Upgrading to Enterprise Security 8.0.x - Prerequisites
This article is part of a comprehensive guide to help you upgrade or migrate pre-8.0.x Splunk Enterprise Security deployments to Splunk Enterprise Security 8.0.x. If you do not feel comfortable completing these steps on your own and would prefer assistance in completing the upgrade, contact our Professional Services experts.
Validations
Prior to performing the upgrade:
- Ensure you have completed enablement on the new features and workflows in the Splunk Enterprise Security (ES) 8.0.x app. For example, Splunk EDU offers a self-paced eLearning course with hands-on simulations that gives an overview of the new features and configuration of ES 8.0 for the Splunk SOC.
- If you are running ES 7.x on a search head cluster (SHC), verify that it is a Linux-based SHC. Windows-based SHCs are not supported in ES 8.0.x. For more information, see Limitations in the Release Notes.
- Review the compatibility matrix to identify the version compatibility between ES and the Splunk platform.
- Review the hardware requirements to make sure that your server hardware supports ES.
- Review known issues with the latest release of ES.
- Review deprecated features in the latest release of ES.
- Ensure that you have approximately 3 GB of free space in the /tmp/ directory so that the upgrade can complete. Upgrading an app through either the CLI or Splunk Web uses the /tmp/ directory.
- Check whether you are using any custom security domains in ES or custom apps to hold custom detections or other content. Detection versioning in ES 8.0.x works only on detections within the DA-ESS-* or SA-* apps shipped with ES.
- Review app compatibility (PCI, Mothership, Risk Notable Playbook Pack).
- Review the splunkd health report on the ES search head. Verify that no components are reporting severe issues or warnings, and remediate any issues found prior to upgrading.
- Review index="_internal" for any errors occurring prior to the upgrade, and remediate any errors found. When performing the upgrade, make a note of the time so that you can later compare post-upgrade errors and warnings against the pre-upgrade errors and warnings.
Backups
Before beginning an upgrade, back up your Splunk Enterprise Security search head, including the KV store.
- Run the following command to back up a single search head instance. The -c flag creates the archive, -p preserves file permissions, -z applies gzip compression, and -f sets the archive file name; the final argument is the path to back up.
tar -cpzf /backup_dir/sh-backup.tar.gz /opt/splunk/etc
- Next, to back up the KV store:
  - Check the KV store status with the show kvstore-status command:
    ./splunk show kvstore-status
  - Then create the backup directory and run the backup:
    mkdir -p $SPLUNK_DB/backupdir
    ./splunk backup kvstore
  - Check the KV store status again with the show kvstore-status command.
For more detailed information on these processes, see:
- Install Splunk Enterprise Security in a search head cluster environment
- Back up and restore KV store
To back out of the upgrade, you must restore the prior version of Splunk Enterprise Security from backup. There is no way to “roll back” the ES 8.0.x upgrade. This backup and restore process should be tested and validated before relying on it as an option in production.
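The pre-upgrade checks and search head backup described above, collected into a small POSIX shell script as an added example (not Splunk's own tooling): the 3 GB /tmp threshold, the tar flags and the DA-ESS-*/SA-* app names come from this article; the function names, the backup directory layout and the test for custom detection apps (a local/savedsearches.conf outside those apps) are assumptions.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling: helpers for the pre-upgrade checks
# and backups in this article. The 3 GB /tmp threshold, tar flags and the
# DA-ESS-*/SA-* names come from the article; function names and the backup
# layout are assumed.
set -u

# Return 0 when DIR has at least REQ_GB gigabytes free (df -Pk reports 1K blocks).
tmp_has_free_space() {
    dir=$1; req_gb=$2
    avail_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ "${avail_kb:-0}" -ge $((req_gb * 1024 * 1024)) ]
}

# Print apps under ETC_DIR/apps that carry local saved searches but are not
# DA-ESS-* or SA-* apps: detection versioning in ES 8.0.x will not cover them.
list_custom_detection_apps() {
    etc_dir=$1
    for app in "$etc_dir"/apps/*/; do
        name=$(basename "$app")
        case "$name" in DA-ESS-*|SA-*) continue ;; esac
        [ -f "$app/local/savedsearches.conf" ] && echo "$name"
    done
    return 0
}

# Back up the search head configuration with the article's tar flags
# (-c create, -p preserve permissions, -z gzip, -f archive name) and verify
# that the archive can be listed, so the restore path is not a surprise later.
backup_search_head() {
    etc_dir=$1; archive=$2
    tar -cpzf "$archive" "$etc_dir" && tar -tzf "$archive" >/dev/null
}

# Record the upgrade start time (UTC) so post-upgrade errors in index=_internal
# can be compared against the pre-upgrade baseline.
record_upgrade_start() {
    date -u +%Y-%m-%dT%H:%M:%SZ | tee "$1"
}

# Run the checks in order; aborts before touching anything if /tmp is too small.
run_preupgrade_checks() {
    splunk_home=$1; backup_dir=$2
    tmp_has_free_space /tmp 3 || { echo "less than 3 GB free in /tmp" >&2; return 1; }
    echo "apps holding detections outside DA-ESS-*/SA-*:"
    list_custom_detection_apps "$splunk_home/etc"
    mkdir -p "$backup_dir" || return 1
    backup_search_head "$splunk_home/etc" "$backup_dir/sh-backup.tar.gz" || return 1
    record_upgrade_start "$backup_dir/upgrade-start.txt"
}
```

Invoke it as `run_preupgrade_checks /opt/splunk /backup_dir` on the ES search head; the KV store backup (./splunk backup kvstore) is still run separately as shown above.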