While a lot of people may not like change, in the software development cycle it is essential and Splunk is no exception. With support for Splunk Version 8 set to end in May 2023, you might be thinking about upgrading to Splunk Version 9. But, given the innate wariness of change and the considerations involved in updating your software instance, you may also be wondering whether it’s worth it.

In this article, we’re going to run through everything you need to know about upgrading your Splunk V8 instance, what kind of changes you can expect to see, and why it’s important to make sure your platform is supported.

Looking for a list of the new features in Splunk V9? Check out our blog post here.

Splunk Version 8 End of Support Date

The End of Support Date (EOSD) for Splunk version 8 has been set for May 2023. After this time, the vendor will no longer allocate resources to maintain this version of Splunk Enterprise. This means anyone using Splunk Version 8 should plan for an upgrade to a supported version to continue to receive technical support and vital security patches going forward.

Things to consider before upgrading your Splunk instance

Making a decision about upgrading isn’t as straightforward as it might seem. On paper, everyone wants access to the latest features and functionality, but in reality, there are a number of factors to ensure the system remains stable, secure, and functional.

These factors include:

Compatibility

Any new version of Splunk Enterprise is likely to include new features and enhancements that can benefit your organisation. But it’s crucial to ensure that any new version of Splunk Enterprise you might implement is compatible with your existing hardware, operating system, and other software dependencies.

Compatibility issues can cause system failures or unexpected behaviour, and may require additional resources to fix before you can continue using Splunk as normal. You can check for any potential compatibility issues by reviewing the documentation provided by Splunk about the new version.

Known issues

Reviewing the list of known issues or bugs that are fixed in the updated version can help you work out whether any of these issues affect your current deployment. You can then evaluate how the updated version will address them, to ensure that the software is running smoothly and efficiently, without any significant issues or errors

Security vulnerabilities

Some of the most important fixes that come with a new version of any software will be around security. It’s worth finding out if the updated version includes any security enhancements or fixes that address vulnerabilities in your current version, so be sure to review the security release notes and evaluate how the updates will impact your existing security protocols. This can help to minimise the risk of security breaches, data loss, or other security-related incidents.

Impact on existing configurations

Before rolling out an updated version, check to see if the upgrade will trigger changes to existing Splunk configurations, such as data sources, alerts, or dashboards. If reconfiguration will be required, plan for the necessary changes to make sure they don’t impact the functionality or usability of the system.

Support

Finally, check the level of support provided by the vendor for the current version of the software. This information can help you determine the appropriate timeframe for the upgrade process.

Support for current Splunk releases

As a reputable software vendor, Splunk meticulously manages the software deployment lifecycle for each of its solutions—and you can find this lifecycle information in the Splunk Support Policy documentation.

This policy outlines key details like the scope and duration of support for Splunk product releases, and End of Support Dates (EOSD). The EOSD is the date after which a software vendor will no longer provide technical support, bug fixes, or security patches for a particular version of its software. Customers need to be aware of the EOSD so they can plan for upgrades, and avoid potential security risks and increased maintenance costs that can come with running out of date and unsupported versions.

At the time of writing, there are three Splunk Enterprise releases available.

With the EOSD for Splunk version 8 looming, customers using Splunk V8 should plan to upgrade to a supported version.

So let’s take a closer look at Splunk Enterprise V9.0 with regards to the considerations we mentioned above, so you can plan for a smooth, seamless upgrade.

What to know before upgrading to Splunk 9.0

Splunk 9.0: Known issues

Software issues are inevitable, whomever the vendor. What’s important is that these issues are constantly being discovered, flagged, and most importantly resolved throughout the software lifecycle.

These are referred to as known issues and may include workarounds for mitigating their impact on functionality. Fixed issues, on the other hand, are those that have now been resolved through software updates or patches.

Splunk continuously publishes a list of known and fixed issues for every release. It’s important to note that not all known or fixed issues may be relevant to your specific Splunk instance. That’s why, it’s advisable to analyse release notes thoroughly to determine the relevance of any known or fixed issues to your environment before upgrading.

Splunk 9.0: Security vulnerabilities

Splunk Enterprise Version 8 was found to have several security vulnerabilities, including remote code execution and cross-site scripting (XSS) vulnerabilities.

Remote code execution vulnerabilities allow an attacker to run malicious code on a remote system, while XSS vulnerabilities enable attackers to inject and execute malicious scripts within web pages viewed by users.

For instance, Splunk Enterprise deployment servers in Versions 8.X are susceptible to the vulnerability CVE-2022-32158: an attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server.

Another vulnerability affecting Splunk Enterprise V8 is CVE-2022-32153. Exploiting this vulnerability, a malicious actor could perform a machine-in-the-middle attack due to communication between Splunk nodes and trusted hosts lacking TLS certificate hostname validation.

The full list of vulnerabilities for Version 8.X can be found here.

Splunk 9.0: Compatibility

Before upgrading to a new version of Splunk, you should do due diligence to ensure that your system and hardware meet the necessary requirements. You should also review your current architecture design against the new version’s capacity requirements, and check the compatibility of your Splunk apps and forwarders with the new version.

Splunk documentation contains all the necessary information for these tasks, including the system requirements, capacity recommendations, and compatibility matrix.

Here are a few useful links to help you complete these checks:

• Splunk Version 9 system requirements
• Splunk Version 9 performance recommendations
• Splunk Version 9 compatibility matrix

Splunk 9.0: Impact on existing configurations

To size up the potential impact of a Splunk upgrade on your existing configurations, start by reviewing the Splunk upgrade documentation to identify any changes that will be needed during the upgrade process.

Next, take an inventory of your current Splunk apps and any technologies in use, including any deprecated stanzas in the configuration files, unsupported Python versions, and the type of KV store engine in the target version of Splunk. (Splunk Version 9 exclusively supports Python V3, and utilises the “wiredTiger” KV store engine rather than the “mmap” engine used in Splunk V8.)

Ideally, you should set up a test environment that closely mirrors the production environment and test the upgrade procedures on these servers to ensure a smooth transition.

To sum up, upgrading to the latest version of Splunk Enterprise from V8.X gives you access to improved performance, enhanced security, new features, bug fixes, stability improvements, and continued support

Ready to update your instance? RiverSafe’s can help. Our services include a comprehensive system health check to identify any potential problems, and a review of your current Splunk deployment to ensure compatibility with the new version.

Trust us to manage your upgrade with minimal downtime and a smooth transition.

Contact us to upgrade to Splunk V9 today