
How to update an indexer cluster?

Explorer

Hi everyone,
I have to update (6.1.8 -> 6.4.3) a Splunk deployment built of 1 Master, 2 Search Heads (non-pooled), 2 indexers (cluster) and a few forwarders. I've checked the manuals, but I'm still unsure what the correct process is, especially for the indexer cluster.
Must I take both indexers and the master down until all three are updated?

Regards,
Bernhard

0 Karma

Re: How to update an indexer cluster?

Legend

I have updated indexer clusters from 6.3 to 6.4 using the following procedure:

  1. Take the cluster master offline and update it. Restart.
  2. Put the cluster in maintenance mode.
  3. Update each indexer and then restart it. As an indexer restarts, it should rejoin the cluster.
  4. After all indexers are updated, turn off maintenance mode.
  5. Wait until the indexer cluster stabilizes - it should quickly catch up on its replication.
  6. Update and restart the search heads one at a time.
  7. The forwarders do not need to be updated, but if you want to update them, you can do it at any time.

From 6.1.8 to 6.4.3 is a larger "jump." I would be less confident with that. But you could take down all the Splunk indexers and the cluster master in step 1 (i.e., stop Splunk on all of them). Then update the master and put it in maintenance mode. Continue with step 3. That is a more conservative approach. The cluster will be offline slightly longer.

Do use maintenance mode.


Re: How to update an indexer cluster?

Builder

This is great information. I am looking to upgrade from 6.4 to 6.5 soon for our environment, and your post added some confidence to my planning 🙂

0 Karma

Re: How to update an indexer cluster?

Splunk Employee

Are you following the procedure in Upgrade an indexer cluster, in the Managing Indexers and Clusters of Indexers manual? The steps are pretty clear. You have to stop the master and all the peers and search heads, yes. And lguinn is right (as always), you want to use maintenance mode. You also want to use splunk stop to bring the peers offline, not splunk offline. See the docs!


Re: How to update an indexer cluster?

Splunk Employee

Hi @scheckenbachb - Did the answers provided by lguinn or ChrisG help at all? If so, please don't forget to resolve this post by clicking "Accept" below the best answer and up vote any comments you found helpful. If not, please provide some more feedback by leaving a comment. Thank you!

0 Karma