Installation

Maintenance-Mode versus offfline

mike_k
Path Finder

I'm trying to understand the distinction between when I would use splunk enable maintenance-mode on my Cluster Master versus using the Splunk offline on an individual Indexer within the cluster.

I understand that splunk enable maintenance-mode is done for the over-all cluster and "halts most bucket fixup activity and prevents frequent rolling of hot buckets." Whereas Splunk offline is used on an individual cluster to "shutdown the peer in a way that does not affect existing searches."

Does the Splunk offline command also cause the Cluster Master to halt bucket fixup activity at the cluster level or is there a benefit in first running splunk enable maintenance-mode on the cluster master before running Splunk offline on the Indexer?

Most of the time, I would be doing OS level maintenance activities (e.g Windows updates) on one Indexer at a time and really just trying to determine the best practise method ..... where Splunk doesn't have a bunch of bucket fixing to do afterwards.

Labels (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

as you know maintenance mode disable all fix up tasks in cluster. Basically splunk offline means that when service/ splunk goes down, it first assigned it’s primary buckets to other nodes so new searches could find all data. It didn’t affect to maintenance mode. Splunk offline could affect current searches. 

We are also using maintenance mode + offline mainly for OS or storage maintenance stuff.

Basically you should do first enable maintenance mode then offline node by node. Depending on your environment you should disable maintenance mode after each node is up and wait that bucket replication and fix up tasks ha# done and then continue from 1st step.

r. Ismo

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Hi

as you know maintenance mode disable all fix up tasks in cluster. Basically splunk offline means that when service/ splunk goes down, it first assigned it’s primary buckets to other nodes so new searches could find all data. It didn’t affect to maintenance mode. Splunk offline could affect current searches. 

We are also using maintenance mode + offline mainly for OS or storage maintenance stuff.

Basically you should do first enable maintenance mode then offline node by node. Depending on your environment you should disable maintenance mode after each node is up and wait that bucket replication and fix up tasks ha# done and then continue from 1st step.

r. Ismo

mike_k
Path Finder

Thanks for that info.

Much appreciated.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...