Good day! I have RF=3 and SF=3. I also have a forwarder which is load-balancing the forwarding of logs to 3 indexers. I'm going to update the IPs of the 3 indexers. If I do it one by one, is it better if I stop Splunk on the forwarder, then stop the Splunk indexer, then change the IP?
I would suggest adding one more interface on the server with the new IP. Change all forwarders' configuration to send data to the new IP. After that, remove the old IP interface from the server. But you need to reboot the server when you add or remove the new interface.
This is a bit more of a networking question than necessarily a Splunk administration question.
Are you using straight-up IPs in your outputs.conf? I would suggest using hostnames and editing your A records, and including @harsmarvania57's input as well on the server side. Or instead use a VIP or an A record pointing to multiple IPs of your indexers. His advice probably reduces the most friction possible. My advice adds further to his.
Let us know your decision/progress!
Your best approach would be as follows:
1) Add the new addresses to the outputs.conf on your HF layer. If the HF cannot connect to an IP, it will roll to the next one without data being lost.
2) Change your indexers' IP addresses one at a time; bring up the IP and make sure your Splunk input is listening.
3) Repeat for all the indexers.
4) Validate that the HF is connecting to all ($SPLUNK_HOME/bin/splunk list forward-server).
5) Remove the old IPs from the outputs.conf on the HF.
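Steps 4 and 5 of the answer above, as an added example that is not part of the original post: a shell check that parses the output of splunk list forward-server and lists every new indexer address not yet under "Active forwards:", so the old IPs are removed only when that list is empty. The section headings are assumed from typical output of that command; the addresses and port 9997 are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: gate step 5 (remove old IPs) on step 4 (all new IPs active).
# Assumption: `splunk list forward-server` prints two sections headed
# "Active forwards:" and "Configured but inactive forwards:", with one
# host:port entry per line under each heading.

# Print each expected host:port that is NOT listed under "Active forwards:".
#   $1      = captured output of `splunk list forward-server`
#   $2...   = host:port entries that must be active before old IPs are removed
missing_active() {
    local output=$1; shift
    local active want
    active=$(printf '%s\n' "$output" | awk '
        /^Active forwards:/                  { sect = "active";   next }
        /^Configured but inactive forwards:/ { sect = "inactive"; next }
        sect == "active" && NF               { print $1 }')  # $1 drops indent and any trailing tag
    for want in "$@"; do
        # Exact, whole-line match so 10.0.0.1 never matches 10.0.0.11
        printf '%s\n' "$active" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample output (documentation-range addresses): two indexers
# have already moved to their new IP, the third has not come up yet.
SAMPLE_OUTPUT='Active forwards:
    198.51.100.11:9997
    198.51.100.12:9997
Configured but inactive forwards:
    192.0.2.11:9997
    192.0.2.12:9997
    192.0.2.13:9997
    198.51.100.13:9997'

# Constructed list of the new indexer addresses added in step 1.
NEW_INDEXERS="198.51.100.11:9997 198.51.100.12:9997 198.51.100.13:9997"

# Run the check against the sample; on the HF, replace SAMPLE_OUTPUT with
#   out=$("$SPLUNK_HOME/bin/splunk" list forward-server)
check_sample() {
    # shellcheck disable=SC2086  # word splitting of the address list is intended
    missing_active "$SAMPLE_OUTPUT" $NEW_INDEXERS
}
```

An empty result means every new address is an active forward; any address printed is still inactive and the old entries should stay in outputs.conf until it clears.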
Thanks for all your responses. My only concern here is: if the forwarder cannot see one of my 3 indexers, does it forward the logs to the available indexer?