Solved: Upgrade Splunk to newer version

amitm05 · ‎04-30-2018

I have a Splunk Enterprise Clustered environment and I've TBs of data coming in per day.
Now, while going for an upgrade of my splunk on Indexers and Search Heads - I want to talk about and clear my doubt about my indexed data backup (especially the hot and warm buckets).

What would the best practice. Whether to stop all the indexers and upgrade them and then start them ? Although I feel this will pose a downtime and will increase to the choking of forwarders when the indexers come back online.
OR
I should go for one by one upgrade of the indexers. In this approach after the I start upgrading the indexers and while its in progress, the old versioned and new versioned Indexers will have to work in sync. Does that cause any problem ?
After upgrading the indexer and restart- Do the hot bucket resumes seamlessly ?

Please do not just provide http://docs.splunk.com/Documentation/Splunk/6.4.0/Indexer/Backupindexeddata

Thanks !

FrankVl · ‎04-30-2018

Instead of looking at the backup documentation, I would suggest to take a look at the upgrade documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Installation/UpgradeyourdistributedSplunkEnterpri...

(Make sure to select the relevant Splunk version, I linked to the latest version documentation)

I think in general a one by one upgrade would make more sense, as taking the entire indexer cluster offline is bound to lead to data loss (unless your type of data sources and forwarder architecture has sufficient caching capability in it to manage such an extended downtime of all indexers).

View solution in original post

FrankVl · ‎04-30-2018

Instead of looking at the backup documentation, I would suggest to take a look at the upgrade documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Installation/UpgradeyourdistributedSplunkEnterpri...

(Make sure to select the relevant Splunk version, I linked to the latest version documentation)

I think in general a one by one upgrade would make more sense, as taking the entire indexer cluster offline is bound to lead to data loss (unless your type of data sources and forwarder architecture has sufficient caching capability in it to manage such an extended downtime of all indexers).

xpac · ‎04-30-2018

From what I've seen, starting from 7.1.0. rolling upgrades are supported 🙂

amitm05 · ‎05-01-2018

What are rolling upgrades, how do they work ?

FrankVl · ‎05-01-2018

See: http://docs.splunk.com/Documentation/Splunk/7.1.0/DistSearch/SHCrollingupgrade and http://docs.splunk.com/Documentation/Splunk/7.1.0/Indexer/Searchablerollingupgrade

But as mentioned: that feature is new in 7.1.0, so only becomes useful when upgrading from 7.1.0 to a future version.

FrankVl · ‎04-30-2018

Yeah, that sounds really nice. You'd have to get to 7.1.0 first though, so I guess not too relevant for the @amitm05

xpac · ‎04-30-2018

Yep, just thought that would be a good reason to consider which version of Splunk to update to. 😉

Upgrade Splunk to newer version

upgrade

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...