Upgrade Splunk Enterprise from 6.5.x to 7.2.x

Upgrading Splunk Enterprise from 6.5.x to 7.2.x is relatively easy and straightforward, but one thing to be cautious about is that there is no approach of downgrading to previous version once upgraded. Taking backup and having a restore plan does suffice instead of downgrading. We really don’t need to upgrade Universal Forwarders (UF) at the same time when upgrading Enterprise if they are compatible with newly upgraded Splunk Enterprise.

No alt text provided for this image

Below are the list of things to be sure before upgrading.

  1. Browsing through Splunk documentation is daunting, but read the Splunk Document before upgrading.
  2. Check Splunk Base to make sure that your apps are compatible with Splunk Enterprise version 7.2.x
  3. Is your environment is “Distributed Search” or “Indexer cluster
  4. Make sure your file system is minimum of ext3
"file -sL /dev/xv*"
  1. Check your universal Forwarder upgrade compatibility from the above picture.

Actual Upgrade Steps

In my case, we have Indexer Cluster (2 indexes are clustered with one search head and one master) and they are deployed on 4 AWS EC2 Linux instances.

  1. Take an AMI Snapshot of each EC2 Machine (to restore complete instance if upgrade fails).
  2. Take backup of /opt/splunk from all 4 EC2 Machines (easy way to restore if upgrade fails).
  3. Shutdown Splunk in all EC2 instances.
$SPLUNK_HOME/bin/splunk stop

4. Download Latest version of Splunk 7.2.x (tar file)


5. Extract the tar file in /opt in all 4 ec2 instances (2 indexers, one search head and one mater). This overwrites and replaces matching files but does not remove unique configuration files.

tar xzf splunk-7.x.x-<version-info>.tgz -C /opt

6. Start Splunk in all 4 ec2 instances

$SPLUNK_HOME/bin/splunk start --accept-license --answer-yes

You can find all migrated/upgraded information in the logfile.


Once Enterprise is upgraded, you can follow same steps to upgrade UF.

Leave a Reply

No comments to display
Be the first to comment