Different Splunk Version in Indexer Cluster

barriersbill · ‎08-22-2019

Hey everyone,

I am running an indexer cluster, single site, version 6.x and want to upgrade to 7.x. I saw here that the only way to do it is to bring down the whole cluster, upgrade, then bring it up.
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Upgradeacluster#Upgrade_a_6.x_or_7.x_ind...

I want to avoid this situation and upgrade the cluster indexer by indexer -- no rolling upgrade in current version. By first enabling maintenance mode -> put offline peer offline -> upgrade and move on to the other.

Problem is that the doc says that cluster shouldn't have peers with different versions :
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Compatibility_between...

All peer nodes must run the same version of Splunk Enterprise, down to the maintenance level. You must update all peer nodes to a new release at the same time. You cannot, for example, run an indexer cluster with some peer nodes at 6.n.2 and others at 6.n.1.

Would this work anyway ? Is it possible to run indexers with different versions within the indexer cluster. AND what would happen if this is applied, would there be errors mentioning different versions or will things keep running ?

Thx

chandanghoshCTL · ‎09-06-2019

in clustering setup can we have mix between old and new version?
We are planning to upgrade from 7.0.1 to 7.3.1 but we have search and index cluster .
Can we just upgrade just index master ? how about search head cluster?

sloshburch · ‎09-25-2019

This sounds more like another question than an answer. It also sounds like a question that was answered by the original question because of the links provided.
Best practice is to follow the documentation for how to perform an upgrade. It will explain how to upgrade each component.
I hope that helps.

MuS · ‎08-22-2019

Hi barriersbill,

This is not an answer nor the requested input on this topic, more an advice 😉

If the docs do mentioned something like this so detailed, telling you should not do it, and all nodes must be the same version - then there is a reason for this!
I'm pretty sure you cloud just try it, you might maybe succeed, or most likely just fail with it and just imagine what will happen if you raise a support case with Splunk on this?

Me: I upgraded my index cluster to different versions, please help
Splunk: Bold move, but we told you not to do this

Hope this helps ...

cheers, MuS

richgalloway · ‎08-22-2019

Depending on the value of x in 6.x, this could be a major upgrade. I suggest you stick to the instructions in the docs and suffer the outage to avoid causing yourself pain. Once you've done this upgrade, future upgrades will be rolling ones.

---
If this reply helps you, Karma would be appreciated.

woodcock · ‎09-02-2019

There is a big difference between should, must and can. I have tried this in the lab (mixing versions in a cluster) and it worked fine. I would say that you have little to lose by trying it (other than extended downtime if you run into something). It is highly likely to work if you have adjacent versions (6.* and 7.*) but the downside is that you will not get much, if any, support from Splunk if you end up in a bind.

barriersbill · ‎08-22-2019

Thanks for the quick answer! could you please elaborate a bit on what would happen if I do the upgrade one by one ?
I can't afford data loss so I must try to find a "rolling" upgrade way of doing this.

What do you think about this :
https://www.function1.com/2018/04/lessons-learned-upgrading-a-splunk-instance-with-no-downtime

richgalloway · ‎09-06-2019

That's a good write-up.
It's difficult to say what could happen. It could go well or Bad Things could happen. The docs are there to help you avoid Bad Things (other than inconvenience).

---
If this reply helps you, Karma would be appreciated.

sloshburch · ‎09-25-2019

Also, that's written by a partner. If something goes wrong you'll want to be able to get support. Support will only be provided for material in the official Splunk documentation, not from partners.

barriersbill · ‎08-22-2019

@woodcock @somesoni2 @MuS @martin_mueller @niketnilay @richgalloway :
Could you please give me your input on this ?

ppablo · ‎08-23-2019

Hi @barriersbill

I'm glad you're turning to the Answers community for help with your question, and that you believe in the skill and knowledge of our top SplunkTrust members! Do keep in mind though that it's not the best etiquette to @ mention a handful of users to answer you when your question has only been live for 5 minutes on the forum. Be aware that @ mentioning a user kicks off an email to their inboxes, so this can be seen as spamming experts for help when the overall community wasn't given a chance to try addressing your issue first. The community here is fairly active, so I'm sure someone with the right expertise would have come along to help you out. Even just adding the appropriate tags to your question goes a long way since there are experts following those topics, so they get notified already.

Everyone here is volunteering time out of their busy schedules to help users when they have the time and space to dedicate to the community, so it's best to be mindful of that. @ mentioning is best used when a problem is already trying to be worked out through some back and forth engagement between users. If you're hitting a roadblock, that's the time where @ mentioning a specific user you know is an expert in that area would be best received.

Thanks for your participation in the Splunk community and I hope this helps!

Patrick
Sr. Community Manager

Different Splunk Version in Indexer Cluster

indexer

upgrade

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM