How to update an indexer cluster?

scheckenbachb
Explorer

Hi everyone,
I have to update (6.1.8 -> 6.4.3) a Splunk deployment built of 1 Master, 2 Search Heads (non-pooled), 2 indexers (cluster) and a few forwarders. I've checked the manuals, but I'm still unsure what the correct process is, especially for the indexer cluster.
Must I take both indexers and the master down until all three are updated?

Regards,
Bernhard

0 Karma
1 Solution

lguinn2
Legend

I have updated indexer clusters from 6.3 to 6.4 using the following procedure:

  1. Take the cluster master offline and update it. Restart.
  2. Put the cluster in maintenance mode.
  3. Update each indexer and then restart it. As an indexer restarts, it should rejoin the cluster.
  4. After all indexers are updated, turn off maintenance mode.
  5. Wait until the indexer cluster stabilizes - it should quickly catch up on its replication.
  6. Update and restart the search heads one at a time.
  7. The forwarders do not need to be updated, but if you want to update them, you can do it at any time.

From 6.1.8 to 6.4.3 is a larger "jump." I would be less confident with that. But you could take down all the Splunk indexers and the cluster master in step 1 (i.e., stop Splunk on all of them). Then update the master and put it in maintenance mode. Continue with step 3. That is a more conservative approach. The cluster will be offline slightly longer.

Do use maintenance mode.

aaraneta_splunk
Splunk Employee

Hi @scheckenbachb - Did the answers provided by lguinn or ChrisG help at all? If so, please don't forget to resolve this post by clicking "Accept" below the best answer and up vote any comments you found helpful. If not, please provide some more feedback by leaving a comment. Thank you!

0 Karma

ChrisG
Splunk Employee

Are you following the procedure in Upgrade an indexer cluster, in the Managing Indexers and Clusters of Indexers manual? The steps are pretty clear. You have to stop the master and all the peers and search heads, yes. And lguinn is right (as always), you want to use maintenance mode. You also want to use splunk stop to bring the peers offline, not splunk offline. See the docs!
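
The upgrade order from the two answers above, written as a shell script (an added example, not code from the thread or from Splunk's documentation). The host names, the `SPLUNK` path, the `run_on` helper and the `install_new_version` placeholder are assumptions; with the default `DRY_RUN=1` it only prints the plan, and `MODE=conservative` gives the stop-everything-first variant.

```shell
#!/bin/sh
# Added example, not from the thread. Host names, the SPLUNK path and the
# install_new_version placeholder are assumptions; adjust before real use.
SPLUNK="${SPLUNK:-/opt/splunk/bin/splunk}"
MASTER="${MASTER:-cm01}"          # constructed host names
PEERS="${PEERS:-idx01 idx02}"
HEADS="${HEADS:-sh01 sh02}"
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the plan, 0 = run it over ssh
MODE="${MODE:-rolling}"           # rolling | conservative (stop everything first)

# Run a command on a host; in dry-run mode only print "host: command".
run_on() {
    host=$1; shift
    if [ "$DRY_RUN" = 1 ]; then echo "$host: $*"; else ssh "$host" "$@"; fi
}

# Placeholder for the site-specific package step (rpm, deb or tarball).
install_new_version() { run_on "$1" "INSTALL-NEW-SPLUNK-PACKAGE"; }

start_node() { run_on "$1" "$SPLUNK start --accept-license --answer-yes"; }

# Stop with 'splunk stop' (not 'splunk offline'), install, start again.
upgrade_node() {
    run_on "$1" "$SPLUNK stop" && install_new_version "$1" && start_node "$1"
}

# Any failure returns 1 at once, leaving maintenance mode on for inspection.
upgrade_cluster() {
    if [ "$MODE" = conservative ]; then
        # Larger version jump: stop all peers and the master up front.
        for h in $PEERS $MASTER; do run_on "$h" "$SPLUNK stop" || return 1; done
        install_new_version "$MASTER" && start_node "$MASTER" || return 1
    else
        upgrade_node "$MASTER" || return 1
    fi
    # Assumes the CLI session on the master is already authenticated.
    run_on "$MASTER" "$SPLUNK enable maintenance-mode --answer-yes" || return 1
    for h in $PEERS; do
        if [ "$MODE" = conservative ]; then
            install_new_version "$h" && start_node "$h" || return 1
        else
            upgrade_node "$h" || return 1
        fi
    done
    run_on "$MASTER" "$SPLUNK disable maintenance-mode --answer-yes" || return 1
    # Let replication catch up before touching the search heads.
    run_on "$MASTER" "$SPLUNK show cluster-status" || return 1
    for h in $HEADS; do upgrade_node "$h" || return 1; done
}

upgrade_cluster
```

Review the printed plan first; with `DRY_RUN=0` the run stops at the placeholder install command until it is replaced with the real package step.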

paimonsoror
Builder

This is great information. I am looking to upgrade from 6.4 to 6.5 soon for our environment, and your post added some confidence to my planning 🙂

0 Karma