Satisnet Ltd, Basepoint Innovation Centre, 110 Butterfield Great Marlings, Luton, Bedfordshire, LU2 8DL enquiry@satisnet.co.uk
+44 (0) 1582 434320

New Features and Upgrading Tips for Splunk (7.1)

Splunk Enterprise 7.1 is the latest release available to all Splunk users. In this post I cover a few of the new features, known issues, fixed issues and upgrading tips for the new version.

New Look

Splunk now has a new UI that gives apps a modern look, with a lighter, flatter design. See below how the Search app looks in the new UI compared with the old one:

New Features

  1. SplunkWeb user interface update – Significant visual updates to Splunk Web, the interactive graphical user interface in Splunk software.
  2. Upgrade indexer clusters and search head clusters with minimal search disruption – See the cluster upgrade topics in the Splunk documentation.
  3. Mandatory admin password – The admin user must specify a non-default password when installing Splunk Enterprise. See the updated installation procedures for your platform in the Installation Manual.
  4. Users – Admins can configure user lockout after a specified number of failed login attempts and can set custom requirements for password length, complexity, and expiration. See Configure a Splunk password policy in Securing Splunk Enterprise.
  5. Metrics – Improvements in metrics storage and query. See mstats in the Search Reference.
  6. Diag UI – Ability to generate diagnostic files for customer support from Splunk Web, for specific nodes or an entire deployment. See Generate a diagnostic file in the Troubleshooting Manual.
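The password policy feature above is driven by the [splunk_auth] stanza of authentication.conf. The stanza below is an added example for this post, not configuration from the original page or from Splunk; the setting names are taken from authentication.conf.spec and the values are one reasonable hardening baseline, not Splunk's recommendation. Check the names against the spec file shipped with your own version before applying it.

```ini
# $SPLUNK_HOME/etc/system/local/authentication.conf
# (or the local/ directory of an app, pushed through the deployer on a search head cluster)
# Added example: names from authentication.conf.spec, values chosen for this post.

[splunk_auth]
# Complexity: minimum length plus at least one of each character class
minPasswordLength = 14
minPasswordUppercase = 1
minPasswordLowercase = 1
minPasswordDigit = 1
minPasswordSpecial = 1

# Expiration and reuse: rotate every 90 days, remember the last 12 passwords
expirePasswordDays = 90
enablePasswordHistory = true
passwordHistoryCount = 12

# Lockout: 5 failed attempts within 5 minutes locks the account for 30 minutes
lockoutUsers = true
lockoutAttempts = 5
lockoutThresholdMins = 5
lockoutMins = 30
```

The policy only governs accounts in Splunk's native authentication; users coming in through LDAP or SAML are subject to the identity provider's policy instead. Test the lockout values against your own monitoring and automation accounts first, since a scripted client that retries with a stale password will lock itself out.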

Known Issues

  1. The dashboard time range picker's selected state does not correctly display certain ranges.
  2. After installing Splunk on Windows using msiexec with the "GENRANDOMPASSWORD=1" option, admin is unable to log in and gets the message "No users exist. Please set up a new user."
    Workaround:
    Create $SPLUNK_HOME/etc/system/local/user-seed.conf with the following contents (USERNAME defaults to admin) and restart Splunk:
    [user_info]
    PASSWORD = <yourpassword>
    The password sits in cleartext in this file, so delete it once you have confirmed that the admin login works.
  3. Enabling/disabling acceleration for a data model creates an unnecessary copy of the data model JSON in <appname>/local/data/models/<model>.json

Fixed Issues

Found here: https://docs.splunk.com/Documentation/Splunk/7.1.0/ReleaseNotes/Fixedissues

Upgrade Tips

  1. Always check the current version of every instance before you start.
  2. Check the installed apps for compatibility with the version you are looking to upgrade to.
  3. Test the installed apps on an upgraded test instance before touching production.
  4. Check whether your indexers are installed as a cluster. The upgrade procedure differs when this is the case.
  5. Downtime – If you can have downtime, upgrade all peers (indexers) in a cluster at the same time.
  6. No downtime – If you cannot have downtime, upgrade the peers one at a time.
  7. Remember that the cluster master needs to be upgraded first and put into maintenance mode before the peers are upgraded.
    Run splunk enable maintenance-mode on the master. To confirm that the master is in maintenance mode, run splunk show maintenance-mode. This step prevents unnecessary bucket fix-ups. Run splunk disable maintenance-mode once all the peers are upgraded. See Use maintenance mode.
  8. Universal Forwarders do not always need to be upgraded (check the compatibility matrix on the Splunk site). Indexers must be at the same or a later version than the forwarders sending to them, so if you do upgrade forwarders, upgrade them last.
  9. The order that works for me is as follows:
    1. Cluster Master
    2. Search Heads
    3. Deployer(s)
    4. Indexers
    5. Heavy Forwarders
    6. Deployment Server
    7. Universal Forwarders (optional)
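Tips 1, 2 and 9 come down to one rule that must hold at every step of the sequence: search heads are never older than the indexers, and indexers are never older than the forwarders. The script below is an added example for this post, not Splunk tooling. It reads the $SPLUNK_HOME/etc/splunk.version file that every Splunk install writes (KEY=VALUE lines such as VERSION=7.1.0), builds an inventory and flags any pair that breaks the rule. How you collect the file from each host (scp, Ansible, a deployment-server app) is up to you; the host names and versions in the demo are constructed.

```shell
#!/bin/sh
# Pre-upgrade inventory check for a Splunk deployment.
# Added example for this post, not Splunk's own tooling. Each Splunk instance
# writes $SPLUNK_HOME/etc/splunk.version as KEY=VALUE lines (VERSION=, BUILD=,
# PRODUCT=, PLATFORM=). Collect that file from every host, feed the versions in
# as "<role> <host> <version>" lines, and check_compat enforces the ordering
# rule the upgrade sequence must preserve: no indexer newer than a search
# head, no forwarder newer than an indexer. Hosts and versions in the demo
# are constructed.

# Print the VERSION= value from a splunk.version file.
splunk_version_from_file() {
    sed -n 's/^VERSION=//p' "$1"
}

# Exit 0 when dotted version $1 <= $2, comparing field by field numerically
# (so 7.9.0 < 7.10.0, which a plain string compare would get wrong).
version_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case $a in *.*) a=${a#*.};; *) a='';; esac
        case $b in *.*) b=${b#*.};; *) b='';; esac
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 1
    done
    return 0
}

# Inventory: one "<role> <host> <version>" line per instance, with roles
# searchhead, indexer and forwarder. Prints one line per violation and exits
# 0 when the inventory is consistent, 1 otherwise.
check_compat() {
    inv=$1
    violations=0
    for idx in $(printf '%s\n' "$inv" | awk '$1=="indexer"{print $2":"$3}'); do
        for shd in $(printf '%s\n' "$inv" | awk '$1=="searchhead"{print $2":"$3}'); do
            if ! version_le "${idx#*:}" "${shd#*:}"; then
                echo "VIOLATION: indexer ${idx%%:*} (${idx#*:}) is newer than search head ${shd%%:*} (${shd#*:})"
                violations=$((violations + 1))
            fi
        done
        for fwd in $(printf '%s\n' "$inv" | awk '$1=="forwarder"{print $2":"$3}'); do
            if ! version_le "${fwd#*:}" "${idx#*:}"; then
                echo "VIOLATION: forwarder ${fwd%%:*} (${fwd#*:}) is newer than indexer ${idx%%:*} (${idx#*:})"
                violations=$((violations + 1))
            fi
        done
    done
    [ "$violations" -eq 0 ]
}

# Demo: constructed splunk.version files for a deployment caught half-way
# through an upgrade done in the wrong order (one indexer and the forwarder
# already on 7.1.0, the search head and the other indexer still on 7.0.3).
demo_inventory() {
    dir=$(mktemp -d)
    printf 'VERSION=7.0.3\nPRODUCT=splunk\n' > "$dir/sh01"
    printf 'VERSION=7.1.0\nPRODUCT=splunk\n' > "$dir/idx01"
    printf 'VERSION=7.0.3\nPRODUCT=splunk\n' > "$dir/idx02"
    printf 'VERSION=7.1.0\nPRODUCT=splunk\n' > "$dir/fwd01"
    inv=''
    for entry in searchhead:sh01 indexer:idx01 indexer:idx02 forwarder:fwd01; do
        inv="$inv${entry%%:*} ${entry#*:} $(splunk_version_from_file "$dir/${entry#*:}")
"
    done
    rm -rf "$dir"
    printf '%s' "$inv"
}

inventory=$(demo_inventory)
printf 'Inventory:\n%s\n' "$inventory"
check_compat "$inventory" || echo "Fix the order before continuing the upgrade."
```

Run it before you start (every line should carry the old version), after each tier in the list above, and again at the end; the demo inventory reports two violations, the upgraded indexer against the not yet upgraded search head and the upgraded forwarder against the remaining old indexer, which is exactly the state the "search heads, then indexers, then forwarders" order avoids.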

Useful Links