Can we upgrade the Indexer Cluster and Cluster Master with no downtime?
As per our security regulatory requirements, we cannot have downtime for the Splunk upgrade.
We will be upgrading from 6.5.3 to 7.1.6.
If yes, can you share the procedure?
You have two ways of doing it, either by bringing everything down:
Or by splitting the tiers and upgrading servers separately:
The second approach will give you the lowest downtime, BUT your indexers will have to be down during the upgrade. It is, however, possible to do a rolling upgrade as shown here if you are running Splunk version 7.1 or later:
Let me know if that helps.
It depends on your definition of downtime. The cluster master cannot be upgraded without being restarted. During the restart it is "down", but the indexer cluster will continue to function.
The cluster itself can also be upgraded one indexer at a time, but each indexer must be down for a short time. If your replication and search factors are at least 2, then the cluster will continue to index data and process searches.
The procedure for upgrading a cluster is documented at https://docs.splunk.com/Documentation/Splunk/7.3.0/Indexer/Upgradeacluster.