Is it possible to directly upgrade from Enterprise 6.2 to 6.5.2?

rbathla
New Member

Hi Team,

We are planning a Splunk Enterprise upgrade from v6.2 to v6.5.2 on Linux.

While going through the documentation, I have a few queries:

  1. Our current version is 6.2. Can we directly upgrade to version 6.5.2 or do we have to follow any path?
  2. Is an indexer of v6.5.2 backward compatible with a forwarder of v4.2? I am asking this as this will help me get the Splunk server (with indexer) upgraded quickly, and I will buy some time to upgrade all the forwarders in the next couple of weeks.
  3. During installation, will server auto-detect the current licensing?
  4. Our installation is a single instance deployment. How much time roughly can this upgrade take?
  5. Is there any other limitation/constraint I need to be aware during this upgrade?
0 Karma
1 Solution

esix_splunk
Splunk Employee

I'll give a quick answer to this. Yes, you can do a direct upgrade. Since you are running a single instance, this is very straightforward and simple. Just upgrade.

Is indexer of v6.5.2 backward compatible to forwarder of v4.2? I am asking this as this will help me getting Splunk server (with indexer) upgraded quickly and I will buy some time to upgrade all the forwarders in couple of next weeks.

Forwarders are independent of the indexers in regards to server compatibility. However, functionality will be limited by the version of forwarder in use.

During installation, will server auto-detect the current licensing?

It will upgrade with the in place license.

Our installation is a single instance deployment. How much time roughly can this upgrade take?

Depends on how much data you have indexed on disk. Bucket structure hasn't changed in 6 releases at all. So I would assume an upgrade play should run no longer than 10 minutes on a single instance. If you have terabytes of indexed data on disk, this could take longer and bucket manifests are validated on startup...

Is there any other limitation/constraint I need to be aware during this upgrade?

Indexing will be stopped...

rbathla
New Member

Appreciate a quick response!!

Is there any other limitation/constraint I need to be aware during this upgrade?
Indexing will be stopped...

Just to clarify, does it mean indexing will be stopped only during the upgrade? Post Splunk upgrade to v6.5 and restart, will it still be able to catch up with the data? It does not need the forwarders to be upgraded before it starts indexing and catching up?

0 Karma

esix_splunk
Splunk Employee

Correct, once restarted, indexing will be open to continue ingesting from the forwarders. There is no need to upgrade forwarders.

0 Karma

rbathla
New Member

Thanks!!

Another question I have about upgrade is:

We have Splunk Enterprise 6.2 installed on a Linux server. During installation, it was installed with user "splunk". Further, while starting the Splunk server, it was done using user "root".

Directories and files under $Splunk_home$, e.g. bin, lib etc., are created with the "splunk" user and have permissions of 755.
Now, DB files under the directory and sub-directories of $Splunk_home$/var/lib/splunk are created with the "root" user and have permissions of 755.

I am not sure what is the best user to use to do the upgrade to 6.5.2, because both the "root" and "splunk" users will face issues while writing to the files as there is a mixture.

Is there any solution you can suggest on this?

0 Karma

esix_splunk
Splunk Employee

So this is common when you have users not using service splunk restart/start/stop. I see it in the field somewhat frequently.

Your remediation here is to stop Splunk as root, and make sure all the processes are killed. Then

chown -R splunk:splunk /opt/splunk

Then you can run your upgrade plays, typically as the splunk user and start.

0 Karma
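
A read-only pre-check for the mixed-ownership situation described in the posts above, as an added example that is not part of the original thread or of Splunk's own tooling. The /opt/splunk path and the "splunk" user come from the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Splunk install tree for mixed file ownership
# before running chown or an upgrade. Nothing here modifies any file.
# Defaults (/opt/splunk, user "splunk") are assumptions from the thread.

# Print every path under DIR that is NOT owned by OWNER (name or numeric uid).
list_foreign_owned() {
    dir=$1; owner=$2
    find "$dir" ! -user "$owner" -print 2>/dev/null
}

# Count those paths (paths containing newlines would be over-counted).
count_foreign_owned() {
    list_foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# Read "USER COMMAND" lines on stdin (e.g. from: ps -eo user=,comm=)
# and print the distinct users that are running splunkd.
splunkd_users() {
    awk '$2 == "splunkd" { print $1 }' | sort -u
}

# Exit status: 0 = uniform ownership, 1 = mixed ownership, 2 = bad directory.
audit_splunk_home() {
    dir=${1:-/opt/splunk}; owner=${2:-splunk}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    n=$(count_foreign_owned "$dir" "$owner")
    if [ "$n" -eq 0 ]; then
        echo "OK: everything under $dir is owned by $owner"
        return 0
    fi
    echo "WARN: $n paths under $dir are not owned by $owner, for example:"
    list_foreign_owned "$dir" "$owner" | head -n 5 | sed 's/^/  /'
    return 1
}

# Typical use on the Splunk host:
#   ps -eo user=,comm= | splunkd_users     # should print only "splunk"
#   audit_splunk_home /opt/splunk splunk   # should report OK after the chown
```

Running the audit again after the chown and after the first restart confirms that no new root-owned files have appeared under var/lib/splunk.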

rbathla
New Member

This is great.

Do you suggest that after changing the ownership, I start the server as the "splunk" user? This way, it will not have a mixture of files from two different users. Or is there any constraint that start can happen only with the root user?

Can I do it now before the upgrade so that I do not have to worry about this issue on Thursday when Splunk enterprise upgrade is planned?

0 Karma

aaraneta_splunk
Splunk Employee

@rbathla - If esix provided an answer to your original question, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

esix_splunk
Splunk Employee

Change it before you do the upgrade. That way you don't have any permissions-related issues.

To keep it from happening, educate your admins on the proper way to start and stop services in Linux.

0 Karma