Splunk technical blog Part 2 ~Technical support case version upgrade edition~

Introduction

Hello, I'm in charge of Macnica Splunk support.
In the second Splunk technical support case study, we'll take a step away from troubleshooting and focus on updating Splunk.

Splunk releases updates mainly to address vulnerabilities and known bugs. In addition, versions that have reached End of Service are no longer covered by the manufacturer's support or by our support. To keep running Splunk on a stable, supported version, version upgrades are therefore unavoidable. In this post we introduce the upgrade steps and the points to consider, based on actual inquiries.

Customer requests

  • I want to upgrade my Splunk Enterprise environment
  • I want to prevent business problems from occurring due to version updates.

Inquiry matters

  • Question 1: What is the upgrade procedure?
  • Question 2: Will the imported logs be deleted by version upgrade?
  • Question 3: Is there anything I should be careful about to ensure that the dashboard (App) I use for work is not affected?

Flow to solution

Question 1: What is the upgrade procedure?

Review the following points to determine the appropriate upgrade procedure.

<Point 1-1>

  • Configuration
    The procedure differs depending on whether you have a single-instance configuration or a cluster configuration.

<Point 1-2>

  • Upgrade path
    Depending on the version you are using, you may need to upgrade in stages to reach the target version.
    Example: v8.0.x → v8.2.x → v9.1, etc.

<Point 1-3>

  • Version compatibility with forwarders
    There are version compatibility constraints between the forwarder and the indexer (in this case, a single Splunk Enterprise instance). If the new indexer version is no longer compatible with the forwarder, you will need to upgrade the forwarder version as well.

When responding to a support request, we check the current environment based on the content of the inquiry and guide the customer through the steps according to the points above.

・Environment information (excerpt)

  • OS on which Splunk is installed: Linux version 3.10.0-1160.el7.x86_64
  • Splunk configuration: single instance
  • Splunk Enterprise current version/updated version: 7.3.x → 9.0.x
  • Universal forwarder version: 7.3.x

Answer ①

<Assumption>

  • About the version upgrade path
    You cannot upgrade directly to v9.0, so you first need to upgrade to v8.1.
  • About forwarder version upgrades
    The universal forwarder v7.3 you are using is compatible with indexer v9.0. However, since its full support period has ended, we recommend upgrading it as well.
    *You can check the support period for each product here:
    https://www.splunk.com/en_us/legal/splunk-software-support-policy.html

Also, if you want to upgrade the forwarder to v9.0, then as with the indexer you first need to upgrade to v8.1 and then to v9.0.

<Version upgrade procedure>

  • The steps for upgrading are as follows.
  1. Stop the universal forwarder
  2. Stop the indexer
  3. Indexer version upgrade
    1. Disable Splunk's autostart settings if you have them enabled.
    2. Take backup of settings and data area
    3. Run the target version installer
    4. Grant the Splunk execution user access to the installation directory
    5. Enable Splunk autostart settings if needed
  4. Universal forwarder version upgrade
    1. Disable Splunk's autostart settings if you have them enabled.
    2. Take configuration backup
    3. Run the target version installer
    4. Grant the Splunk execution user access to the installation directory
    5. Enable Splunk autostart settings if needed
  5. Start the indexer
  6. Start the forwarder
    *More detailed instructions will be provided during support.
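The numbered procedure above for a single Linux instance, as an added shell helper that is not part of the original post or a Splunk-provided script. It assumes the .tgz distribution (which unpacks a `splunk/` directory, so SPLUNK_HOME is assumed to be /opt/splunk), a placeholder service user, and a placeholder backup directory; the forwarder is handled the same way with SPLUNK_HOME=/opt/splunkforwarder.

```shell
#!/bin/sh
# Added example, not from the original post: helper for the single-instance
# Linux indexer upgrade steps (disable autostart, back up etc/ and the data
# area, install the target version, fix ownership, re-enable autostart).
# Assumptions: a .tgz package extracted over SPLUNK_HOME; SPLUNK_HOME,
# SPLUNK_USER and BACKUP_DIR are placeholders the operator sets.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/splunk}"

# Back up configuration files (etc/) and the data area (var/lib/splunk)
# together, as Answer 2 recommends. Prints the archive path.
splunk_backup() {
    mkdir -p "$BACKUP_DIR"
    archive="$BACKUP_DIR/splunk-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -C "$SPLUNK_HOME" -czf "$archive" etc var/lib/splunk
    printf '%s\n' "$archive"
}

# Verify the archive really contains both the config tree and the data area
# before anything is overwritten; returns non-zero if either is missing.
verify_backup() {
    tar -tzf "$1" | grep -q '^etc/' || return 1
    tar -tzf "$1" | grep -q '^var/lib/splunk/' || return 1
}

# Indexer steps 1-5 (run as root). $1 is the target-version .tgz.
# Stop the universal forwarder first, as in the numbered procedure.
splunk_upgrade() {
    pkg="$1"
    splunk="$SPLUNK_HOME/bin/splunk"
    "$splunk" stop
    "$splunk" disable boot-start                          # 1. disable autostart
    archive=$(splunk_backup)                              # 2. back up config + data
    verify_backup "$archive" || { echo "incomplete backup: $archive" >&2; return 1; }
    tar -xzf "$pkg" -C "$(dirname "$SPLUNK_HOME")"        # 3. install over SPLUNK_HOME
    chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"   # 4. ownership for the service user
    "$splunk" enable boot-start -user "$SPLUNK_USER"      # 5. autostart, if wanted
    # The new version migrates configuration on first start; the flags keep
    # that step non-interactive.
    "$splunk" start --accept-license --answer-yes
}
```

Source the file and run `splunk_upgrade /path/to/splunk-<version>.tgz`; run the forwarder pass afterwards with SPLUNK_HOME and SPLUNK_USER pointed at the forwarder install.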

Question 2: Will the imported logs be deleted by version upgrade?

Answer ②

Splunk stores configuration files and the data area separately, and a version upgrade touches only the configuration files. Therefore, logs that have already been ingested are not deleted by a version upgrade. However, please back up both your configuration files and the data area just in case.

Question 3: Is there anything I should be careful about to ensure that the dashboard (App) I use for work is not affected?

<Point 3-1>

  • Python versions supported by Splunk
    Starting with Splunk Enterprise 8.0, the supported Python version changed from 2.7 to 3.7. As a result, depending on the Apps/Add-ons you use, some may not be compatible with Python 3.7 and may stop working properly after upgrading to Splunk Enterprise 8.0 or later. It is therefore necessary to check compatibility and take measures in advance.

Answer ③

The installed Apps/Add-ons may be incompatible with the Splunk Enterprise version after the upgrade. Therefore, please check compatibility in advance and, before upgrading Splunk Enterprise, upgrade each App/Add-on to a version that supports the target Splunk Enterprise version.
Compatibility between Apps/Add-ons and Splunk Enterprise can be checked using the following methods:

① Check on Splunkbase (https://splunkbase.splunk.com/)

You can check by going to the target App/Add-on page > [Compatibility].

② Check with the Splunk Platform Upgrade Readiness App

What is the Splunk Platform Upgrade Readiness App?
It is an app that checks whether the Apps/Add-ons installed in Splunk are compatible with the Splunk Enterprise v9.0 series and Python 3.7. It can also check custom apps that you have created yourself.

*It is installed by default on Splunk Enterprise versions 8.2 and later.
If you are using a version lower than 8.2, please download from Splunkbase.

・About the Splunk Platform Upgrade Readiness App

https://docs.splunk.com/Documentation/UpgradeReadiness/latest/Use/About

[How to use Upgrade Readiness App]

  1. Log in to Splunk Web and select [Upgrade Readiness App]
  2. [Run New Scan] > select the scan target > [Scan]
  3. Check [Status] in the Splunk Platform Compatibility Scan Results
  4. For Apps/Add-ons that require action, the specific actions are shown once the scan completes.
  5. Upgrade according to the reported actions, and review the scripts of any custom apps.

Result of response

The case was closed after the customer carried out the work based on the information provided and informed us that there were no operational problems after the version upgrade.

Conclusion

Thank you for reading to the end.

What did you think? We hope this post will be helpful when you upgrade your version. The upgrade procedure, added features, known issues and so on are also described in the manufacturer's documentation, so please be sure to check it when upgrading.

Macnica maintenance users may also refer to the following FAQs.

Inquiry/Document request

Splunk support, Macnica Co., Ltd.

Weekdays: 9:00-17:00