Splunk 5.x: EOL & what does that mean for you?
At .conf 2017 Splunk announced version 7.0 as a major step up for search performance plus many new features, but they also announced the end of life (EOL) of the 5.x versions of Splunk, effective as of 30 November 2017.
So what does that mean if you are currently using Splunk version 5.x in your business?
Upgrading to the most recent version of Splunk is advisable, as not only will there be no further security patches or support for Splunk 5.x, but later versions offer many new and vastly improved features. To explain how upgrading Splunk will benefit your business we will break the details down into three key areas of focus.
In our previous blog we gave a high level overview of some of the amazing new features available in Splunk 7. This is a great starting point to catch up on if you haven’t read it already.
Jumping from 5.x up to 6.x / 7.x is going to add a lot of additional features beyond those mentioned in the previous post, such as:
- Architectural improvements with indexer clustering & search head clustering offering additional data replication & resilience to your deployments.
- Major new Splunk user interface (UI) changing how you see and access your Splunk reports and Dashboards.
- Visualisations now run on HTML Canvas instead of flash, offering major browser performance improvements.
- Simple XML overhaul allowing for easy creation of new dashboards without needing to get dirty with XML code.
- Trellis visualisations allow for easier creation of new dashboard visualisations
- No more Splunk on Splunk (S.o.S), plus save licensing costs on monitoring your Splunk environment by using the built in monitoring console, giving you much better insight and visibility into the health of your Splunk environment.
As well as the plethora of new features, there are key reasons to consider an upgrade related to the operational support of your environment:
- The support & maintenance part of your license will require you to be on a supported version of Splunk (ie. 6.x or 7.x), meaning if you have any issues on 5.x or older versions then won't have access to help from the support teams or the Splunk community.
- Environment scaling can now be achieved through a horizontal scaling model, using both of the clustering options introduced in the 6.x releases, and improved upon in 7.0.
- Massive performance improvements to search and indexing.
As always there are other considerations to keep in mind, particularly hardware requirements and OS support and patching.
One of the biggest benefits of an upgrade to Splunk 7 is gaining a wealth of security improvements for your data. For example major security vulnerabilities such as Heartbleed, POODLE, GHOST and more were patched during 6.x.
Further details on the common vulnerabilities and exposures (CVE) and other specifics of these vulnerabilities patched throughout the development of 6.x are available at the Splunk security portal: https://www.splunk.com/page/securityportal
So how can you upgrade?
First and foremost with a major version jump it is advisable to take appropriate backups of your configuration, ensuring your data is kept intact.
In a distributed environment you should always upgrade the indexing layer prior to the search head instances. Forwarders can also stay on an older version but it would be highly advisable to look at a forwarder upgrade strategy for your environment so they match the same major version.
The upgrade from 5.x to 7.0 takes a transitional step to any version of 6.0 - 6.3 before the jump to 7.0. This adds additional complexity and checks at the interim 6.x phase of the upgrade to ensure your environment is still operating as efficiently as expected.
Some configurations you might have in use may also have been deprecated, so it is advisable to attempt the upgrade on a test environment first, to be prepared for any potential configuration changes required. Further details on specifics deprecated in 7.0 are detailed here: http://docs.splunk.com/Documentation/Splunk/7.0.0/Installation/AboutupgradingREADTHISFIRST
However we would strongly recommend that you enlist the help of consultants from a Splunk Partner (such as NCC Group) or Splunk Professional Services directly.
How NCC Group can help
NCC Group is a long-standing Splunk Partner in UK and EMEA. We have highly capable, experienced and qualified professional services consultants that specialise in Splunk, from data-ingest, through data-science, to visualisation and integration, ready to assist you in getting the most intelligence and information possible out of your data. We have delivered stand-alone and integrated transformational security intelligence, operational intelligence, and business intelligence services for hundreds of Splunk customers, working with everyone from small start-ups to global enterprises, at data volumes from less than one GB per day to multiple TB per day.
If your organisation is already using Splunk then a good starting point is our health-check service, where we will check the state and maturity of your current deployment. We then highlight what improvements could be made, how things could run more efficiently, and share business value generation opportunities that can be achieved by upgrading, putting more data in, or handling data currently in Splunk differently, to maximise return on your existing Splunk investment.
If your organisation is not currently using Splunk, then get in touch via firstname.lastname@example.org to talk to us about a demonstration and a discussion of the potential value it could bring to you and your business.
Published date:  29 September 2017
Written by:  Jamie McCallion and Paul McDonough