Installation

How to upgrade multi-site indexer cluster WITH search head cluster, Splunk Enterprise 7.2 -> 7.3

aaronbarry73
Path Finder

Upgrading from 7.2.5 to 7.3.3 to mitigate the Datetime.xml problem before the new year.
I have a multi-site indexer cluster, five peers in site1, five peers in site2.
I have a search head cluster, 6 members in site1 and 4 members in site2.

If I can use the site-by-site upgrade option, then I can keep ingesting data and maintain integrity, I never have to bring down all indexers at once. However, this option doesn't seem to account for a search head cluster, where there is also a deployer to worry about.
It seems the other option is to upgrade in tiers. This option accounts for the deployer and I can do a rolling restart of the search head members, but the indexers must be brought down all at once.
Am I missing something in the docs? Or is it acceptable to somehow combine the two by nesting the site-by-site indexer upgrade within the tiered upgrade? Like this:
1. Upgrade the Cluster Master
2. Perform a rolling upgrade of the search head cluster

a. Upgrade a non-captain member
b. Upgrade the other members
c. Upgrade the deployer
d. Finalize the rolling upgrade
3. Upgrade site1 indexers
4. Upgrade site2 indexers
Thanks for any help!

Labels (3)
0 Karma
1 Solution

aaronbarry73
Path Finder

I think I found it. There is a link I missed in the docs for "Perform a rolling upgrade of an indexer cluster".
This document, combined with the links in the OP will work for me I think.

  1. Run Preliminary health checks
  2. Upgrade the cluster master
  3. Perform a rolling upgrade of a search head cluster
  4. Perform a rolling upgrade of an indexer cluster

I might be able to get away with bringing down the indexers one site at a time, but not sure. Instead i'll probably go one-by-one before finalizing.

View solution in original post

0 Karma

aaronbarry73
Path Finder

I think I found it. There is a link I missed in the docs for "Perform a rolling upgrade of an indexer cluster".
This document, combined with the links in the OP will work for me I think.

  1. Run Preliminary health checks
  2. Upgrade the cluster master
  3. Perform a rolling upgrade of a search head cluster
  4. Perform a rolling upgrade of an indexer cluster

I might be able to get away with bringing down the indexers one site at a time, but not sure. Instead i'll probably go one-by-one before finalizing.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I would use the approach you suggest.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...