How to upgrade multi-site indexer cluster WITH search head cluster, Splunk Enterprise 7.2 -> 7.3

aaronbarry73
Path Finder

Upgrading from 7.2.5 to 7.3.3 to mitigate the Datetime.xml problem before the new year.
I have a multi-site indexer cluster, five peers in site1, five peers in site2.
I have a search head cluster, 6 members in site1 and 4 members in site2.

If I can use the site-by-site upgrade option, then I can keep ingesting data and maintain integrity; I never have to bring down all indexers at once. However, this option doesn't seem to account for a search head cluster, where there is also a deployer to worry about.
It seems the other option is to upgrade in tiers. This option accounts for the deployer and I can do a rolling restart of the search head members, but the indexers must be brought down all at once.
Am I missing something in the docs? Or is it acceptable to somehow combine the two by nesting the site-by-site indexer upgrade within the tiered upgrade? Like this:
1. Upgrade the Cluster Master
2. Perform a rolling upgrade of the search head cluster
   a. Upgrade a non-captain member
   b. Upgrade the other members
   c. Upgrade the deployer
   d. Finalize the rolling upgrade
3. Upgrade site1 indexers
4. Upgrade site2 indexers

Thanks for any help!

1 Solution

aaronbarry73
Path Finder

I think I found it. There is a link I missed in the docs for "Perform a rolling upgrade of an indexer cluster".
This document, combined with the links in the OP, will work for me, I think.

  1. Run Preliminary health checks
  2. Upgrade the cluster master
  3. Perform a rolling upgrade of a search head cluster
  4. Perform a rolling upgrade of an indexer cluster

I might be able to get away with bringing down the indexers one site at a time, but I'm not sure. Instead, I'll probably go one-by-one before finalizing.


richgalloway
SplunkTrust

I would use the approach you suggest.

---
If this reply helps you, Karma would be appreciated.