Yes, you can upgrade without downtime. You will want to put the entire cluster into maintenance mode, then upgrade and restart each indexer in turn. The cluster master will redirect searches to the currently operating indexers. After all upgrades are complete, you can take the cluster out of maintenance mode. At that point, it will catch up on any replication that was missed during the upgrade.
If you have a search factor of 2, you can take down 1 indexer at a time for upgrades, and search will continue to work.
"Caution: When upgrading a 6.x single-site indexer cluster, such as 6.2, to a later 6.x cluster, such as 6.3 or 6.4, you must take down and upgrade all peer nodes as a single operation. You cannot perform a rolling, online upgrade of the peer nodes."
Is this a conflict, or am I missing something obvious?
Lguinn, I agree with you, but I also think it's worth noting that if there was any legacy data from before the cluster was built on any indexers currently (older data existing on any standalone Splunk indexers originally), then that data will not be available to the search heads when that particular indexer is down - unless the old data was copied to be replicated. Probably not something Daniel will have to worry about, but it's good to thoroughly understand that index clustering, when a cluster is first set up, only replicates new data coming into Splunk.