Maintenance-Mode versus offline

mike_k
Path Finder

I'm trying to understand the distinction between when I would use splunk enable maintenance-mode on my Cluster Master versus using the Splunk offline on an individual Indexer within the cluster.

I understand that splunk enable maintenance-mode is done for the overall cluster and "halts most bucket fixup activity and prevents frequent rolling of hot buckets." Whereas Splunk offline is used on an individual cluster to "shutdown the peer in a way that does not affect existing searches."

Does the Splunk offline command also cause the Cluster Master to halt bucket fixup activity at the cluster level or is there a benefit in first running splunk enable maintenance-mode on the cluster master before running Splunk offline on the Indexer?

Most of the time, I would be doing OS level maintenance activities (e.g. Windows updates) on one Indexer at a time and really just trying to determine the best practice method ... where Splunk doesn't have a bunch of bucket fixing to do afterwards.

0 Karma
1 Solution

isoutamo
SplunkTrust

Hi

As you know, maintenance mode disables all fix-up tasks in the cluster. Basically, splunk offline means that when the service/Splunk goes down, it first assigns its primary buckets to other nodes so new searches can find all data. It doesn't affect maintenance mode. Splunk offline could affect current searches.

We are also using maintenance mode + offline mainly for OS or storage maintenance stuff.

Basically, you should first enable maintenance mode, then offline node by node. Depending on your environment, you should disable maintenance mode after each node is up, wait until bucket replication and fix-up tasks are done, and then continue from the 1st step.

r. Ismo
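
The rolling procedure described in the answer above, written out as an added example; it is not part of the original post and is not Splunk's own tooling. It assumes Linux hosts reachable over ssh, the placeholder host name and install path shown, and the health-check lines printed by `splunk show cluster-status --verbose`; all function and variable names are hypothetical.

```shell
# Rolling OS maintenance across indexer cluster peers, one peer at a time.
# All function and variable names here are hypothetical.
CM="${CM:-cm.example.internal}"              # cluster master (placeholder host)
SPLUNK="${SPLUNK:-/opt/splunk/bin/splunk}"   # assumed install path
POLL_SECS="${POLL_SECS:-30}"
MAX_POLLS="${MAX_POLLS:-120}"

# Assumes key-based ssh and an authenticated Splunk CLI session on each host.
run_on() { host=$1; shift; ssh "$host" "$@"; }

# Operator hook: replace with your own patch/reboot tooling.
os_maintenance() { printf 'Patch %s, then press Enter: ' "$1"; read -r reply; }

# True only if the master reports all three health-check lines as YES
# (assumed output format of "show cluster-status --verbose").
cluster_healthy() {
    out=$(run_on "$CM" "$SPLUNK" show cluster-status --verbose) || return 1
    for check in 'Replication factor met' 'Search factor met' \
                 'No fixup tasks in progress'; do
        printf '%s\n' "$out" | grep "$check" | grep -q 'YES[[:space:]]*$' \
            || return 1
    done
}

# Poll until fix-up has finished, giving up after MAX_POLLS attempts.
wait_for_fixup() {
    n=0
    until cluster_healthy; do
        n=$((n + 1))
        [ "$n" -ge "$MAX_POLLS" ] && return 1
        sleep "$POLL_SECS"
    done
}

maintain_peer() {
    peer=$1; rc=0
    # Added safety check: never start on a cluster that is already degraded.
    cluster_healthy || { echo "cluster degraded, not touching $peer" >&2; return 1; }
    run_on "$CM" "$SPLUNK" enable maintenance-mode --answer-yes || return 1
    { run_on "$peer" "$SPLUNK" offline && os_maintenance "$peer" &&
      run_on "$peer" "$SPLUNK" start; } || rc=1
    # Always leave maintenance mode, even on failure, so fix-up can resume.
    run_on "$CM" "$SPLUNK" disable maintenance-mode || return 1
    wait_for_fixup || return 1
    return "$rc"
}

# Usage: rolling_maintenance idx1 idx2 ...   (stops at the first failure)
rolling_maintenance() { for p in "$@"; do maintain_peer "$p" || return 1; done; }
```

Maintenance mode is switched off again after every peer, so the cluster is only unprotected by fix-up for the duration of one host's maintenance window.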

mike_k
Path Finder

Thanks for that info.

Much appreciated.

0 Karma