Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Server OS Security patching

maheshnc
Path Finder
‎09-24-2025 11:46 PM

Hello,

Our operations team is supposed to perform OS Security patching on indexer cluster, search head, Heavy Forwarders, deployment server and licence master, I want to know, as a Splunk admin what are the prechecks and post-checks need to be performed? for example, do we need to take backup etc.

thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

maheshnc
Path Finder
‎09-25-2025 04:08 AM

Thanks!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
SplunkTrust
SplunkTrust
‎09-25-2025 12:30 AM

@maheshnc 

In addition to the other steps, make sure to back up the /opt/splunk/bin directory on the Heavy Forwarders. If any custom scripts were placed directly in /opt/splunk/bin, it’s essential to include this directory in your pre-patching backup.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

PrewinThomas
Motivator
‎09-25-2025 12:03 AM

@maheshnc 

General best practices are,

Backups & Config Safety first
-Back up $SPLUNK_HOME/etc (configs, apps, knowledge objects).
-Back up critical KV Store collections
-VM snapshots or system‑level backups in case rollback is needed.

For Indexer Cluster:
-Put the cluster into maintenance mode.
-Better patch one peer at a time.

Post Checks
Service Validation
-Confirm Splunk service is running
-Verify web UI(Applicable ones) and CLI access

Cluster Health
-Indexer Cluster - all peers should be Up and In‑Sync.
-SHC - all members should be Up and Ready
-Disable maintenance mode once all peers are patched


Data Flow
-Perform simple searches (index=YOUR_INDEX | head 5) to confirm indexing is happening.
-Check forwarders are still connected (Settings → Forwarder Management)

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

maheshnc
Path Finder
‎09-25-2025 04:08 AM

Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...