Kick-Start Your Splunk Software Upgrade with a Few Best Practices


(This post was updated June 28th, 2021)

A big multi-national company upgraded their large clustered Splunk Enterprise and Splunk Enterprise Security (ES) deployment. Their environment has a 5-member search head cluster, nearly 20,000 forwarders on 14 different versions, and almost 400 heavy forwarders on five different versions across seven different business units. 

And it all went off without a hitch.

OK, there were a few hitches—for example, they wish they'd notified their user communities better about the maintenance window so they didn't get support calls during the upgrade. But the upgrade itself went smoothly, and they had their environment back up and running with new features well within their planned maintenance window. 

So what made their upgrade go so well? In a word, planning.

The Splunk Best Practices team drew from this customer's success to develop some upgrade planning tools to get your upgrade started on the right foot. Based on feedback from many upgrades, we focused on three questions:

  1. What works with what? 
  2. How do I avoid common pitfalls? 
  3. What order do I do things in? 

Version Compatibility: What Works with What? 

During upgrade planning, one of the first things to check is the compatibility of your Splunk premium apps and forwarders with your Splunk Enterprise destination version. To make it super easy, we created the Splunk Versions Compatibility Matrix on Splunk Docs—a single place where you can look up what versions work together without having to search through multiple different doc sets. 

The Splunk Versions Compatibility Matrix is easy to find right from the Splunk Docs home page under Best Practices. 

Avoiding Pitfalls: What Are Considerations That Affect an Upgrade? 

We partnered with Splunk Professional Services to get a handle on areas where people often struggle with upgrades. Luckily, these things are all covered in the documentation. With the Docs team, we took it a step further to clarify where these considerations come into play and how they affect the upgrade. For example:

  1. Changes that can potentially break Splunk Enterprise installations
  2. Occurrences that appear as problems but are normal
  3. Considerations for changed or removed features
  4. Considerations for new features 

You will find all these considerations listed in the topic "About Upgrading READ THIS FIRST" in the Splunk Enterprise Installation Manual.

Where to Start: What is the Order of Operations for a Splunk Upgrade? 

That question inspired the General Process to Upgrade Splunk Enterprise diagram that we posted on Splunk Answers to give you a high-level overview of how to plan and execute a Splunk Enterprise upgrade. The graphic includes where apps and add-ons fit in, when to upgrade forwarders, and links to documentation topics that explain what to do. Follow this post for updates and join in the conversation! 

This general process works for all Splunk Validated Architectures—just skip the components that aren't relevant to your deployment.

If All Else Fails: Where Can I Go for Help? 

Another best practice is to check in with your Customer Success Manager or your Splunk account team to have them validate your upgrade plan and help you fine-tune it. For hands-on upgrade planning and implementation services, contact Splunk Professional Services or request a technical partner through OnDemand Services.
