Splunk Enterprise Security

ES Upgrade 4.7.1 to 5.2.0 (customized .xml, .json files functionality)

santosh_scb
Path Finder

Hi Team,

We are performing a Splunk ES upgrade from 4.7.1 to 5.2.0.
Post upgrade, I have a few .xml and .json files that need to be mapped to ES 5.2.0.
For example, we have customized correlation_search_edit.xml in ES 4.7.1 and it was modified.
Now that correlation_search_edit.xml has been changed in ES 5.2.0, do I need to manually merge the above customized .xml changes after upgrading ES to 5.2.0, or can I just keep the local directory as it is after the upgrade from ES 4.7.1 to ES 5.2.0? I hope you understood my query.
Currently, I am not facing any issues, but I was wondering whether it impacts the GUI display if I don't manually merge the correlation_search_edit.xml file post upgrade.

Similar customizations have been done for some .json objects as well (Domain_Analysis.json, Incident_Management.json, Risk.json, Application_State.json, Authentication.json...). So for all these customizations, do I need to manually merge post upgrade to ES 5.2.0?

We are performing the PROD ES upgrade, and post upgrade I need to be sure that all dashboards and data models are running without any issues.
Regards, Santosh

0 Karma

jawaharas
Motivator

You should refer to this document: Planning an upgrade of Splunk Enterprise Security.

  • The upgrade inherits any configuration changes and files saved in the app /local and /lookups paths.
  • The upgrade maintains local changes to the menu navigation.
0 Karma
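Because a view or data model file kept under an app's local directory is used in place of the shipped copy with the same path under default, the overrides worth a manual review after the upgrade are the ones whose shipped file changed between versions. The following is an added example, not part of the thread and not Splunk's own tooling: it assumes a pre-upgrade backup copy of the app directory exists, the function names are hypothetical, and the sample files it builds are constructed.

```python
import filecmp
import tempfile
from pathlib import Path

def overrides_needing_review(old_app, new_app, suffixes=(".xml", ".json")):
    """Return sorted relative paths of local/ files whose shipped default/ copy changed in the upgrade."""
    old_app, new_app = Path(old_app), Path(new_app)
    flagged = []
    for local_file in (new_app / "local").rglob("*"):
        if not local_file.is_file() or local_file.suffix.lower() not in suffixes:
            continue
        rel = local_file.relative_to(new_app / "local")
        new_default = new_app / "default" / rel
        old_default = old_app / "default" / rel
        if not new_default.is_file():
            continue  # no shipped counterpart, so nothing is shadowed
        # Flag when the shipped file is new or its bytes differ from the pre-upgrade copy.
        if not old_default.is_file() or not filecmp.cmp(old_default, new_default, shallow=False):
            flagged.append(rel.as_posix())
    return sorted(flagged)

def build_sample(root):
    """Constructed sample: one view whose default changed, one data model whose default did not."""
    root = Path(root)
    files = {
        "old/default/data/ui/views/correlation_search_edit.xml": "<form version='old'/>",
        "new/default/data/ui/views/correlation_search_edit.xml": "<form version='new'/>",
        "new/local/data/ui/views/correlation_search_edit.xml": "<form version='old' custom='1'/>",
        "old/default/data/models/Risk.json": '{"modelName": "Risk"}',
        "new/default/data/models/Risk.json": '{"modelName": "Risk"}',
        "new/local/data/models/Risk.json": '{"modelName": "Risk", "custom": true}',
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root / "old", root / "new"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        old_app, new_app = build_sample(tmp)
        for rel in overrides_needing_review(old_app, new_app):
            print("review local override:", rel)
```

Each path it reports is a local customization that still shadows a default the upgrade replaced, so those are the files to diff by hand against the new shipped version.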

jawaharas
Motivator

@santosh_scb
If my answer helped you, please accept and/or upvote it!

0 Karma