Installation

How to upgrade the shared search head pooling from Splunk 6.0.3 to 6.2.1?

Hemnaath
Motivator

Hi All, ours is a distributed environment and I am planning to upgrade the Splunk search heads, which are currently running version 6.0.3, to 6.2.1 to sync the version with the other Splunk components, as they are already running 6.2.1.

Both search heads are installed in a VM Linux environment (Red Hat Enterprise Linux Server release 6.7 (Santiago)).

Using splunk as sudo root user

Steps to upgrade:
Search head 01
1) As an initial step before doing the upgrade, the entire configuration setup needs to be backed up by executing ./splunk diag
2) Once the entire splunk folder is backed up, stop the splunk service by executing the below command
/opt/splunk/bin/splunk stop
3) Remove the entire splunk folder by executing the rm -rf command
rm -rf /opt/splunk

4) Download Splunk version 6.2.1 (build 245427) from this link
https://www.splunk.com/eula/splunk/6.2.1?redirecturl=https%3A%2F%2Fwww.splunk.com%2Fpage%2Fdownload_...

5) Install the tar file under the /opt directory by executing the below command.
tar xvzf splunk-6.2.1-245427-Linux-x86_64.tgz -C /opt

6) Once installed, start the splunk service by executing the below command

/opt/splunk/bin/splunk start --accept-license

7) Follow the same steps for the other search head 02

Kindly guide me on whether these are the steps that should be followed to upgrade from 6.0.3 to 6.2.1, and also about the Splunk shared pooling server.
Thanks in advance.

0 Karma

Masa
Splunk Employee

The following link explains SHP upgrade:
http://docs.splunk.com/Documentation/Splunk/6.4.3/Installation/UpgradeyourdistributedSplunkEnterpris...

"splunk diag" does not collect all configuration. For backup, take the etc directory at least, and potentially var/lib/persistentstorage, var/lib/fishbucket and var/run/splunk/csv (this path might not be correct in v6.2.x). The csv folder might be empty if no one used the "outputcsv" command.
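
A pre-upgrade backup of the paths named in the reply above, as an added example that is not part of the original post and is not Splunk's own tooling. The function name, archive name and destination directory are assumptions; optional paths that do not exist are skipped, since the reply notes the csv path may differ on 6.2.x.

```shell
#!/bin/sh
# Added example: archive etc plus the optional state directories before an upgrade.
# All paths are relative to SPLUNK_HOME. Only etc is treated as mandatory.

backup_splunk_state() {
    home=$1    # e.g. /opt/splunk
    dest=$2    # backup directory, ideally on a different filesystem
    [ -d "$home/etc" ] || { echo "no etc directory under $home" >&2; return 1; }

    # etc/auth holds certificates and splunk.secret: keep the archive owner-only.
    old_umask=$(umask); umask 077
    mkdir -p "$dest" || { umask "$old_umask"; return 1; }

    # Build the list of paths to archive; missing optional paths are not fatal.
    set -- etc
    for rel in var/lib/persistentstorage var/lib/fishbucket var/run/splunk/csv; do
        if [ -e "$home/$rel" ]; then set -- "$@" "$rel"
        else echo "skipping missing $rel" >&2; fi
    done

    archive="$dest/splunk-preupgrade-$(date +%Y%m%d%H%M%S).tgz"
    tar czf "$archive" -C "$home" "$@" || { umask "$old_umask"; return 1; }
    # Read the archive back before anything under $home is touched.
    tar tzf "$archive" >/dev/null || { umask "$old_umask"; return 1; }
    # Record a checksum so the backup can be verified before a restore.
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    umask "$old_umask"
    echo "$archive"
}

# Stand-alone use: sh backup.sh /opt/splunk /backup/splunk
if [ "$#" -ge 2 ]; then backup_splunk_state "$1" "$2"; fi
```

Run it with Splunk stopped so the fishbucket and persistent storage are not changing while they are archived.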

Hemnaath
Motivator

Hi Masa, I tried to install Splunk version 6.0.3 on one of the test servers, but unfortunately, after installing Splunk 6.0.3 and accepting the license agreement, when I tried to log in via Splunk Web I got notified of license expiry, for this version only. Whereas when I tried to install different versions of Splunk like 6.2.1, 6.3.3, 6.4.1, 6.5.0, I am able to log in and access the portal.
Not sure why I am getting this information only for 6.0.3. Since our current prod environment is running 6.0.3, I tried to install the same in test. Kindly advise me why I am getting this message and how to overcome it.
Thanks in advance.

0 Karma

ramprakash
Explorer

Hi, could you please explain the below steps to me?

Place the confirmed working apps in the search head pool shared storage area
Copy the apps and user preferences from the search head to the shared storage

0 Karma

ramprakash
Explorer

Hi, were you successful in upgrading the environment?

0 Karma

Hemnaath
Motivator

Thanks Masa, but in the test environment we will have only one Splunk instance (free license), so in this case how do you test? Whereas in production we have two instances specifically designed as Splunk search head portals and connected with another server for shared search head pooling.

Going for Splunk professional services is not under my control, as it should be decided by management.

So could you please provide me the exact steps that I need to follow to do the upgrade, as it has been pending for many months.

Kindly guide me on this.

Thanks in advance.

0 Karma

Masa
Splunk Employee

With the free trial license you should be able to build a multi-instance test environment. You really should play around with SHP. Without it, most likely you will run into something where you're not sure what you're doing.

If you read the document and could not understand what it means, you're probably not ready to do it in the prod environment.

1. Certificates should not be affected in SHP in general.

2. The two questions you had above:
    Place the confirmed working apps in the search head pool shared storage area
    => Those apps come from the Search Head you tested in "Prepare the upgrade".
    Copy the apps and user preferences from the search head to the shared storage
    => Before this step, you have already upgraded and tested one of the SHs in the SHP. Once it works, you copy the apps and users directories to the SHP shared path.

3. You can disable the SHP configuration to remove a search head, so that the SH won't check the shared location.

I cannot really tell you the exact steps expected to work for your environment.
All I can tell is similar to the doc as default behavior; if you do not have any custom things it may or may not work.

My advice would be:
1. You test how SHP works and update in a test environment using virtual machines. This is very important before changing the production environment.

2. Contact your sales rep and ask for help with a little more detail if you're still not sure how to do the upgrade after reviewing the doc and testing it in the test env.

3. If you run into a problem at the migration stage, file a Support case and upload diags to the Support case for troubleshooting.

0 Karma

Hemnaath
Motivator

Hi Masa, can you guide me on the below points? As this is being done in the PRD environment, I want to make sure nothing goes wrong. Kindly guide me, thanks in advance.

0 Karma

Masa
Splunk Employee

Sorry, but I think you should try it in a test environment several times before trying it in the prod environment if this is your first time. Or, considering professional services would be a safe direction.

0 Karma

Hemnaath
Motivator

Thanks Masa for providing the required details. Since I am going to upgrade the version directly in the production environment, I want to be doubly sure about doing this.

I have the following doubts on upgrading.

1) We are not using the Splunk default root certificate for communication, so when I upgrade, will Splunk automatically fetch the required certificate information, or do I need to copy and paste it from the backup?

2) I did not understand these two steps mentioned in the documents, Copy the apps and user preferences from the search head to the shared storage.
Place the confirmed working apps in the search head pool shared storage area
Copy the apps and user preferences from the search head to the shared storage

3) How do I remove the search head from shared pooling?

As this is my first attempt at making these changes in Splunk on production, I want to get all my doubts clarified. Kindly guide me on this.

Thanks in advance.

0 Karma