit to 1 GB by creating a file called $SPLUNK_HOME/etc/system/local/web.conf with the following stanza (the value is in megabytes), then restart Splunk so it takes effect.
[settings]
max_upload_size = 1024
To restart Splunk from the Splunk toolbar, select Settings > Server controls and click Restart Splunk.
On the Splunk Enterprise search page, select Apps > Manage Apps and choose Install App from File.
Step 4) Upgrade Splunk Enterprise Security using the UI
1. Click Choose File and select the Splunk Enterprise Security product file.
2. Click Upgrade app to overwrite the existing Splunk Enterprise Security installation.
3. Click Upload to begin the installation.
4. When prompted, configure Splunk Enterprise Security.
5. Click Restart Splunk.
Upgrade through the CLI:
./splunk install app <app_package_filename> -update 1 -auth <username>:<password>
Step 5) Set up Splunk Enterprise Security
1. Click Continue to app setup page to start the ES setup.
2. Click Start.
3. The Splunk Enterprise Security Post-Install Configuration page indicates the upgrade status as it moves through the stages of installation. When the setup is complete, the page may prompt you to restart Splunk platform services if you opted to enable SSL before the setup.
4. Click Restart Splunk to finish the installation.
Step 6) Validate the upgrade
The Splunk Enterprise Security upgrade process is now complete. Objects disabled during the upgrade process will automatically be enabled.
1. On the Enterprise Security menu bar, select Audit > ES Configuration Health.
2. Review potential conflicts and changes to the default settings. See ES Configuration Health in the User Manual.
3. Clear the browser cache of the browser you use to access Splunk Web to make sure that you access a fresh version of Splunk Web after upgrading. If you do not clear the browser cache, some pages might fail to load.
Splunk logs the upgrade in $SPLUNK_HOME/var/log/splunk/essinstaller2.log. Review this file if the Configuration Health page reports problems or the setup did not complete.