
Step by Step to upgrade Splunk?

mc_i02035
Observer

Hi, we have Dev and Prod Linux servers which contain Splunk agents.

The infrastructure on Prod (V 8.2.2.1) contains:

- Heavy Forwarder

- 3 Indexes 

- Search Head

- DS, LM, MC, SHCD Agent

Dev infrastructure (V 8.0.1) contains:

- Search Head

- Index

- Deploy

I wanna know how to update correctly.

I mean, which servers must we update first, and how can I make a backup of our apps so we don't lose something in the process?

Thank you very much.

0 Karma

splunkmarroko
Engager

Hello,

First and foremost, always start with creating a backup:

1- Create a backup of $SPLUNK_HOME/etc of every single Splunk server you have
2- Start with stand-alone servers and move on to clusters
3- Grab the wget command from splunk.com
4- If you choose to use rpm,
    - stop Splunk: /opt/splunk/bin/splunk stop
    - run: rpm -U splunk_package....
5- Start Splunk: /opt/splunk/bin/splunk start --accept-license
6- Check if everything went well:
    tail -f /opt/splunk/var/log/splunk/splunkd.log

0 Karma
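
Step 1 of the answer above, as an added example that is not part of the original post: a shell function that archives $SPLUNK_HOME/etc with restrictive permissions and verifies the archive by extracting it and comparing it with the source. The function name `backup_splunk_etc`, the archive naming and the backup directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): back up $SPLUNK_HOME/etc before an upgrade.
# Run it while splunkd is stopped so files do not change between archiving
# and verification.

# backup_splunk_etc SPLUNK_HOME BACKUP_DIR
# Prints the archive path on success; returns non-zero on any failure.
backup_splunk_etc() {
    local splunk_home="$1" backup_dir="$2"
    local stamp archive verify_dir

    [ -d "$splunk_home/etc" ] || { echo "no etc directory under $splunk_home" >&2; return 1; }

    # etc/ holds auth/splunk.secret and the passwd file, so keep the backup private.
    mkdir -p "$backup_dir" || return 1
    chmod 700 "$backup_dir" || return 1

    stamp="$(date +%Y%m%d-%H%M%S)"
    archive="$backup_dir/splunk-etc-$(uname -n)-$stamp.tar.gz"   # naming is an assumption

    # -C stores paths relative to SPLUNK_HOME ("etc/..."); -p keeps file permissions.
    tar -C "$splunk_home" -czpf "$archive" etc || return 1
    chmod 600 "$archive" || return 1

    # Verify: extract into a scratch directory and compare with the live tree.
    verify_dir="$(mktemp -d)" || return 1
    if tar -C "$verify_dir" -xzpf "$archive" \
        && diff -r "$splunk_home/etc" "$verify_dir/etc" >/dev/null; then
        rm -rf "$verify_dir"
        echo "$archive"
        return 0
    fi
    rm -rf "$verify_dir"
    echo "verification failed for $archive" >&2
    return 1
}

# Stand-alone use: ./backup_etc.sh /opt/splunk /var/backups/splunk
if [ "$#" -ge 2 ]; then
    backup_splunk_etc "$1" "$2"
fi
```

To restore, stop Splunk and extract the archive with `tar -C "$SPLUNK_HOME" -xzpf <archive>`.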

gcusello
SplunkTrust

Hi @mc_i02035,

You can follow the order described by @PickleRick or other similar answers that you can find in the Community (some of them by myself, e.g. https://community.splunk.com/t5/Installation/What-is-the-best-approach-for-upgrading-Splunk-Enterpri... !).

Anyway, it's always a best practice to have a copy of the entire Splunk folder so you can restore your initial configuration if something goes wrong, but I usually didn't find any problems in upgrade.

Anyway, as you can read in the above links you can directly migrate from your version to 9.0.x version without passing through an intermediate version.

Then I'd migrate first the dev infrastructure and then the prod infrastructure.

Only two questions:

  • when you say MC you mean Monitoring Console, I suppose, is that correct?
  • do you have an Indexer Cluster or Search Head Cluster?

Anyway, the path for the dev infrastructure should be:

  • SH,
  • Indexer,
  • DS

The path for the Prod infrastructure depends on the presence of Clusters:

  • without clusters
    • SH
    • IDX,
    • DS, LM, MC, 
    • HF
    • UF
  • with clusters
    • Master Node (Cluster Master)
    • Deployer,
    • SH
    • IDX,
    • DS, LM, MC, 
    • HF
    • UF

You can find interesting documentation at 

https://lantern.splunk.com/Splunk_Platform/Product_Tips/Enterprise/Upgrading_Splunk_Enterprise

https://docs.splunk.com/Documentation/Splunk/9.0.4/Installation/HowtoupgradeSplunk

https://docs.splunk.com/Documentation/Splunk/9.0.4/Indexer/Aboutclusters

Ciao.

Giuseppe

0 Karma

MatheoCaneva1
New Member

Hi @gcusello. How are you? I'm the same person who had uploaded the question two years ago.

How can I check if we have an Indexer Cluster? The same with the Search Head.

About the MC, yes, it is a Monitoring Console.

We have a total of 6 servers.

1 of them includes all of Distributed Search, License Manager, Monitoring Console and SHCD, which I don't know exactly what it is.

Then we have 3 indexer servers

1 server is the Heavy Forwarder

The last one is the Search Head.

Regards!

0 Karma

gcusello
SplunkTrust

Hi @MatheoCaneva1 ,

If you have 3 Indexers (IDX), 1 Search Head (SH), 1 Heavy Forwarder (HF) and a server with many roles, you should check whether this last one is also the Cluster Manager, in other words, whether you have an Indexer Cluster, even if it's strange that you don't know if you have it!

You can check this by accessing this server and viewing [Settings > Indexer Cluster]: in this dashboard, you can see if you have an Indexer Cluster and its status.

About the Search Head Cluster, you surely don't have one because you have only one SH (at least three SHs are required!).

The SHCD is the Search Head Cluster Deployer, a machine delegated to manage Search Head Clusters, but you don't have a Search Head Cluster so you don't have it.

Distributed Search isn't a Splunk role; probably you mean Deployment Server, to manage Forwarders and eventually Search Heads (if you don't have a Cluster).

Summarizing:

If you have an Indexer Cluster, you have to upgrade your servers following this order:

  • Cluster Manager (that's also DS, LM, MC)
  • SH
  • IDX,
  • HF
  • UF

If you don't have an Indexer Cluster:

  • SH
  • IDX,
  • DS, LM, MC, 
  • HF
  • UF

Lastly, I suggest reading this document that describes Splunk Architectures, to understand yours: https://docs.splunk.com/Documentation/SVA/current/Architectures/About

Ciao.

Giuseppe

0 Karma

PickleRick
SplunkTrust

If you read the docs, you'll get - after resolving several references - the recommended order.

Also

https://community.splunk.com/t5/Installation/What-s-the-order-of-operations-for-upgrading-Splunk-Ent...

There are some possible deviations from that order, but in general it's a best practice and that's what you should stick to.

0 Karma