Splunk Lantern

Preparing to upgrade from 10.x to Splunk Enterprise and Cloud Platform 10.4

This article summarizes the changes coming to Splunk Enterprise and Splunk Cloud Platform in version 10.4 (collectively, "Splunk platform 10.4" for the rest of this document). The article includes detailed information about the nature of these changes, the parties that the changes affect, and any necessary mitigation strategies. The objective of this article is to help you plan and act promptly.

Potentially breaking changes

Customers and app developers alike should carefully review all changes in this section when preparing to migrate to Splunk platform 10.4, because these changes have the potential to cause disruption.

Removal of support for versions 1.0 and 1.1 of the transport layer security (TLS) protocol

  • Summary: Splunk has removed support for versions 1.0 and 1.1 of the TLS encryption protocol.
  • Overview: Splunk deprecated support for TLS versions 1.0 and 1.1 for network connections between Splunk components in Splunk Enterprise 10.0 and completely removed support in version 10.4. Migrate to using TLS version 1.2 or higher for network connections between Splunk components.
  • Affected customers: Any customers with networking configurations or apps that rely on TLS versions 1.0 or 1.1.
  • Issue detection and mitigation guidance: Update any system or app configurations to use TLS version 1.2 or higher. Where possible, remove configurations for lower protocol versions at the same time. The Splunk Health Assistant check "Deprecated TLS Protocol Versions in Splunk Configuration" identifies use of older TLS configurations.

Removal of support for Secure Hash Algorithm 1 (SHA1) certificate signatures

  • Summary: Splunk has removed support for certificate signatures that are based on the SHA1 hash function.
  • Overview: Splunk deprecated support for the usage of certificates with SHA-1 signatures in Splunk platform 10.0 and completely removed support in Splunk platform 10.4. Re-issue and migrate to certificates that use SHA-256 or higher signatures.
  • Affected customers: Customers that use certificates with SHA-1 signatures.
  • Issue detection and mitigation guidance: Re-issue and migrate to certificates that use SHA-256 or higher signatures. The following Splunk Health Assistant checks identify the use of SHA-1 with SAML configurations:
    • For Splunk Enterprise customers: "Removed support for Duo Traditional Prompt"
    • For Splunk Enterprise and Splunk Cloud Platform customers: "Removed support for SHA-1 signed certificates"

Removal of unsupported MongoDB database engine binaries

  • Summary: Splunk removed the binary files that were associated with older versions of the MongoDB database engine.
  • Overview: Splunk removed the binaries for unsupported versions of the MongoDB database engine from the installation package in Splunk Enterprise 10.4.
  • Affected customers: Customers that use App Key Value Store (KV Store) with MongoDB versions between 4.2 and 6.
  • Issue detection and mitigation guidance: Upgrade KV Store to MongoDB engine version 7 or higher before upgrading to Splunk Enterprise version 10.4. For Splunk Enterprise customers, the Splunk Health Assistant check "MongoDB Versions" identifies instances that use MongoDB versions below 7.

Changes in TLS-related settings in the [kvstore] stanza of the server.conf configuration file

  • Summary: Splunk changed how App Key Value Store (KV Store) uses TLS-related settings in the server.conf configuration file.
  • Overview: Splunk adjusted the logic that determines whether KV Store uses TLS-related settings in the [kvstore] stanza or falls back to similar settings in the [sslConfig] stanza of the server.conf configuration file. Prior to Splunk platform 10.4, KV Store ignored TLS-related settings under the [kvstore] stanza that were also present in the [sslConfig] stanza. Beginning with Splunk platform 10.4, KV Store uses TLS-related settings that are present in the [kvstore] stanza first. This might cause unintended connection failures due to conflicting protocol configurations.
  • Affected customers: Customers who have one or more TLS-related settings for KV Store under the [kvstore] stanza in the server.conf file that KV Store currently ignores if the same settings also appear in the [sslConfig] stanza.
  • Issue detection and mitigation guidance: Review both stanzas in the server.conf file and remove any TLS-related settings under the [kvstore] stanza that you do not specifically use for securing KV Store connections. For Splunk Enterprise customers, the Splunk Health Assistant check "Incomplete App Key Value Store (KV Store) TLS Settings" identifies problems that could arise from partial values in the [kvstore] stanza.
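
The following sketch supports both the TLS 1.0/1.1 review and the [kvstore] review described above. It is an added example, not Splunk code: the sample server.conf is constructed, and `parse_conf`, `allows_old_tls`, and `audit` are hypothetical helper names. It assumes `sslVersions` entries are applied left to right, with `*` and `tls` expanding to all TLS versions and a `-` prefix removing one.

```python
import re

# Constructed sample server.conf for illustration; not from a real deployment.
SAMPLE = """\
[sslConfig]
sslVersions = tls1.1, tls1.2
serverCert = $SPLUNK_HOME/etc/auth/mycerts/server.pem
sslVerifyServerCert = true

[kvstore]
# leftovers that KV Store ignored before 10.4
serverCert = $SPLUNK_HOME/etc/auth/old/kvstore.pem
sslVerifyServerCert = true
port = 8191
"""
ALL_TLS = {"tls1.0", "tls1.1", "tls1.2"}

def parse_conf(text):
    """Minimal .conf reader: [stanza] headers, key = value lines, # comments."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def allows_old_tls(ssl_versions):
    """True if an sslVersions list still enables TLS 1.0 or 1.1."""
    expand = lambda name: ALL_TLS if name in ("*", "tls") else {name}
    enabled = set()
    for item in (v.strip().lower() for v in ssl_versions.split(",")):
        if item.startswith("-"):      # "-tls1.0" removes a version
            enabled -= expand(item[1:])
        elif item:
            enabled |= expand(item)
    return bool(enabled & {"tls1.0", "tls1.1"})

def audit(text):
    stanzas = parse_conf(text)
    kv, ssl = stanzas.get("kvstore", {}), stanzas.get("sslConfig", {})
    return {
        # every sslVersions* setting, in any stanza, that permits TLS 1.0/1.1
        "old_tls": [(s, k, v) for s, cfg in stanzas.items() for k, v in cfg.items()
                    if k.startswith("sslVersions") and allows_old_tls(v)],
        # [kvstore] settings also set in [sslConfig]: used first as of 10.4
        "kvstore_overrides": {k: (kv[k], ssl[k]) for k in sorted(kv.keys() & ssl.keys())},
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Effective settings come from several layered configuration files, so run the check against each server.conf that applies to the instance, or against merged output from `splunk btool server list`.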

Changes to running Splunk Enterprise as an administrator-level user on Windows

  • Summary: Splunk no longer lets you install Splunk Enterprise to run as an administrator-level Windows user.
  • Overview: Splunk has removed the ability to install Splunk Enterprise as an Administrator-level user on Windows. When you upgrade to Splunk Enterprise 10.4, how your deployment is configured determines how the installer upgrades the software:
    • If the instance runs as the local system user, the installer reconfigures it to run as a local service account.
    • If the instance runs as a domain user, the installer halts the installation and directs you to remove that user from the local Administrators group.
    • If the instance runs as a local service account, the installer retains that configuration.
    For new installations, you can choose to run the instance as either a local service account or a domain user account. The domain user account cannot be a member of the local Administrators group on the Windows machine.
  • Affected customers: Any customers who run Splunk Enterprise on Windows.
  • Issue detection and mitigation guidance: Review your Splunk Enterprise on Windows deployment configuration prior to starting an upgrade. Where possible, reconfigure the instance to run as a low-privileged local service account. If you currently run the instance as a Windows domain user to access resources that are on or external to the machine that hosts the deployment, remove that user from the local Administrators group. Confirm that the domain user still has access to all the resources that it had access to prior to removing it from the local Administrators group. For new installations of Splunk Enterprise, it is no longer possible to install the software to run as the Local System account. Instead, either install it to run as a local service account or use a domain account if you need to access internal or external resources.

Changes in required permissions to auto-refresh dashboards

  • Summary: Splunk changed the capability requirements that you must satisfy to view dashboards that auto-refresh.
  • Overview: Splunk changed the capability requirements for users who want to view dashboards that refresh automatically. With Splunk platform 10.4, non-administrator users must hold a role that contains the auto_refresh_dashboards capability.
  • Affected customers: Any customers who view auto-refresh dashboards and who are not the "admin" or "sc_admin" user or their equivalents.
  • Issue detection and mitigation guidance: If you have access to the admin or sc_admin accounts on the instance, add the auto_refresh_dashboards capability to a role that you can then grant to users who need to view auto-refreshing dashboards.

Removal of jQuery version 2

  • Summary: Splunk removed all components associated with version 2 of the jQuery JavaScript library for HTML Document Object Model traversal and manipulation.
  • Overview: Splunk has fully removed jQuery version 2 (jQuery 2) from the Splunk platform. This means that Splunk deleted the jQuery upgrade admin page, all jQuery libraries with a version lower than 3, the quarantine framework, and all associated feature flags, including enable_jQuery2 and enable_unsupported_hotlinked_imports. All platform JavaScript now runs on jQuery version 3 and higher. Apps that hotlink jQuery 2 or rely on jQuery 2-specific APIs will no longer function.
  • Affected customers: Third-party app developers and customers whose Splunk apps:
    • Use Simple XML dashboard version 1.0 (classic dashboards rendered through the jQuery 2/Backbone.js stack)
    • Either use jQuery 2 directly or hot-link jQuery 2 libraries
    • Depend on the enable_jQuery2 / enable_unsupported_hotlinked_imports feature flags
  • Issue detection and mitigation guidance:
    • Migrate classic (version 1.0) dashboards to version 1.1 using the dashboard migration tool before starting an upgrade.
    • Run App Inspect checks against your apps to identify usage of jQuery 2 and hot-linked library dependencies.
    • Migrate app JavaScript to jQuery 3-compatible APIs.

Non-breaking changes

Customers and app developers should be aware of the following changes, but Splunk does not expect the changes to cause problems.

Update of the default Python interpreter from version 3.9 to version 3.13

  • Summary: Splunk updated the default version of the Python interpreter that it uses in Splunk platform products from 3.9 to 3.13.
  • Overview: Splunk updated the default Python interpreter from version 3.9 to version 3.13. This update does not change which Python interpreter runs or how the platform selects an interpreter to use. The Upgrade Readiness and App Inspect checks now present warnings if the platform is configured to use version 3.9.
  • Affected customers: Customers who use apps and technology add-ons that rely on Python to run.
  • Issue detection and mitigation guidance: Upgrade your apps and scripts to use Python version 3.13 so that when Splunk eventually removes support for version 3.9, your apps don't break. Use the python.required setting in various configuration files to explicitly declare support for Python version 3.13.

In-product notifications

Splunk uses the Splunk Cloud Monitoring Console and the Splunk Enterprise Monitoring Console, alongside the Splunk Health Assistant Add-on, to notify customers of potential issues that it detects on their Splunk platform installations. Splunk will continue to release new checks through these tools to assist customers with preparation for migration to Splunk platform 10.4, as we did with Splunk platform 10.2.

To learn more about these tools, check the following links:

Get help

Interested in having a Splunk expert give you their opinion on your readiness for migration to Splunk platform 10.4? Need help resolving specific issues? The Splunk OnDemand Services team has you covered. You can learn more about ODS and get in touch at Splunk OnDemand Services.