Splunk Tech Talks
Deep-dives for technical practitioners.

Introducing Splunk Enterprise 9.2

WhitneySink
Splunk Employee


Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk Enterprise 9.2 release. You will hear from the Splunk product team on platform initiatives that are helping to improve your experience. Hear about our release methodology improvements and how it can help you stay current while meeting the operational constraints of rolling it out in your organization.

Key Takeaways:

  • Learn about new features and updates to the Splunk Enterprise 9.2 release
  • Learn about platform initiatives that are designed to help you receive value faster
  • Learn about new changes to our release methodology that can help you stay current


WhitneySink
Splunk Employee

Here are a few questions asked during the live Tech Talk

 

Q. What else should I be doing to prepare for the Python upgrade?

A. The Splunk Docs page https://docs.splunk.com/Documentation/Splunk/latest/Python3Migration/AboutMigration is the latest and greatest resource for learning more about how to upgrade. We also recently released Splunk Python SDK 2.0.0 with added support for 3.9. That resource is here: https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/

 

Q. What would you recommend as a cadence of upgrade? We are tight on resources and need to plan in advance.

A. I think it is worth noting that every customer will have different constraints and challenges, so there isn't a single right answer to this question. However, the general guidance here would be to think about a few dimensions:

(1) It's important to stay on a supported Splunk version, and as the presentation highlighted, there is a 2 year support window after each release comes out. It is therefore prudent to be running on a version that gives sufficient support window prior to your next upgrade.

(2) Moving to a new version likely involves some amount of qualification in your environment. How long that qualification may take, along with your organization's operations and critical periods (e.g. likely you won't want to do upgrades during a peak season (e.g. Tax Season, or Black Friday / Winter Holidays)). Often then, we see customers planning to upgrade to a new major/minor version right after their busy season(s). Our goal has been to make this upgrade as easy as possible by providing the ability to upgrade to a new version without having to sequentially upgrade through all intermediate versions. Do make sure to check the release notes / upgrade guide (for example https://docs.splunk.com/Documentation/Splunk/9.2.1/Installation/HowtoupgradeSplunk) for more details on this, as this may vary for specific releases. The major/minor version will include features as well as bug fixes and security fixes. The length of time your organization needs to qualify a release will vary based on your own specific system complexity and organization processes. It is however recommended to upgrade to a new major/minor version at least once per year.

(3) Staying current with regard to security vulnerabilities is likely an important aspect for you to consider. Many enterprises have specific policy around security vulnerabilities and the time in which they need to be mitigated/remediated. With this in mind, our maintenance releases, which come out roughly every 8 weeks, provide updates for issues published in our security advisories (see https://advisory.splunk.com/). The maintenance releases do not contain features and are intended to be much easier to upgrade to, given the surface area of changes is much smaller and thus should require less qualification prior to deployment. It is therefore recommended to stay current on the latest maintenance version for your given version.

In summary then, your specific circumstances will likely differ, but it is recommended to upgrade to the latest major.minor version at least once per year, and then to stay current with the maintenance versions for that major/minor release on an ongoing basis.

 

Q. We are currently on 9.0. Can we upgrade to 9.2 directly, or do we need to upgrade to 9.1 and then 9.2?

A. Yes, that is a supported version. You can always find information on what the supported upgrade paths are in Splunk Documentation. For Splunk Enterprise 9.2, that is located here: https://docs.splunk.com/Documentation/Splunk/9.2.0/Installation/HowtoupgradeSplunk

 

Q. Are you planning to discontinue "classic Dashboard"?

A. As mentioned in the Webinar, the future vision is for Dashboard Studio to become the de facto standard and tool for creating Splunk dashboards. We know many customers are currently on Classic, and are working to get as much feature parity as possible so that customers can migrate.

 

Q. Will we get to see any more detail about how the certificate store integration works?

A. You can find information about Trust Store integration in our Splunk Documentation here: https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/ConfigTLSCertsS2S

 

Q. Are there any real changes expected to apps when we go up to 3.9 from 3.7?

A. In our internal testing across the platform and Splunk-supported apps, we have not seen significant breakage or compatibility issues. We expect customers to be able to migrate to Python 3.9 relatively easily, but we do recommend customers testing it before deploying into Production. The version we are targeting after Python 3.9 is expected to be Python 3.12 - which we know will be a major effort. We continue to publish more information on Splunk Docs as it becomes available.

 

Q. Will Splunk be able to use the Windows Certificate Store and how do we select which certificate will Splunk use?

A. You can find information about Trust Store integration in our Splunk Documentation here: https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/ConfigTLSCertsS2S

 

Q. Are the Splunk Containers going to be released on the same cadence as the main product? We have seen many more CVEs in the containers than in Splunk.

A. Yes, the docker-splunk team maintains the same cadence as Splunk. The Splunk Operator for Kubernetes, which utilizes Docker-Splunk for deployment in Kubernetes environments, also strives to adhere to this cadence. However, occasionally, it may require more time to align with the desired schedule.

 

Q. What versions of Splunk can we upgrade directly from to 9.2.1?

A. You can always find information on what the supported upgrade paths are in Splunk Documentation. For Splunk Enterprise 9.2, that is located here: https://docs.splunk.com/Documentation/Splunk/9.2.0/Installation/HowtoupgradeSplunk

 

Q. Aren't the DSs using DFS shares for the apps?

A. For our internal testing, we have tested with NFS and can confirm it works. It should extend and work using DFS as well.

 

Q. Since it can be put behind a load balancer, does replication occur between Deployment servers?  

A. All of the DSs are mounted with the same network driver folder for phonehome, client events and apps files. Since the folders are pointing to the same network driver files for all DSs, they can share each other’s info.

 
