I was reading through the upgrade documentation and came across a statement mentioning that I have to stop all peers and search head to perform the upgrade. My concern is that I will have to stop indexing data during upgrade. I am also planning on increasing the size of the DAS strorage within the same change window and the indexers are running out of disk space. Can I perform the indexer cluster upgrade one by one instead of doing it all at once?
Following the documentation is usually the safest bet. That being said, you'll probably be fine with a rolling upgrade. Just make sure you backup $SPLUNKHOME/etc before starting, and upgrade the Cluster Master first. Then upgrade a peer and wait to ensure that the cluster regains sanity. Seeing the first one play well will give you confidence to proceed with the rest of them.