Read this first before upgrading to 3.1.x

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4

If you are upgrading from 3.0.x to 3.1, there are no special instructions.


If you are upgrading from 2.x to 3.1.x, you must perform some additional steps to manually re-implement some of your 2.2.3 and earlier configurations using 3.0 methods.


The following describes some major changes in 3.1.x that you should understand prior to beginning the upgrade.


Form search

Search strings can now contain variables that are rendered as form elements in SplunkWeb. When used with saved searches, you can search efficiently without knowing the details of the search language. Form search simplifies searching by asking you to input exactly the parameters you are looking for, instead of a complete and potentially complex search.


Search language simplification

As a result of ongoing simplification of the search language, you can now use equal signs where double colons were required. In prior releases, search field syntax required a double colon but extracted field syntax required an equal sign. For example, host::splunker was used for the host search field and myfield=value was used for the extracted field myfield. Now, you can use equal signs when performing searches in both search and extracted fields.


  • For example: key::value pairs are expressed as field="value" or field=value.
  • When searching literally for a key=value pair, you must place quotes around the literal expression of the key value pair.
"key=value" | top Search
  • A bug with time-based search modifiers in saved searches occurs because of the implementation of the search language simplification. See the 3.1 Known Issues page under "search and navigation" for details.

Archiving

With the introduction of enhanced archiving and the export command, you can now archive your Splunk data based on time and size, which is critical for the large, long-term data storage needs common with compliance mandates. Archived data can be easily restored into Splunk for historical searches, and you can now export Splunk-gathered data to put it anywhere. See the 3.1 changelog for links to the new commands and features.

Revision: 207