Step 1) Before you upgrade Splunk Enterprise Security

  1. Review the compatible versions of the Splunk platform.
  2. Review the hardware requirements to make sure that your server hardware supports Splunk Enterprise Security.
  3. Review known issues with the latest release of Splunk Enterprise Security.
  4. Review deprecated features in the latest release of Splunk Enterprise Security.
  5. Back up the search head, including the KV Store. The upgrade process does not back up the existing installation before upgrading.
    1. Back up the search head configuration (run from $SPLUNK_HOME so that the archive contains the etc directory):
       tar -czvf etc.tar.gz etc

    2. Back up the KV store
       Check the KV store status first. To check the status of the KV store on any deployment type, use the show kvstore-status command:
       ./splunk show kvstore-status

       Back up the KV store:
       mkdir -p $SPLUNK_DB/backupdir
       ./splunk backup kvstore

  6. Approximately 1 GB of free space is required in the /tmp/ directory for the upgrade to complete. When upgrading an app through either the CLI or Splunk Web, the /tmp/ directory is used during the process.
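The pre-upgrade checks and backups above, collected into one POSIX shell script as an added example (not part of the original post). It assumes the default $SPLUNK_HOME/$SPLUNK_DB layout, that `splunk backup kvstore` accepts `-archiveName`, and that `splunk show kvstore-status` prints a `status : ready` line for the local member.

```shell
#!/bin/sh
# Pre-upgrade checks and backups for a Splunk ES search head (added example).
# Assumptions: default SPLUNK_HOME/SPLUNK_DB layout, and that
# `splunk show kvstore-status` prints a "status : ready" line when healthy.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_DB="${SPLUNK_DB:-$SPLUNK_HOME/var/lib/splunk}"
BACKUP_DIR="$SPLUNK_DB/backupdir"
REQUIRED_TMP_KB=$((1024 * 1024))   # ~1 GB free in /tmp is needed by the installer

# Succeeds when directory $1 has at least $2 KB available (POSIX `df -P` output).
has_free_kb() {
    avail=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# Archive name for the KV store backup, derived from a timestamp so that
# repeated backups never overwrite each other.
backup_archive_name() {
    printf 'pre-es-upgrade-%s\n' "$1"
}

# Succeeds when the local KV store member reports itself ready (assumed output format).
kvstore_ready() {
    "$SPLUNK_HOME/bin/splunk" show kvstore-status 2>/dev/null | grep -q 'status : ready'
}

# Archive $SPLUNK_HOME/etc into the backup directory, then back up the KV store
# (the KV store archive lands in Splunk's default backup location).
backup_search_head() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR" || return 1
    (cd "$SPLUNK_HOME" && tar -czf "$BACKUP_DIR/etc-$stamp.tar.gz" etc) || return 1
    "$SPLUNK_HOME/bin/splunk" backup kvstore -archiveName "$(backup_archive_name "$stamp")"
}

# Refuse to proceed unless /tmp has room and the KV store is healthy.
preupgrade() {
    has_free_kb /tmp "$REQUIRED_TMP_KB" || { echo "need ~1 GB free in /tmp" >&2; return 1; }
    kvstore_ready || { echo "KV store not ready; fix this before backing up" >&2; return 1; }
    backup_search_head
}

# Only run the real checks when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "run" ]; then
    preupgrade
fi
```

Run it as `sh preupgrade.sh run` on the search head; a non-zero exit means stop and fix the reported condition before uploading the installer.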


Step 2) Download Splunk Enterprise Security

  • Open the Splunk Enterprise Security download page and log in with your ID. You must be a licensed Enterprise Security customer to download the product.
  • Download the latest Splunk Enterprise Security product.

Step 3) Install the latest Splunk Enterprise Security

The installer dynamically detects if you’re installing in a single search head environment or search head cluster environment. The installer is also bigger than the default upload limit for Splunk Web. For more information on installing Splunk Enterprise Security, see Install Splunk Enterprise Security.

Increase the Splunk Web upload limit to 1 GB by creating a file called $SPLUNK_HOME/etc/system/local/web.conf with the following stanza (the setting belongs under the [settings] stanza header):

[settings]
max_upload_size = 1024

To restart Splunk from the Splunk toolbar, select Settings > Server controls and click Restart Splunk.
On the Splunk Enterprise search page, select Apps > Manage Apps and choose Install App from File.

Step 4) Upgrade Splunk Enterprise Security using the UI
    1. Select the Splunk Enterprise Security product file.
    2. Click Choose File and select the Splunk Enterprise Security product file.
    3. Click Upgrade app to overwrite the existing Splunk Enterprise Security installation.
    4. Click Upload to begin the installation.
    5. When prompted, configure Splunk Enterprise Security.
    6. Click Restart Splunk.

Through CLI Upgrade:

Step 5) Set up Splunk Enterprise Security
  1. Click Continue to app setup page to start the ES setup.
  2. Click Start.
  3. The Splunk Enterprise Security Post-Install Configuration page indicates the upgrade status as it moves through the stages of installation. When the setup is complete, the page may prompt you to restart Splunk platform services if you opted to enable SSL before the setup.
  4. Click Restart Splunk to finish the installation.

Step 6) Validate the upgrade

The Splunk Enterprise Security upgrade process is now complete. Objects disabled during the upgrade process will automatically be enabled.
    1. On the Enterprise Security menu bar, select Audit > ES Configuration Health.
    2. Review potential conflicts and changes to the default settings. See ES Configuration Health in the User Manual.
    3. Clear the browser cache of the browser you use to access Splunk Web to make sure that you access a fresh version of Splunk Web after upgrading. If you do not clear the browser cache, some pages might fail to load.
Splunk logs the upgrade in $SPLUNK_HOME/var/log/splunk/essinstaller2.log; check it if the ES Configuration Health page reports problems.

