Solved: Splunk server Patching

Prakash493 · ‎12-06-2019

Hi , My infra team is doing the Vulnerability patching on linux servers as we have 6 indexers clustered , we are doing patching on 3 indexers and 3 search heads clustered. is their anything that i need to do except validating the servers after patching ? as they are doing on 3 indexers i am thinking to enable maintenance mode ?

richgalloway · ‎12-08-2019

Yes, use maintenance mode. And run splunk offline on each indexer before it is patched.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-08-2019

Yes, use maintenance mode. And run splunk offline on each indexer before it is patched.

---
If this reply helps you, Karma would be appreciated.

Prakash493 · ‎12-10-2019

is it any problem if i use ./splunk stop command and after patching i will start the service , If i use splunk offline command what it will do and once patching finished how can i start splunk is by using ./splunk start ?

richgalloway · ‎12-10-2019

splunk offline is better. See https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Takeapeeroffline.

---
If this reply helps you, Karma would be appreciated.

Prakash493 · ‎12-10-2019

Awesome thanks

Splunk server Patching

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector