Deployment Architecture

Are there any best practices for Upgrading Splunk server to RHEL 7.5?


We are planning to upgrade the VM server to RHEL 7.5 with splunk distributed deployment installed in them.
Do we have any documentation or best practices regarding steps? thanks!

0 Karma


Doing this as a comment, not answer, because this is not really canonical.

Splunk is only very loosely coupled to the OS and upgrades of the OS are not particularly important to Splunk. If there's no clustering in your environment, then you can do whatever, IMO, with the caveat that you probably really want all the OSes to be of nearly the same version. (If for no other reason than management should be easier).

With indexer clusters (and perhaps search head clustering) you'll want those boxes - the CM and indexers, or whatever is involved with SHC, to be upgraded all at once or at least within a relatively short time. Of course, to upgrade an indexer cluster, maintenance mode and all that needs to be done just because the expected downtime will likely be long enough you don't want panic bucket fixings...

Otherwise, it really shouldn't be a big deal.


Hey teddyidc1101,

Follow steps below:
Kindly test on dev environment first to check all config and indexed data is available after upgrade of VM.
Take backup of all instances.
You need to upgrade tiers in specific order and within each tier each node should be upgraded at same time:
Follow the order below for upgrades:
1. Master- stop splunk on the master, upgrade the VM and start splunk again.
Check all the cluster status in the Monitoring Console.Check if any errors in internal logs.
2. Search Head -
a.stop splunk on 1 search head, upgrade VM and start splunk again.
Now make that search head as captain and then repeat step a for all other search heads
3. Indexers-
Enable maintenance node on master.
Stop all the indexers.
Upgrade VM's
Start indexers and disable maintenance-mode.

Let me know if this helps!!

0 Karma


Thanks for this...will make it as guide for implementation.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...