Splunk Lantern

Preparing to upgrade from 9.x to Splunk Enterprise and Cloud Platform 10.0

 

This article is for Splunk platform 9.x customers and provides an ongoing summary of the breaking changes that we at Splunk anticipate in upcoming releases of Splunk Enterprise 10.0 and Splunk Cloud Platform 10.0. We have included detailed information about the nature of these changes, affected customers, and mitigation strategies. The objective is to inform you about these upcoming changes and provide the necessary information to plan and act promptly.

While there are no specific upgrade timelines yet, timely action will help minimize disruptions and maintain optimal performance. We will update this page to serve as a definitive reference for Splunk administrators and application developers regarding breaking changes in Splunk Enterprise 10.0 and Splunk Cloud Platform 10.0, and will provide specific release dates of the next Splunk platform 10.0 upgrade as soon as they are available. Stay informed on developments here to ensure a smooth transition.

If your operations require compliance with the Federal Information Processing Standard (FIPS), this article is particularly important to ensure that you meet all compliance requirements and maintain a FIPS-compliant environment. All customers who operate a Splunk Enterprise FIPS compliant environment will have until March 8, 2026, to complete the upgrade to Splunk Enterprise 10.0 to remain compliant with FIPS.

Sign up for the next Splunk Enterprise beta to ensure your environment and applications are compatible and prepared to upgrade. Refer to this previous communication for details.

The Splunk Health Assistant Add-On

The Splunk Health Assistant Add-On supplements the Splunk Enterprise Monitoring Console with new validations through Splunkbase. Customers can update the validation logic delivered through the Splunk Enterprise Monitoring Console before updating their Splunk Enterprise deployments. This lets Splunk release new validation logic between Splunk platform releases that is tailored to identifying issues that might arise during updates to the Splunk platform.

When new versions of the Splunk Health Assistant Add-on are published to Splunkbase, the Splunk Enterprise Monitoring Console notifies customers automatically. Selecting the "Update Checks" button on the Health Checks page of the Monitoring Console applies updated checks without requiring a Splunk platform restart. Customers who run Splunk Enterprise without an active network connection can download the Splunk Health Assistant add-on from Splunkbase and follow the normal app update process.

Splunk Cloud Platform customers will have access to a subset of these validations relevant to the Splunk Cloud Platform via the Splunk Cloud Platform Monitoring Console. Installation of these checks happens automatically, and customers do not need to restart their deployments.

The new validations delivered to the Splunk Enterprise Monitoring Console and Splunk Cloud Platform Monitoring Console relate to issues that customers should proactively investigate before starting a Splunk platform update. Each new validation includes remediation steps that customers can take before starting their Splunk platform upgrade process. Where possible, customers should carefully review these results and take action early to ensure a smooth update process to Splunk platform 10.0.

Dependency Upgrades

OpenSSL library version update

  • Summary: The OpenSSL library that ships with Splunk Enterprise and Splunk Cloud Platform will be updated from version 1.0.2 to 3.0.
  • Affected customers: Splunk Enterprise and Splunk Cloud Platform customers who use apps that are implemented in Python and that directly interact with low-level APIs in the OpenSSL library.
  • Issue detection and mitigation: Python code with a direct dependency on deprecated low-level APIs that are present in OpenSSL 1.0.2 might experience failures especially in FIPS mode after upgrading to Splunk Enterprise 10.0, as some of the APIs are not FIPS-compliant in OpenSSL 3.0. Apps with a direct dependency on OpenSSL APIs should be updated to use supported APIs of OpenSSL 3.0.

Python runtime environment version update and removal of support of older versions

  • Summary: The Python runtime environment that ships with Splunk Enterprise and Splunk Cloud Platform will be updated from version 3.7 to 3.9. Additionally, support for older versions of Python, including versions 2.7 and 3.7, will be removed. Apps that are implemented in Python must be compatible with Python 3.9.
  • Affected customers: Splunk Enterprise customers who use apps that are dependent on Python 2.7 or Python 3.7.
  • Issue detection and mitigation: The Splunk platform logs failures that arise from Python scripts to the _internal index from the python.log source, but do not rely on this alone. Ensure that any mission-critical apps that you use have been tested to work with Python v3.9. Configure your Splunk platform instance to force usage of Python v3.9 for app code by editing the server.conf configuration file and, in the [general] stanza, setting python.version=force_python3. This option is available to customers who use Splunk Enterprise version 9.2 and higher. Then, thoroughly review that the functionality in mission-critical apps behaves as you expect.

Node.js JavaScript runtime environment version update

  • Summary: The Node.js runtime environment that ships with Splunk Enterprise and Splunk Cloud Platform will be updated from version 8 to version 20. Apps that run backend JavaScript code that uses Node.js must be compatible with version 20.18.2 and higher.
  • Affected customers: Splunk Enterprise or Splunk Cloud Platform customers who use Splunk apps that run backend JavaScript using the Node.js runtime.
  • Issue detection and mitigation: Ensure any apps that leverage Node.js are compatible with version 20 of this runtime.

Security

Certificate Authority (CA) certificate is required due to OpenSSL3

  • Summary: Splunk software will require that all CA certificates include the X509v3 Basic Constraints extension with a CA: TRUE value, due to OpenSSL3 requirements.
  • Affected customers: All customers who use either:
    • Splunk Enterprise, or
    • Splunk Cloud Platform including customer managed
      • Forwarders (universal or heavy), or
      • Federated Search nodes.
  • Issue detection and mitigation: Customers must reissue any CA certificate in use by their Splunk software that does not include CA: TRUE in the X509v3 Basic Constraints section, so that the new certificate carries this configuration.
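
One way to find the CA certificates that need reissuing, as an added example that is not Splunk's own tooling: a standard-library Python check that walks a certificate's DER encoding and reports the cA flag of the Basic Constraints extension (OID 2.5.29.19). The `sample_cert` skeletons are constructed, unsigned test inputs, and every function name here is hypothetical.

```python
import ssl

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER body of OID 2.5.29.19

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the body of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def ca_flag(der):
    """True/False for the cA flag; None when Basic Constraints is absent."""
    tbs = children(read_tlv(der, 0)[1])[0][1]  # Certificate -> tbsCertificate
    for tag, val in children(tbs):
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        for _, ext in children(read_tlv(val, 0)[1]):  # each Extension
            fields = children(ext)  # extnID, optional critical, extnValue
            if fields[0][1] == BASIC_CONSTRAINTS_OID:
                bc = read_tlv(fields[-1][1], 0)[1]  # OCTET STRING wraps a SEQUENCE
                return any(t == 0x01 and v != b"\x00" for t, v in children(bc))
    return None

def ca_flag_pem(pem_text):
    """Same check for a PEM-encoded certificate string."""
    return ca_flag(ssl.PEM_cert_to_DER_cert(pem_text))

def tlv(tag, *parts):
    """Minimal DER encoder, used only to build the constructed samples."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # samples stay under 128 bytes

def sample_cert(bc_body):
    """Constructed, unsigned certificate skeleton; bc_body=None omits the extension."""
    exts = b"" if bc_body is None else tlv(0xA3, tlv(0x30, tlv(0x30,
        tlv(0x06, BASIC_CONSTRAINTS_OID), tlv(0x01, b"\xff"),
        tlv(0x04, tlv(0x30, bc_body)))))
    empty = tlv(0x30)  # placeholder for fields this check never reads
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              empty, empty, empty, empty, empty, exts)
    return tlv(0x30, tbs, empty, tlv(0x03, b"\x00"))
```

A result of `False` or `None` from `ca_flag_pem` on a certificate used as a CA marks it for reissue; a PEM bundle holding several certificates has to be split into single certificates first.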

TLS network security protocol version 1.2 or higher is required 

  • Summary: Any app or system configurations that define transport layer security (TLS) or Secure Sockets Layer (SSL) protocol versions must only use TLS version 1.2. Splunk platform 10.0 will still support TLS 1.0 and TLS 1.1, even though those versions have been deprecated for over 5 years, but if your Splunk software runs in FIPS mode, these protocols are specifically disabled.
  • Affected customers: Customers who run Splunk software in FIPS mode must take action on deprecated protocol usage. All other Splunk Enterprise and Splunk Cloud Platform customers, and all Splunk app developers that rely on deprecated TLS/SSL protocols, should take proactive action on deprecated protocol usage.
  • Issue detection and mitigation: For Splunk Enterprise customers, usage of deprecated network security protocols will be flagged by the new checks that come in the Splunk Enterprise Monitoring Console through the Splunk Health Assistant Add-on. On Splunk Cloud Platform, the Cloud Monitoring Console provides these alerts. Migrate all network security configurations to TLS v1.2 only.
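
A pre-upgrade scan for configurations that still allow protocols below TLS 1.2, as an added example that is not part of the Splunk Health Assistant Add-on or any Splunk tooling. It assumes the `sslVersions` setting and its list syntax (`*` for all versions, `tls` for TLS 1.0 and newer, a `-` prefix to remove a version, tokens applied left to right) from Splunk's .conf spec files; the stanzas and values in `SAMPLE_CONF` are constructed.

```python
SUPPORTED = ("ssl3", "tls1.0", "tls1.1", "tls1.2")

def enabled_versions(value):
    """Expand an sslVersions list ("*", "tls", "-name" removals) to a set."""
    enabled = set()
    for token in (t.strip().lower() for t in value.split(",")):
        if not token:
            continue
        name = token.lstrip("-")
        if name == "*":
            group = set(SUPPORTED)
        elif name == "tls":
            group = {v for v in SUPPORTED if v.startswith("tls")}
        else:
            group = {name}
        # A leading "-" removes the group, anything else adds it.
        enabled = enabled - group if token.startswith("-") else enabled | group
    return enabled

def audit(conf_text):
    """Return (stanza, [versions below TLS 1.2]) for each offending line."""
    findings, stanza = [], "default"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, _, value = line.partition("=")
        if key.strip() == "sslVersions":
            weak = sorted(enabled_versions(value) - {"tls1.2"})
            if weak:
                findings.append((stanza, weak))
    return findings

# Constructed sample, not taken from a real deployment.
SAMPLE_CONF = """\
[sslConfig]
sslVersions = *,-ssl2

[SSL]
sslVersions = tls1.2

[tcpout:primary_indexers]
# leftover from an older hardening pass
sslVersions = tls, -tls1.0
"""
```

Run `audit` over the text of each .conf file in the deployment and in installed apps; every returned stanza needs its value changed to `tls1.2` before FIPS mode is enabled.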

Extended Master Secret requirement for FIPS 140-3

  • Summary: FIPS publication #140-3 enforces Extended Master Secret (EMS), a TLS security feature that ensures unique session keys for every connection. OpenSSL version 1 and FIPS publication #140-2 modules do not support EMS. This means that all nodes in a Splunk platform deployment – including forwarders, search heads, indexers, management nodes, and Federated Search components – in deployments where FIPS mode is turned on, must be updated to the next version of the Splunk platform and be configured to use FIPS 140-3 mode. Splunk will publish a detailed upgrade guide to document this process.
  • Affected customers: Customers who use the Splunk platform in FIPS-compliant environments.
  • Issue detection and mitigation:
    • Splunk Enterprise customers whose environments are FIPS-compliant should first upgrade to Splunk Enterprise 10.0 which has support for both FIPS 140-2 and 140-3. Carefully follow the upgrade guide when it becomes available.
    • Splunk Cloud Platform FedRAMP customers should contact Splunk Support to coordinate the upgrade of all search heads and indexers that are part of their Splunk Cloud Platform deployment to Splunk Cloud Platform 10.0 with FIPS 140-2, followed by the customer updating all forwarders to the next version of the Splunk platform with FIPS 140-2. After completing these steps, customers need to contact Splunk Support again to enable FIPS 140-3 on all Splunk Cloud Platform components while the customer updates all customer-managed components to FIPS 140-3.

Deprecation and Removals

Changes to supported CPU instruction sets 

  • Summary: Support is limited to CPUs with Advanced Vector Extensions (AVX). To upgrade to Splunk Enterprise 10.0, confirm that the computers that run the software support the following architectures:
    • Intel: Sandy Bridge or later Core processor family, with the Streaming SIMD Extensions (SSE) 4.2, AVX, and Advanced Encryption Standard – New Instructions (AES-NI) instruction sets.
    • AMD: a Bulldozer or later processor, with AVX instruction sets. 
  • Affected customers: Splunk Enterprise customers who run computers with older Intel CPUs that use the Westmere or earlier architectures (for example, the Core i3, i5, and i7, Xeon, and Pentium families) or older AMD CPUs that use the Gen 3 Bulldozer or earlier architectures (for example, the Opteron and AMD FX families). 
  • Issue detection and mitigation: Customers who run Splunk Enterprise on machines with unsupported CPUs must remain on Splunk Enterprise 9.3.x or below.

Hadoop Data Roll turned off by default

  • Summary: The Hadoop Data Roll index bucket data archiving service has been deprecated in Splunk Enterprise 9.4 and will no longer be supported in Splunk Enterprise 10.0.
  • Affected customers: Splunk Enterprise customers that currently use Hadoop Data Roll.
  • Issue detection and mitigation: Customers that use Hadoop Data Roll will need to migrate off, or stay on Splunk Enterprise 9.4 and lower. Learn more about other indexed data archiving options here.

Unsafe v1 search APIs turned off by default

  • Summary: Any apps or scripts that are dependent on v1 of the Splunk Search API.
  • Affected customers: Splunk Enterprise and Splunk Cloud Platform customers, especially those using older versions of Splunk Machine Learning Toolkit (MLTK) or Splunk App for SOAR Export (SASE) or with custom or third-party apps that leverage v1 of the Search API. Supported versions of those apps are MLTK v5.5 and higher and SASE v4.3.13 and higher.
  • Known issues: Forthcoming updates to the Splunk Enterprise Security and Splunk ITSI apps will be required for compatibility with the v2 Search API. Customers who are migrating to Splunk Enterprise 10.0 before installing these app updates must revert the v1APIBlockGETSearchLaunch setting in the restmap.conf configuration file to false to maintain compatibility. This is recommended as a short-term workaround only until such time as Splunk Enterprise Security and Splunk ITSI updates are possible.
  • Issue detection and mitigation: Splunk will deliver readiness checks to the Splunk Enterprise Monitoring Console through the Splunk Health Assistant Add-on. The add-on identifies when apps make calls to unsupported versions of the Search API. Splunk Cloud Platform customers will receive the same functionality through the Splunk Cloud Monitoring Console. Customers should take the following actions before updating their Splunk platform deployment to the next platform version:
    • Update any of the apps identified earlier in this section to the latest available version.
    • View documentation for instructions on how to locate the source of any remaining deprecated REST calls.
    • Update the v1APIBlockGETSearchLaunch setting in the [global] stanza of the restmap.conf file to true. Then, ensure apps continue to behave as you expect. Update any apps that experience problems to leverage the corresponding v2 Search API endpoints.

The latest Splunk SDK versions include the previously described changes for apps that use supported Splunk SDKs such as Python, Java, and JavaScript.

Compliance Changes

Minimum OS version requirements

  • Summary: The minimum OS versions for search heads, indexers, heavy forwarders, and management nodes of Splunk platform 10.0 will be:

    • Linux
      • Without FIPS: RHEL 8, RHEL 9, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Amazon Linux 2023, Rocky Linux / Alma Linux 8, Rocky Linux / Alma Linux 9, SLES 15 SP6, Debian 11, Debian 12, Oracle Linux 8, Oracle Linux 9
      • With FIPS 140-2: RHEL 8, RHEL 9, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Amazon Linux 2023
      • With FIPS 140-3: RHEL 9, Ubuntu 22.04, Ubuntu 24.04, Amazon Linux 2023
    • Windows
      • Without FIPS: Windows Server 2019, Windows Server 2022, Windows Server 2025
      • With FIPS 140-2: Windows Server 2019, Windows Server 2022, Windows Server 2025
      • With FIPS 140-3: Windows Server 2022, Windows Server 2025
    • OS X
      • Without FIPS: (Not supported)
      • With FIPS 140-2: (Not supported)
      • With FIPS 140-3: (Not supported)

    The minimum OS version for all universal forwarders will be:

    • Linux
      • Without FIPS: RHEL 8, RHEL 9, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Amazon Linux 2023, Rocky Linux / Alma Linux 8, Rocky Linux / Alma Linux 9, SLES 15 SP6, Debian 11, Debian 12, Oracle Linux 8, Oracle Linux 9, Solaris 11.4, FreeBSD 13, FreeBSD 14, AIX 7.2, AIX 7.3
      • With FIPS 140-2: RHEL 8, RHEL 9, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Amazon Linux 2023
      • With FIPS 140-3: RHEL 9, Ubuntu 22.04, Ubuntu 24.04, Amazon Linux 2023
    • Windows
      • Without FIPS: Windows Server 2019, Windows Server 2022, Windows Server 2025, Windows 11
      • With FIPS 140-2: Windows Server 2019, Windows Server 2022, Windows Server 2025, Windows 11
      • With FIPS 140-3: Windows Server 2022, Windows Server 2025, Windows 11
    • OS X
      • Without FIPS: MacOS 13, MacOS 14, MacOS 15
      • With FIPS 140-2: (none listed)
      • With FIPS 140-3: (none listed)

  • Affected customers: Customers who run Splunk Enterprise or self-managed forwarding tiers that send data to Splunk Cloud Platform.
  • Issue detection and mitigation: 
    • Splunk Enterprise customers must ensure their entire deployment runs on compatible OS versions for their deployment type.   
    • Splunk Cloud Platform customers must ensure that any parts of their Splunk deployment that run outside of Splunk Cloud Platform, such as self-managed forwarding tiers, run on OS versions that meet the previously described specifications.

Docker-Splunk EULA user acceptance 

  • Summary: A new required parameter is being introduced for explicit user acceptance of the Splunk General Terms licensing agreement when using the Docker-Splunk images from DockerHub to deploy Splunk Enterprise as a Docker container.
  • Affected customers: Customers installing Splunk Enterprise 10.0 from the Docker-Splunk image.
  • Issue detection and mitigation: Review the updated EULA and confirm you have accepted the terms on existing Docker-Splunk deployments. For new deployments, update the installation script to use the current acceptance command line arguments.

Splunk Operator for Kubernetes (SOK) EULA user acceptance

  • Summary: Starting with SOK version 3.0.0, which includes support for Splunk Enterprise 10.0, an additional Docker-Splunk specific parameter is required to start containers for the Docker operating system virtualization service. This is a breaking change, and user action is required. This change provides a mandatory acknowledgment mechanism for the Splunk General Terms (SGTs).
  • Affected customers: Customers who want to upgrade Splunk Operator for Kubernetes to version 3.0.0 or higher.
  • Issue detection and mitigation: By default, the SPLUNK_GENERAL_TERMS environment variable will be set to an empty string. Customers must either manually update it to have the value --accept-current-at-splunk-com in the splunk-operator-controller-manager deployment, or pass the SPLUNK_GENERAL_TERMS parameter with the required value to the make deploy command:

    make deploy IMG=docker.io/splunk/splunk-operator:<tag name> WATCH_NAMESPACE="namespace1" RELATED_IMAGE_SPLUNK_ENTERPRISE="splunk/splunk:edge" SPLUNK_GENERAL_TERMS="--accept-current-at-splunk-com"

More documentation for applying the changes will be provided with the Splunk Operator for Kubernetes 3.0.0 release. 

MongoDB upgrade for OpenSSL support

  • Summary: Splunk is updating MongoDB, the database engine for the KV Store service, from version 4.2 to 7.0, to align with OpenSSL v3.0 and FIPS 140-3 compliance requirements.
  • Affected customers: Customers who run a FIPS-compliant version of Splunk Enterprise that runs MongoDB version 4.2.
  • Issue detection and mitigation: Splunk Enterprise customers who cannot upgrade to a version that runs MongoDB version 7.0 should continue to use FIPS 140-2 mode to stay compliant with FIPS. After customers have upgraded to the Splunk Enterprise 10.0 release, they can follow the FIPS 140-3 upgrade guide to move to MongoDB version 7.0 and subsequently to FIPS 140-3 mode.