Splunk Enterprise no longer lets you run it as the root user by default

Applicable components: Splunk Enterprise

$SPLUNK_HOME/bin/splunk start --run-as-root

Splunk Enterprise on Windows no longer lets you install it as a local administrator or domain user by default

Applicable components: Splunk Enterprise

You can retain your existing user configuration by supplying the INSTALL_AS_ADMINISTRATOR=1 argument for the msiexec installer utility during an upgrade. It is also possible to use this argument for new installations of Splunk Enterprise but this functionality will be removed in a future release.

To learn more about this significant change, see the following topics:

• Choose the Windows user Splunk Enterprise should run as

• Deprecated and removed in version 10.2

The Splunk platform uses version 3.13 of the Python runtime environment on Splunk Web

Applicable components: Splunk Enterprise

The Node.js JavaScript runtime environment has been removed

Applicable components: Splunk Enterprise

Splunk has removed the Node.js runtime environment, which it deprecated in version 10, from Splunk Enterprise as of version 10.2. This means that apps that require Node.js will no longer run. If you use or make an app that runs Node.js, then the app must include its own build of the Node.js runtime on Splunk 10.2 and higher.

Updates to Fishbucket

Applicable components: Splunk Enterprise

In Splunk Enterprise 10.2, a database back end for the Fishbucket, a repository used to store file-monitoring checkpoints, was replaced with a more reliable back end.

If you are upgrading from earlier Splunk Enterprise versions, you do not need to take any action. No explicit or implicit migration is required. After the upgrade, Splunk Enterprise will continue to read existing file checkpoints from the legacy Fishbucket database. Going forward, it will write new checkpoints to and read new checkpoints from the new repository.

This information is provided because downgrading from Splunk Enterprise 10.2 to an earlier version is not officially supported. Customers who choose to downgrade may lose checkpoints that were created after the upgrade. As a result, file-monitoring state might revert to the checkpoint position that existed prior to the upgrade, which can lead to partial re-ingestion of files and potential event duplication.

Support for version 3.7 of the Python runtime environment has been removed

Applicable components: Splunk Enterprise

Splunk has removed support for version 3.7 of the Python runtime environment. Confirm that any apps and add-ons that use Python can work with version 3.9 of the interpreter before starting an upgrade.

Hadoop Data Roll has been turned off by default

Applicable components: Splunk Enterprise

Splunk has removed support for Hadoop Data Roll. As an alternative, consider archiving aged index data to local or other data storage.

KV Store requires computers that have CPUs with AVX, SSE4.2, and AES-NI

Applicable components: Splunk Enterprise

Beginning with version 9.4 of Splunk Enterprise, any computer that runs the software must have a CPU that has support for the following extensions to the x86 instruction set architecture:

• Advanced Vector Extensions (AVX)
• Streaming SIMD Extensions 4.2 (SSE4.2)
• Advanced Encryption Standard: New Instructions (AES-NI).

Typically, these extensions have support on Intel CPUs that belong to the Sandy Bridge and later microarchitecture families. There is additional support for the AMD Bulldozer 15h GEN3 family of processor chips. In both cases, there is support only for the x86-64 instruction sets.

Computers that do not use CPU processors that support AVX, SSE4.2, and AES-NI are unable to run Splunk Enterprise, and an attempt to upgrade the software on such computers will fail. This is because the latest version of the database engine that KV Store uses does not have support for CPUs that do not have support for AVX, SSE4.2, and AES-NI.

You must upgrade or replace computers that do not meet the standard before you attempt an upgrade. See Upgrade the KV store server version in the Admin Manual to learn about these new requirements for KV Store and plan the upgrade.

READ THIS FIRST: Should you deploy field filters in your organization?

Applicable components: Splunk Enterprise

Field filters is a powerful tool that can help many organizations protect their sensitive fields from prying eyes, but it might not be a good fit for everyone. If your organization runs Splunk Enterprise Security or if your users rely heavily on commands that field filters restricts by default (mpreview and mstats), do not use field filters in production until you have thoroughly planned how you will work around these restricted commands. See READ THIS: Restricted commands do not work in searches on indexes with field filters in the Securing Splunk platform manual.

Splunk Enterprise 9.1 fixes a critical vulnerability in deployment server but might introduce problems for older deployment clients

Applicable components: Splunk Enterprise

Splunk introduced a fix for a vulnerability in deployment server in version 9.0 of Splunk Enterprise, and this fix is also available in version 9.1. If you run a deployment server, upgrade that server to version 9.1 of Splunk Enterprise as soon as possible. Before the upgrade, carefully review your deployment server setup and the current versions of the deployment clients in your Splunk Enterprise network. Depending on the setup of your deployment server and whether that component shares a computer with other Splunk Enterprise components, you might need to do the following to ensure your deployment server and clients communicate without problems:

• Isolate deployment server from other components on a machine. Isolating your deployment server means you only have to upgrade that component. The sole exception for isolation is if you run a deployment server and a license manager on the same machine.
• Confirm that all deployment clients in your network run version 7.0.0 or higher of Splunk Enterprise or the universal forwarder. You don't have to upgrade deployment clients to version 9.0.0, but they must be at version 7.0.0 or higher to communicate with version 9.0.0 deployment servers.

See the following topics for additional information:

• SVD-2022-0608 for more about the vulnerability
• Client version compatibility in the Updating Splunk Enterprise Instances Manual for more about which versions of deployment client that the version 9.0.0 deployment server supports

Follow specific instructions to upgrade clusters

Applicable components: Splunk Enterprise

To upgrade indexer or search head clusters, follow the upgrade procedure for the type of deployment you have.

