Deployment Architecture
Highlighted

Splunk server Patching

Communicator

Hi , My infra team is doing the Vulnerability patching on linux servers as we have 6 indexers clustered , we are doing patching on 3 indexers and 3 search heads clustered. is their anything that i need to do except validating the servers after patching ? as they are doing on 3 indexers i am thinking to enable maintenance mode ?

0 Karma
Highlighted

Re: Splunk server Patching

SplunkTrust
SplunkTrust

Yes, use maintenance mode. And run splunk offline on each indexer before it is patched.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma
Highlighted

Re: Splunk server Patching

Communicator

is it any problem if i use ./splunk stop command and after patching i will start the service , If i use splunk offline command what it will do and once patching finished how can i start splunk is by using ./splunk start ?

0 Karma
Highlighted

Re: Splunk server Patching

SplunkTrust
SplunkTrust

splunk offline is better. See https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Takeapeeroffline.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: Splunk server Patching

Communicator

Awesome thanks

0 Karma