Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Maintenance-Mode versus offfline

mike_k
Path Finder
‎06-03-2021 10:05 PM

I'm trying to understand the distinction between when I would use splunk enable maintenance-mode on my Cluster Master versus using the Splunk offline on an individual Indexer within the cluster.

I understand that splunk enable maintenance-mode is done for the over-all cluster and "halts most bucket fixup activity and prevents frequent rolling of hot buckets." Whereas Splunk offline is used on an individual cluster to "shutdown the peer in a way that does not affect existing searches."

Does the Splunk offline command also cause the Cluster Master to halt bucket fixup activity at the cluster level or is there a benefit in first running splunk enable maintenance-mode on the cluster master before running Splunk offline on the Indexer?

Most of the time, I would be doing OS level maintenance activities (e.g Windows updates) on one Indexer at a time and really just trying to determine the best practise method ..... where Splunk doesn't have a bunch of bucket fixing to do afterwards.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-04-2021 02:15 PM

Hi

as you know maintenance mode disable all fix up tasks in cluster. Basically splunk offline means that when service/ splunk goes down, it first assigned it’s primary buckets to other nodes so new searches could find all data. It didn’t affect to maintenance mode. Splunk offline could affect current searches. 

We are also using maintenance mode + offline mainly for OS or storage maintenance stuff.

Basically you should do first enable maintenance mode then offline node by node. Depending on your environment you should disable maintenance mode after each node is up and wait that bucket replication and fix up tasks ha# done and then continue from 1st step.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-04-2021 02:15 PM

Hi

as you know maintenance mode disable all fix up tasks in cluster. Basically splunk offline means that when service/ splunk goes down, it first assigned it’s primary buckets to other nodes so new searches could find all data. It didn’t affect to maintenance mode. Splunk offline could affect current searches. 

We are also using maintenance mode + offline mainly for OS or storage maintenance stuff.

Basically you should do first enable maintenance mode then offline node by node. Depending on your environment you should disable maintenance mode after each node is up and wait that bucket replication and fix up tasks ha# done and then continue from 1st step.

r. Ismo

Reply
Solved! Jump to solution

mike_k
Path Finder
‎06-10-2021 08:46 PM

Thanks for that info.

Much appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...