Installation

Maintenance-Mode versus offfline

mike_k
Path Finder

I'm trying to understand the distinction between when I would use splunk enable maintenance-mode on my Cluster Master versus using the Splunk offline on an individual Indexer within the cluster.

I understand that splunk enable maintenance-mode is done for the over-all cluster and "halts most bucket fixup activity and prevents frequent rolling of hot buckets." Whereas Splunk offline is used on an individual cluster to "shutdown the peer in a way that does not affect existing searches."

Does the Splunk offline command also cause the Cluster Master to halt bucket fixup activity at the cluster level or is there a benefit in first running splunk enable maintenance-mode on the cluster master before running Splunk offline on the Indexer?

Most of the time, I would be doing OS level maintenance activities (e.g Windows updates) on one Indexer at a time and really just trying to determine the best practise method ..... where Splunk doesn't have a bunch of bucket fixing to do afterwards.

Labels (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

as you know maintenance mode disable all fix up tasks in cluster. Basically splunk offline means that when service/ splunk goes down, it first assigned it’s primary buckets to other nodes so new searches could find all data. It didn’t affect to maintenance mode. Splunk offline could affect current searches. 

We are also using maintenance mode + offline mainly for OS or storage maintenance stuff.

Basically you should do first enable maintenance mode then offline node by node. Depending on your environment you should disable maintenance mode after each node is up and wait that bucket replication and fix up tasks ha# done and then continue from 1st step.

r. Ismo

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Hi

as you know maintenance mode disable all fix up tasks in cluster. Basically splunk offline means that when service/ splunk goes down, it first assigned it’s primary buckets to other nodes so new searches could find all data. It didn’t affect to maintenance mode. Splunk offline could affect current searches. 

We are also using maintenance mode + offline mainly for OS or storage maintenance stuff.

Basically you should do first enable maintenance mode then offline node by node. Depending on your environment you should disable maintenance mode after each node is up and wait that bucket replication and fix up tasks ha# done and then continue from 1st step.

r. Ismo

mike_k
Path Finder

Thanks for that info.

Much appreciated.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...