Installation

Maintenance-Mode versus offfline

mike_k
Path Finder

I'm trying to understand the distinction between when I would use splunk enable maintenance-mode on my Cluster Master versus using the Splunk offline on an individual Indexer within the cluster.

I understand that splunk enable maintenance-mode is done for the over-all cluster and "halts most bucket fixup activity and prevents frequent rolling of hot buckets." Whereas Splunk offline is used on an individual cluster to "shutdown the peer in a way that does not affect existing searches."

Does the Splunk offline command also cause the Cluster Master to halt bucket fixup activity at the cluster level or is there a benefit in first running splunk enable maintenance-mode on the cluster master before running Splunk offline on the Indexer?

Most of the time, I would be doing OS level maintenance activities (e.g Windows updates) on one Indexer at a time and really just trying to determine the best practise method ..... where Splunk doesn't have a bunch of bucket fixing to do afterwards.

Labels (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

as you know maintenance mode disable all fix up tasks in cluster. Basically splunk offline means that when service/ splunk goes down, it first assigned it’s primary buckets to other nodes so new searches could find all data. It didn’t affect to maintenance mode. Splunk offline could affect current searches. 

We are also using maintenance mode + offline mainly for OS or storage maintenance stuff.

Basically you should do first enable maintenance mode then offline node by node. Depending on your environment you should disable maintenance mode after each node is up and wait that bucket replication and fix up tasks ha# done and then continue from 1st step.

r. Ismo

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Hi

as you know maintenance mode disable all fix up tasks in cluster. Basically splunk offline means that when service/ splunk goes down, it first assigned it’s primary buckets to other nodes so new searches could find all data. It didn’t affect to maintenance mode. Splunk offline could affect current searches. 

We are also using maintenance mode + offline mainly for OS or storage maintenance stuff.

Basically you should do first enable maintenance mode then offline node by node. Depending on your environment you should disable maintenance mode after each node is up and wait that bucket replication and fix up tasks ha# done and then continue from 1st step.

r. Ismo

mike_k
Path Finder

Thanks for that info.

Much appreciated.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...