New Features and Upgrading Tips for Splunk (7.1)
Splunk Enterprise 7.1 is the most recent release available to all Splunk users. In this blog post I cover a few of the new features, known issues and fixes, and upgrading tips for the new version.
Splunk now has a new UI that gives apps a modern look, with a lighter, flatter design. See below how the Search app looks in the new design compared with the old one:
- SplunkWeb user interface update – Significant visual updates to the SplunkWeb, the interactive graphical user interface in Splunk software.
- Upgrade indexer clusters and search head clusters with minimal search disruption.
- Admin password required at install – The admin user must specify a non-default password when installing Splunk Enterprise. See the updated installation procedures for your platform in the Installation Manual.
- Users - Admins can configure user lockout after a specified number of failed login attempts and can set custom requirements for password length, complexity, and expiration. See Configure a Splunk password policy in Securing Splunk Enterprise.
- Metrics - Improvements in metrics storage and query. See mstats in Search Reference.
- Diag UI - Ability to generate diagnostic files for customer support from Splunk Web, for specific nodes or an entire deployment. See Generate a diagnostic file in the Troubleshooting Manual.
- Dashboard time range picker selected state does not correctly display certain ranges
- After installing Splunk on Windows with msiexec and the "GENRANDOMPASSWORD=1" option, the admin user cannot log in and gets the message "No users exist. Please set up a new user."
  Workaround: create $SPLUNK_HOME/etc/system/local/user-seed.conf with a [user_info] stanza naming the admin user and its password, then restart Splunk:

  ```ini
  [user_info]
  USERNAME = admin
  PASSWORD = <yourpassword>
  ```
- Enabling/Disabling acceleration for a data model creates an unnecessary copy of the data model JSON in
- Always check the current version of every instance.
- Check the installed apps for compatibility with the version you are looking to upgrade to.
- Test the installed apps by installing them on an upgraded test instance to check that they still work.
- Make sure you check whether your indexers are installed as a cluster. The upgrade differs when this is the case.
- Downtime – If you can have downtime, upgrade all peers (indexers) in the cluster at the same time.
- No Downtime – If you cannot have downtime, make sure you upgrade the peers one at a time.
- Remember, though, that your cluster master (master node) needs to be upgraded first and put into maintenance mode.
Run splunk enable maintenance-mode on the master. To confirm that the master is in maintenance mode, run splunk show maintenance-mode. This step prevents unnecessary bucket fix-ups. See Use maintenance mode.
- Universal Forwarders do not always need to be upgraded (check this in the Splunk documentation). If you do upgrade them, do so last.
- The order that works for me is as follows:
  - Cluster Master
  - Search Heads
  - Heavy Forwarders
  - Deployment Server
  - Universal Forwarders (optional)
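A dry-run planner for the upgrade order above, added here as an example; it is not part of the original post or of any Splunk tooling. It assumes a constructed inventory of hosts with their `splunk version` output, the role names listed in ORDER, and that indexer peers are upgraded after the search heads (the post does not place the peers explicitly).

```python
import re

# Upgrade order from the post. Indexer peers are placed after the search heads (an
# assumption added here: search heads should run a version at least as new as the peers).
ORDER = ["cluster_master", "search_head", "indexer", "heavy_forwarder",
         "deployment_server", "universal_forwarder"]
VERSION_RE = re.compile(r"Splunk\s+(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory, one instance per line: "host role <`splunk version` output>".
INVENTORY = """\
cm01 cluster_master Splunk 7.0.3 (build abc123)
idx01 indexer Splunk 7.0.3 (build abc123)
idx02 indexer Splunk 7.0.3 (build abc123)
sh01 search_head Splunk 7.0.3 (build abc123)
hf01 heavy_forwarder Splunk 7.1.0 (build def456)
ds01 deployment_server Splunk 7.0.3 (build abc123)
uf01 universal_forwarder Splunk 7.0.3 (build abc123)
"""

def parse_version(text):
    """Turn 'Splunk 7.0.3 (build ...)' into a comparable tuple (7, 0, 3)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())

def plan_upgrade(inventory, target, allow_downtime=False):
    """Return (host, role, action) steps in upgrade order; hosts already at target are skipped."""
    wanted = parse_version("Splunk " + target)
    by_role = {role: [] for role in ORDER}
    for line in inventory.strip().splitlines():
        host, role, version_text = line.split(None, 2)
        if role not in by_role:
            raise ValueError("unknown role %r on %s" % (role, host))
        if parse_version(version_text) < wanted:
            by_role[role].append(host)
    steps = []
    for role in ORDER:
        hosts = by_role[role]
        if role == "cluster_master":
            # Master first: enable maintenance mode, confirm it, then upgrade the master.
            action = "splunk enable maintenance-mode; splunk show maintenance-mode; upgrade"
            steps += [(h, role, action) for h in hosts]
        elif role == "indexer" and allow_downtime and hosts:
            steps.append((",".join(hosts), role, "upgrade all peers at the same time"))
        elif role == "indexer":
            steps += [(h, role, "upgrade one peer at a time") for h in hosts]
        else:
            steps += [(h, role, "upgrade") for h in hosts]
    return steps
```

Running `plan_upgrade(INVENTORY, "7.1.0")` lists the master with its maintenance-mode commands first and skips hf01, which is already on 7.1.0.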
- Upgrading a cluster
- Upgrading a search head cluster
- Upgrading universal forwarders (a different process from Splunk Enterprise)