Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk index cluster + search head cluster upgrade 6.4.1 to 6.5. Holding forward data in a queue

bryanwiggins
Path Finder
‎11-21-2016 05:47 AM

Hi

environment (all linux OS based):
3x index cluster peers
1x cluster master
1x deployer/license master
3x search head cluster peers
2x heavy forwarders

Question:
I have been reading the following documentation for upgrading splunk - http://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/Upgradeacluster - I read from it that it is still not possible to perform rolling upgrades? A shame if that is true, as ELK is still a possible option for us and afaik you can run rolling upgrades on ELK clusters.

If it is the case that we cannot at this point do rolling upgrades on our splunk nodes, is there a preferred approach to how we queue data coming in from the heavy forwarders?

I have been reading the following documentation relating to forwarders 'wait queue' -http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Protectagainstlossofin-flightdata - and my thinking is that I could increase the 'readTimeout' in the 'outputs.conf' to some arbitrary figure to cover the cluster upgrade process (will test in a lab first to get expected time). depending that we have enough disk capacity for the 'wait queue' is my thinking ok?

Also, does anybody know if splunk are planning to allow for rolling upgrades in the near-future, as i'm sure I wouldn't be the only one seeing this as more than desirable 🙂

Thx
Bry

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎11-21-2016 04:58 PM

Rolling upgrades are currently only supported for maintenance releases (e.g. v6.4.3 -> v6.4.4). I don't know what their roadmap is for extending rolling upgrade support, but I would expect they will.

Events will queue on the forwarders automatically in memory when the indexers are unreachable. If you think they will be unreachable for an extended period of time, you may want to enable persistent queues. See: https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Usepersistentqueues

View solution in original post

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...