I have to update (6.1.8 -> 6.4.3) a Splunk deployment build of 1 Master, 2 Search Heads (non-pooled), 2 indexer (cluster) and a few forwarder. I've check the manuals, but I'm still unsure what the correct process is. Especially the indexer cluster.
Must I take both indexer and master down until all three are updated?
I have updated indexer clusters from 6.3 to 6.4 using the following procedure
From 6.1.8 to 6.4.3 is a larger "jump." I would be less confident with that. But you could take down all the Splunk indexers and the cluster master in step 1 (ie, stop Splunk on all of them). Then update the master and put it in maintenance mode. Continue with step 3. That is a more conservative approach. The cluster will be offline slightly longer.
Do use maintenance mode.
This is great information. I am looking to upgrade from 6.4 to 6.5 soon for our environment, and your post added some confidence to my planning 🙂
Are you following the procedure in Upgrade an indexer cluster, in the Managing Indexers and Clusters of Indexers manual? The steps are pretty clear. You have to stop the master and all the peers and search heads, yes. And lguinn is right (as always), you want to use maintenance mode. You also want to use
splunk stop to bring the peers offline, not
splunk offline. See the docs!
Hi @scheckenbachb - Did the answers provided by lguinn or ChrisG help at all? If so, please don't forget to resolve this post by clicking "Accept" below the best answer and up vote any comments you found helpful. If not, please provide some more feedback by leaving a comment. Thank you!