• If your deployment has indexer clusters, follow the index cluster upgrade instructions.
• If your deployment has search head clusters, follow the search head cluster upgrade instructions.

Back up App Key Value Store prior to starting an upgrade

Applicable components: Splunk Enterprise

Back up the app key value store (KV store) before any maintenance like an upgrade.

Confirm that you have accounted for this downtime in your upgrade planning. See Back up and restore KV store for more information.

The indexer cluster slave-apps directory is renamed to peer-apps

Applicable components: Splunk Enterprise

During upgrade of a Splunk Enterprise indexer cluster, the installer renames the slave-apps directory on an indexer cluster node to peer-apps. To accommodate this renaming, you must manually change any external hard-coded references to slave-apps, such as in external scripts, TLS certificates, and so on, to peer-apps. See Update common peer configurations and apps in Managing Indexers and Clusters of Indexers.

The setting master_uri is renamed to manager_uri

Applicable components: Splunk Enterprise

In the [License] stanza of the server.conf configuration file, the master_uri setting has been renamed to manager_uri. The old setting name is deprecated but still usable in 9.2. During an upgrade to 9.x, if you have a mixed deployment of 9.x and 8.x instances, do not change master_uri to manager_uri in the 8.x instances. Version 8.x instances do not recognize the manager_uri setting name.

The Splunk platform now warns you when there is no configuration for allowed internet domains for alert actions that send emails

Applicable components: Splunk Enterprise

To improve security posture for Splunk Enterprise environments, Splunk implemented a change to how it processes the sending of emails as a result of an alert action. The allowedDomainList setting in the alert-actions.conf configuration file controls which internet domains to which the instance can send alert action emails. If the setting doesn't have a value, then the instance can send email to any domain as part of an alert action. This is a potential security risk.

If you have not configured an allowed email domain list with the allowedDomainList setting, then the Splunk Enterprise instance advises you of that exposure with the following message:

Security risk warning: Found an empty value for 'allowedDomainList' in the alert_actions.conf configuration file. If you do not configure this setting, then users can send email alerts with search results to any domain. You can add values for 'allowedDomainList' either in the alert_actions.conf file or in Server Settings > Email Settings > Email Domains in Splunk Web

This message appears by design on any type of search head. It is a security posture that you, as a customer, are responsible for maintaining to reduce the potential of spam messaging and data exfiltration. To configure a list of valid internet domains to which your search heads can send email, see Configure email notification for your Splunk instance in the Alerting Manual.

If the message appears on an indexer, you can safely dismiss the warning without further action. Consider configuring an internet domain that does not send email and using that domain for this configuration to suppress further warnings.

Changes to deployment server architecture

Applicable components: Splunk Enterprise and Splunk Universal Forwarder

See Upgrade pre-9.2 deployment servers in Updating Splunk Enterprise Instances for important details related to these changes.

Significant aspects of the deployment server have been redesigned in Splunk Enterprise version 9.2 to improve performance and manageability. Because of these architectural improvements, deployment server upgrades that span the version 9.2 release automatically undergo changes to implement these improvements.

Splunk has deprecated the SSL v3 and TLS 1.0 and 1.1 network encryption protocols

Applicable components: Splunk Enterprise and Universal Forwarder

Splunk has deprecated the use of version 3.0 of the Secure Sockets Layer (SSL) and versions 1.0 and 1.1 of the transport layer security (TLS) network encryption protocols for version 9.4 of Splunk Enterprise. While these protocols remain supported for the encryption of network traffic between Splunk services such as the Splunk daemon, deployment servers and clients, App Key Value Store (KV store), and forwarders and receivers, version 9.4 of Splunk Enterprise will warn you about these deprecated protocols if you use them after you upgrade.

The Internet Engineering Task Force (IETF) deprecated version 3.0 of the SSL protocol in 2015, and the TLS 1.0 and 1.1 protocols in 2021. Splunk will eventually remove these protocols as options to encrypt Splunk network traffic. When possible, configure communication between Splunk clients and services using TLS version 1.2. This might require that you obtain new certificates for use in your Splunk Enterprise deployment.

New file names for Splunk Enterprise and Universal Forwarder software packages

Applicable components: Splunk Enterprise and Universal Forwarder

The file names of the Splunk Enterprise and Universal Forwarder software packages have changed to make them consistent and comply with platform specific conventions. The software download pages on splunk.com show the new file names.

Older jQuery libraries are restricted

Applicable components: Splunk Enterprise

The usage of older jQuery libraries and the Internal Library Settings page are removed. Deprecated libraries and unsupported hotlinked imports are restricted, and Splunk Enterprise no longer offers a self-service option to use them. For more information about Internal Library Settings, see Control access to jQuery and other internal libraries in the jQuery Upgrade Readiness manual.

The IOWait status check is delayed on startup

Applicable components: Splunk Enterprise

The IOWait Health Report incorporates a 120 second delay after the Splunk Enterprise service starts to prevent false alerts.

Macros now replicate by default to search peers

Applicable components: Splunk Enterprise

Macros used in apps are now replicated by default to search peers as part of the knowledge bundle in Splunk deployments. As a result of this change, searches that previously failed now run successfully, which could affect downstream performance.

If you don't want to replicate macros for your apps, you can suppress replication by setting replicate.macros = false in the [replicationSettings:refineConf] stanza in the distsearch.conf file. Be aware that disabling distribution of macros might negatively impact your search results.