Preparing to upgrade from 9.x to the upcoming release of Splunk Enterprise and Cloud Platform
This article is for Splunk platform 9.x customers and provides an ongoing summary of the breaking changes that we at Splunk anticipate in upcoming releases of Splunk Enterprise and Splunk Cloud Platform. We have included detailed information about the nature of these changes, affected customers, and mitigation strategies. The objective is to inform you about these upcoming changes and provide the necessary information to plan and act promptly.
While there are no specific upgrade timelines yet, timely action will help minimize disruptions and maintain optimal performance. We will update this page to serve as a definitive reference for Splunk administrators and application developers regarding breaking changes in the upcoming update, and will provide specific release dates of the next Splunk platform upgrade as soon as they are available. Stay informed on developments here to ensure a smooth transition.
If your operations require compliance with the Federal Information Processing Standard (FIPS), this article is particularly important to ensure that you meet all compliance requirements and maintain a FIPS-compliant environment. All customers who operate a Splunk Enterprise FIPS compliant environment will have until March 8, 2026, to complete the upgrade to the next Splunk Enterprise version to remain compliant with FIPS.
Sign up for the next Splunk Enterprise beta to ensure your environment and applications are compatible and prepared to upgrade. Refer to this previous communication for details.
The Splunk Health Assistant Add-On
The Splunk Health Assistant Add-On supplements the Splunk Enterprise Monitoring Console with new validations through Splunkbase. Customers can update the validation logic delivered through the Splunk Enterprise Monitoring Console before updating their Splunk Enterprise deployments. This lets Splunk release new validation logic between Splunk platform releases that is tailored to identifying issues that might arise during updates to the Splunk platform.
When new versions of the Splunk Health Assistant Add-on are published to Splunkbase, the Splunk Enterprise Monitoring Console will notify customers automatically. Updating the Splunk Health Assistant Add-on does not require a restart.
Splunk Cloud Platform customers will have access to a subset of these validations relevant to the Splunk Cloud Platform via the Splunk Cloud Platform Monitoring Console. Installation of these checks happens automatically, and customers do not need to restart their deployments.
The new validations delivered to the Splunk Enterprise Monitoring Console and Splunk Cloud Platform Monitoring Console relate to issues that customers should proactively investigate before starting a Splunk platform update. Each new validation includes remediation steps that customers can take before starting their Splunk platform upgrade process. Where possible, customers should carefully review these results and take action early to ensure a smooth update process.
Dependency Upgrades
OpenSSL library version update
- Summary: The OpenSSL library that ships with Splunk Enterprise and Splunk Cloud Platform will be updated from version 1.0.2 to 3.0.
- Affected customers: Splunk Enterprise and Splunk Cloud Platform customers who use apps that are implemented in Python and that directly interact with low-level APIs in the OpenSSL library.
- Issue detection and mitigation: Python code with a direct dependency on deprecated low-level APIs that are present in OpenSSL 1.0.2 might experience failures especially in FIPS mode after upgrading to the next Splunk Enterprise update, as some of the APIs are not FIPS-compliant in OpenSSL 3.0. Apps with a direct dependency on OpenSSL APIs should be updated to use supported APIs of OpenSSL 3.0.
Python runtime environment version update and removal of support of older versions
- Summary: The Python runtime environment that ships with Splunk Enterprise and Splunk Cloud Platform will be updated from version 3.7 to 3.9. Additionally, support for older versions of Python, including versions 2.7 and 3.7, will be removed. Apps that are implemented in Python must be compatible with Python 3.9.
- Affected customers: Splunk Enterprise customers who use apps that are dependent on Python 2.7 or Python 3.7.
- Issue detection and mitigation: While the Splunk platform logs failures that arise from Python scripts to the _internal index from the python.log source, do not rely on this alone. Ensure that any mission-critical apps that you use have been tested to work with Python v3.9. Configure your Splunk platform instance to force usage of Python v3.9 for app code by editing the server.conf configuration file and, in the [general] stanza, set python.version=force_python3. This option is available to customers who use Splunk Enterprise version 9.2 and higher. Then, thoroughly review that the functionality in mission-critical apps behaves as you expect.
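As a first pass before the functional testing described above, the following added example (not Splunk's own tooling and not part of the original article) checks app Python source for Python 2 syntax and for imports of modules that exist only in Python 2. The module list is a partial, assumed selection, the sample sources are constructed, and the check uses whichever Python 3 interpreter runs it, so it does not catch behavioral differences.

```python
import ast

# Partial, assumed list of Python 2 standard-library modules that are gone in Python 3.
PY2_ONLY_MODULES = {"urllib2", "urlparse", "ConfigParser", "StringIO",
                    "cStringIO", "cPickle", "httplib", "Queue", "commands"}

def check_source(source, filename="<app script>"):
    """Return sorted (line, problem) tuples for one Python source string."""
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        # Python 2 syntax such as the print statement or "except X, e" fails here.
        return [(exc.lineno, "syntax error under Python 3: " + exc.msg)]
    problems = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            names = [node.module or ""]
        else:
            continue
        for name in names:
            top = name.split(".")[0]
            if top in PY2_ONLY_MODULES:
                problems.append((node.lineno, "Python 2-only module: " + top))
    return sorted(problems)

# Constructed sample sources standing in for files under an app's bin/ directory.
SAMPLE_PY2 = 'import sys\nprint "indexing started"\n'
SAMPLE_MIXED = 'import json\nimport urllib2\nfrom StringIO import StringIO\n'
SAMPLE_OK = 'import urllib.request\nprint("ok")\n'

if __name__ == "__main__":
    for label, src in (("py2", SAMPLE_PY2), ("mixed", SAMPLE_MIXED), ("ok", SAMPLE_OK)):
        print(label, check_source(src))
```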
Node.js JavaScript runtime environment version update
- Summary: The Node.js runtime environment that ships with Splunk Enterprise and Splunk Cloud Platform will be updated from version 8 to version 20. Apps that run backend JavaScript code that uses Node.js must be compatible with version 20.18.2 and higher.
- Affected customers: Splunk Enterprise or Splunk Cloud Platform customers who use Splunk apps that run backend JavaScript using the Node.js runtime.
- Issue detection and mitigation: Ensure any apps that leverage Node.js are compatible with version 20 of this runtime.
Security
Certificate Authority (CA) certificate is required due to OpenSSL3
- Summary: Splunk software will require that all CA certificates include the X509v3 Basic Constraints extension with a CA:TRUE value, due to OpenSSL3 requirements.
- Affected customers: All customers who use either:
- Splunk Enterprise, or
- Splunk Cloud Platform including customer managed
- Forwarders (universal or heavy), or
- Federated Search nodes.
- Issue detection and mitigation: Customers must reissue any CA certificate in use by their Splunk software that does not include CA:TRUE in the X509v3 Basic Constraints section, so that the new certificate has this configuration.
TLS network security protocol version 1.2 or higher is required
- Summary: Any app or system configurations that define transport layer security (TLS) or Secure Sockets Layer (SSL) protocol versions must only use TLS version 1.2. The next version of the Splunk platform will still support TLS 1.0 and TLS 1.1, even though those versions have been deprecated for over 5 years, but if your Splunk software runs in FIPS mode, these protocols are specifically disabled.
- Affected customers: Customers who run Splunk software in FIPS mode must take action on deprecated protocol usage. All other Splunk Enterprise and Splunk Cloud Platform customers, and all Splunk app developers that rely on deprecated TLS/SSL protocols, should take proactive action on deprecated protocol usage.
- Issue detection and mitigation: For Splunk Enterprise customers, usage of deprecated network security protocols will be flagged by the new checks that come in the Splunk Enterprise Monitoring Console through the Splunk Health Assistant Add-on. On Splunk Cloud Platform, the Cloud Monitoring Console provides these alerts. Migrate all network security configurations to TLS v1.2 only.
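An added example (not Splunk's own tooling and not part of the original article) of auditing configuration text for the deprecated protocols discussed above: it resolves each protocol-version expression to the set of protocols it enables and reports any setting that still allows something older than TLS 1.2. The setting names sslVersions and sslVersionsForClient do not appear on this page, the left-to-right handling of "-" entries is an assumption, and the sample configuration is constructed.

```python
# Added example: flag Splunk .conf settings that still enable pre-TLS 1.2 protocols.
PROTOCOLS = ("ssl3", "tls1.0", "tls1.1", "tls1.2")
DEPRECATED = {"ssl3", "tls1.0", "tls1.1"}
KEYS = {"sslVersions", "sslVersionsForClient"}  # assumed setting names

def effective_versions(value):
    """Resolve a version expression to the set of protocols it enables."""
    enabled = set()
    for token in (t.strip().lower() for t in value.split(",")):
        remove, name = token.startswith("-"), token.lstrip("-")
        if name == "*":
            selected = set(PROTOCOLS)
        elif name == "tls":
            selected = {p for p in PROTOCOLS if p.startswith("tls")}
        else:
            selected = {name} & set(PROTOCOLS)  # names such as "ssl2" select nothing
        # Assumption: entries are applied left to right.
        enabled = enabled - selected if remove else enabled | selected
    return enabled

def audit_conf(text, source):
    """Return (source, stanza, key, deprecated protocols) per explicit weak setting."""
    findings, stanza = [], "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        weak = effective_versions(value) & DEPRECATED
        if sep and key.strip() in KEYS and weak:
            findings.append((source, stanza, key.strip(), sorted(weak)))
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_SERVER_CONF = """[sslConfig]
sslVersions = tls1.2
sslVersionsForClient = *,-ssl2
"""
SAMPLE_INPUTS_CONF = """[SSL]
sslVersions = tls, -tls1.0
"""

if __name__ == "__main__":
    for name, text in (("server.conf", SAMPLE_SERVER_CONF), ("inputs.conf", SAMPLE_INPUTS_CONF)):
        for finding in audit_conf(text, name):
            print(finding)
```

Only explicitly configured values are reported; a setting that is absent falls back to the product default and needs to be checked separately.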
Extended Master Secret requirement for FIPS 140-3
- Summary: FIPS publication #140-3 enforces Extended Master Secret (EMS), a TLS security feature that ensures unique session keys for every connection. OpenSSL version 1 and FIPS publication # 140-2 modules do not support EMS. This means that all nodes in a Splunk platform deployment – including forwarders, search heads, indexers, management nodes, and Federated Search components – in deployments where FIPS mode is turned on, must be updated to the next version of the Splunk platform and be configured to use FIPS 140-3 mode. Splunk will publish a detailed upgrade guide to document this process.
- Affected customers: Customers who use the Splunk platform in FIPS-compliant environments.
- Issue detection and mitigation:
- Splunk Enterprise customers whose environments are FIPS-compliant should first upgrade to the next version of the Splunk platform that has support for both FIPS 140-2 and 140-3. Carefully follow the upgrade guide when it becomes available.
- Splunk Cloud Platform FedRAMP customers should contact Splunk Support to coordinate the upgrade of all search heads and indexers that are part of their Splunk Cloud Platform deployment to the next version of the Splunk Cloud Platform with FIPS 140-2, followed by the customer updating all forwarders to the next version of the Splunk platform with FIPS 140-2. After completing these steps, customers need to contact Splunk Support again to enable FIPS 140-3 on all Splunk Cloud Platform components while the customer updates all customer-managed components to FIPS 140-3.
Deprecation and Removals
Hadoop Data-Roll turned off by default
- Impacted feature: The Hadoop Data Roll index bucket data archiving service has been deprecated in Splunk Enterprise 9.4 and will no longer be supported in the Splunk platform.
- Affected customers: Splunk Enterprise customers that currently use Hadoop Data Roll.
- Issue detection and mitigation: Customers that use Hadoop Data Roll will need to migrate off, or stay on Splunk Enterprise 9.4 and lower. Learn more about other indexed data archiving options here.
Unsafe v1 search APIs turned off by default
- Impacted feature: Any apps or scripts that are dependent on v1 of the Splunk Search API.
- Affected customers: Splunk Enterprise and Splunk Cloud Platform customers, especially those using older versions of Splunk Machine Learning Toolkit (MLTK) or Splunk App for SOAR Export (SASE) or with custom or third-party apps that leverage v1 of the Search API. Supported versions of those apps are MLTK v5.5 and higher and SASE v4.3.13 and higher.
- Known issues: Forthcoming updates to the Splunk Enterprise Security and Splunk ITSI apps will be required for compatibility with the v2 Search API. Customers who are migrating to the next Splunk Enterprise version before installing these app updates must revert the v1APIBlockGETSearchLaunch setting in the restmap.conf configuration file to false to maintain compatibility. This is recommended as a short-term workaround only until such time as Splunk Enterprise Security and Splunk ITSI updates are possible.
- Issue detection and mitigation: Splunk will deliver readiness checks to the Splunk Enterprise Monitoring Console through the Splunk Health Assistant Add-on. The add-on identifies when apps make calls to unsupported versions of the Search API. Splunk Cloud Platform customers will receive the same functionality through the Splunk Cloud Monitoring Console. Customers should take the following actions before updating their Splunk platform deployment to the next platform version:
- Update any of the apps identified earlier in this section to the latest available version.
- View documentation for instructions on how to locate the source of any remaining deprecated REST calls.
- Update the v1APIBlockGETSearchLaunch setting in the [global] stanza of the restmap.conf file to true. Then, ensure apps continue to behave as you expect. Update any apps that experience problems to leverage the corresponding v2 Search API endpoints.
The latest Splunk SDK versions include the previously described changes for apps that use supported Splunk SDKs such as Python, Java, and JavaScript.
Compliance Changes
MongoDB upgrade for OpenSSL support
- Impacted feature: Splunk is updating MongoDB, the database engine for the KV Store service, from version 4.2 to 7.0, to align with OpenSSL v3.0 and FIPS 140-3 compliance requirements.
- Affected customers: Customers who run a FIPS-compliant version of Splunk Enterprise that runs MongoDB version 4.2.
- Issue detection and mitigation: Splunk Enterprise customers who cannot upgrade to a version that runs MongoDB version 7.0 should continue to use FIPS 140-2 mode to stay compliant with FIPS. After customers have upgraded to the next Splunk Enterprise release, they can follow the FIPS 140-3 upgrade guide to move to MongoDB version 7.0 and subsequently to FIPS 140-3 mode.