Hello,
I need to upgrade the version on the Splunk indexer from 6.2 to 6.3.1 in a clustered environment, and for that I need to take a backup.
Is this sufficient? Or, in addition to this, what else is required?
$SPLUNK_HOME/var/lib/splunk/default/db/*
$SPLUNK_HOME/etc/
Just backup everything; the software is so small compared to the data that it is insignificant. Besides, if you need to restore, you will be restoring the old software anyway (because there was a problem with the upgrade).
The process should be this:
1. Block ports 9997 and 9998 on the Indexer so that incoming data cannot arrive from forwarders.
2. Remove the Indexer from all Search Heads as a Search Peer (now ALL searches will be missing a little bit of data, so let people know by updating `web.conf` with a warning message).
3. You have now successfully isolated this 1 Indexer.
4. Do your backup (copy everything).
5. Upgrade the software by reinstalling it OVER the original location.
6. Start Splunk.
7. Answer the questions (you should almost always say `Yes` to every question).
8. Re-add the Indexer to one Search Head and see that old data is still available in your search results (see the `splunk_server` field).
9. If everything is OK, unblock ports 9997 and 9998 on the Indexer and see that new data is available in your search results.
10. Re-add the Indexer to all Search Heads.
11. Done.
If you are in a clustered environment, it will be a little different.
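The backup step above ("copy everything"), as an added example that is not part of the original answer: a shell function that archives `etc/` and `var/lib/splunk/` under `$SPLUNK_HOME`, records a SHA-256 of the archive, and lets you re-verify it before you rely on it for a restore. The function names, archive name and `.sha256` file are assumptions for illustration, and it assumes the indexer is already isolated as in the steps above.

```shell
#!/bin/sh
# Added example: pre-upgrade backup of a Splunk indexer with integrity check.
# Function names, archive naming and the .sha256 file are illustrative
# assumptions, not Splunk tooling.
# Usage: backup_splunk "$SPLUNK_HOME" /path/to/backup/dir

# backup_splunk <splunk_home> <dest_dir>
# Archives etc/ (configuration) and var/lib/splunk/ (index buckets),
# writes a SHA-256 record next to the archive, and prints the archive path.
backup_splunk() {
    local home="$1" dest="$2"
    local stamp archive name
    [ -d "$home/etc" ] || { echo "no etc/ under $home" >&2; return 1; }
    [ -d "$home/var/lib/splunk" ] || { echo "no var/lib/splunk under $home" >&2; return 1; }
    mkdir -p "$dest" || return 1
    stamp="$(date +%Y%m%d-%H%M%S)"
    name="splunk-preupgrade-$stamp.tar.gz"
    archive="$dest/$name"
    # -C keeps member paths relative, so a restore can target any SPLUNK_HOME
    tar -czf "$archive" -C "$home" etc var/lib/splunk || return 1
    # Hash record: detects a truncated or altered archive before a restore
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 1
    # Reading the full archive back proves it was written completely
    tar -tzf "$archive" > /dev/null || return 1
    echo "$archive"
}

# verify_backup <archive>
# Re-checks the archive against its recorded hash; non-zero on mismatch.
verify_backup() {
    local archive="$1"
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" > /dev/null 2>&1 )
}
```

Run `verify_backup` again just before any restore, and keep the archive on storage other than the indexer being upgraded.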