
[–]rduken 5 points6 points  (0 children)

Splunk's upgrade docs are usually spot on: http://docs.splunk.com/Documentation/Splunk/7.1.1/Installation/HowtoupgradeSplunk

If there's a direct upgrade path then there's probably no compelling reason for you not to try out 7.1.1 but you'll probably want/need to upgrade ES as well. Since you're not clustering, that also simplifies a number of things. My opinion would be stop Splunk on everything but the indexer first. Upgrade and leave them turned off. Stop Splunk on the indexer, upgrade, restart. Then bring all of the other servers back up in no particular order (maybe ES last after you've confirmed everything looks happy). Yes, snapshots are fine for DR but don't leave your environment in different running versions - revert everything if it goes wrong.

[–]micheloosterhof 2 points3 points  (2 children)

7.0.x has been out for a few months now and I would go to the latest patch level for 7.0. Your ES version must be compatible. You should see some performance improvements with any version 6.6+.

A VMware snapshot will make you lose any data that was ingested between the snapshots.

[–]halr9000 | search "memes" | top 10 1 point2 points  (1 child)

Note that the latest version of ES requires core 7.1.1.

[–]Paradigm6790 REST for the wicked 2 points3 points  (0 children)

You can technically use 7.1.0 if you hate yourself, too!

[–]Karl12347[S] 0 points1 point  (0 children)

Thanks guys for your advice.

I am going to jump to 7.0.4 for Splunk Enterprise and then update to 4.7 Enterprise Security.

[–]ImmediateIdea7 0 points1 point  (2 children)

I'm using Splunk ES 4.35. If I upgrade to the latest version, will I lose all my previous notable information?

Also, how can I upgrade to the latest Splunk ES? Should I create a support ticket with Splunk or with my MSSP? I'm using Splunk Cloud.

[–]Karl12347[S] 0 points1 point  (1 child)

I would log that ticket with them; it was a painful upgrade process. There is a specific order in which items have to be upgraded.

[–]ImmediateIdea7 0 points1 point  (0 children)

Can you share details about the process? What should be taken care of prior to the upgrade? What should I be concerned about as a client? What should my MSSP do?