Upgrade considerations from Anomaly Detective 4.0

Recommendations below are intended for customers upgrading from Anomaly Detective 4.0. Please contact support@prelert.com for assistance during this process if you have v4.0 deployed on a search head cluster.

Anomaly Detective 4.2 contains significant changes to data in the mathematical models. As such, it is not possible to migrate model state from v4.0 to v4.2.

Anomaly Search configurations can be migrated across.

We recommend installing v4.2 on a separate search head and running the two systems in parallel. If this is not possible, then steps to upgrade are listed below.


  1. Upgrade the Anomaly Detective app to version 4.2 using the procedure documented here, except leave the v4.2 app disabled after install
  2. Shut down Splunk on the search head where configs are to be migrated (this can be done instead of the restart that is usually required when installing Anomaly Detective)
  3. If you are running a search head cluster, merge the Prelert anomaly search configurations from all search heads in the cluster into a single prelertrealtime.conf and a single inputs.conf and put these merged files together with all prelertfields_*.conf files from all search heads in the cluster into the $SPLUNK_HOME/etc/apps/prelert/local directory on the search head where configs are to be migrated - this step is error-prone and you are strongly advised to contact support@prelert.com for assistance
  4. While Splunk is not running, run the prelertmigratev4tov4.1.py script to migrate v4.0 Anomaly Searches to v4.1 Anomaly Searches (see below)
  5. Read through the messages printed to the console by the migration scripts - any errors are likely to relate to inadequate file system permissions for the operating system user running the migration script
  6. Restart Splunk on the search head where configs were migrated
  7. If you are running a search head cluster, manually copy the post-migration contents of the $SPLUNK_HOME/etc/apps/prelert/local directory from the search head you upgraded to each of the other search heads in the cluster
  8. Re-enable the Anomaly Detective app - in a search head cluster this must be done by pushing an updated app.conf file from the deployer; on other types of Splunk instances it can be done from Splunkweb

The configuration migration script is a Python program that must be run in the Python that is shipped with Splunk. On Windows, run it from a command prompt (cmd.exe) as follows:

> cd "C:\Program Files\Splunk\etc\apps\prelert\bin"
> ..\..\..\..\bin\splunk.exe cmd python prelertmigratev4tov4.1.py

On other platforms, run the migration script from a shell prompt as follows:

> cd $SPLUNK_HOME/etc/apps/prelert/bin
> ../../../../bin/splunk cmd python prelertmigratev4tov4.1.py
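The merge in step 3 is where mistakes happen, so here is an added pre-merge check written for this page (it is not part of Prelert's tooling or the migration script): it parses the per-search-head copies of a Splunk .conf file such as prelertrealtime.conf or inputs.conf, merges the stanzas, and reports every setting whose value differs between search heads so it can be resolved by hand before the merged file is placed in $SPLUNK_HOME/etc/apps/prelert/local. The host names, stanza names and keys in the sample are constructed placeholders, not Prelert's real schema.

```python
import re
from collections import OrderedDict

STANZA_RE = re.compile(r'^\[(.+)\]\s*$')

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Settings before the first stanza header go under 'default', as Splunk does.
    Comments and blank lines are skipped; backslash continuations are not handled."""
    stanzas = OrderedDict()
    current = 'default'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, OrderedDict())
        elif '=' in line:
            key, value = line.split('=', 1)   # split once: values may contain '='
            stanzas.setdefault(current, OrderedDict())[key.strip()] = value.strip()
    return stanzas

def merge_confs(per_host):
    """per_host maps search head name -> conf text. Returns (merged, conflicts).
    The first host seen wins for each setting; conflicts lists every
    (stanza, key, {host: value}) where the hosts disagree, for manual review."""
    merged = OrderedDict()
    seen = OrderedDict()                      # (stanza, key) -> {host: value}
    for host, text in per_host.items():
        for stanza, settings in parse_conf(text).items():
            merged.setdefault(stanza, OrderedDict())
            for key, value in settings.items():
                seen.setdefault((stanza, key), {})[host] = value
                merged[stanza].setdefault(key, value)
    conflicts = [(s, k, hosts) for (s, k), hosts in seen.items()
                 if len(set(hosts.values())) > 1]
    return merged, conflicts

def render_conf(merged):
    """Serialise the merged stanzas back into .conf text."""
    lines = []
    for stanza, settings in merged.items():
        lines.append('[%s]' % stanza)
        lines.extend('%s = %s' % kv for kv in settings.items())
        lines.append('')
    return '\n'.join(lines)

# Constructed sample: two search heads whose copies disagree on one setting.
SAMPLE = {
    'sh1': '[anomaly_search_a]\nsearch = index=web\ncron_schedule = */5 * * * *\n',
    'sh2': '[anomaly_search_a]\nsearch = index=web\ncron_schedule = */10 * * * *\n'
           '[anomaly_search_b]\nsearch = index=auth\n',
}
```

Run `merge_confs(SAMPLE)` and refuse to write the output of `render_conf` while the conflicts list is non-empty; each entry names the stanza, the key and the value each search head holds.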

