@vikramyadav @isoutamo @gcusello 

Hi I have tried to upgrade my test which i have created just to test.

Step 1: Upgraded the app which support 8.0

Step 2: Configuration backup Indexer and Heavy Forwarder /etc/system/local/ and /etc/apps/

Step 3. In our environment HF and Indexer are standalone environment. 

I upgraded the Indexer and When i have checked the data was not present which i have ingested on Indexer.

hot bucket rolled to warm bucket

What did i miss ?/

If i will perform same step in production then it would be an issue as i will lose all the data which exists on Indexer.

 

Please help me in that.

 

Note: Our Indexer are not in cluster. It is a standalone system.

 

 

 

Usually you should backup the whole etc directory.

If/when you have followed @gcusello ‘s pointed instructions there shouldn’t be any issues. Can you give the journal what you have done and where, so we could try to help you?

Unfortunately I have found that all those apps which have said to be a compatible for 8 haven’t that. So you must down load https://splunkbase.splunk.com/app/4698/ and check those (especially python parts) by yourself and fix what is needed before update.
r. Ismo

Hi
you should remember that you cannot backup hot buckets!

Probably easiest way (if possible) is shutdown splunk and then take volume/filesystem level backup, if/when you want to backup you data also. If it enough to backup only configurations then @gcusello's tar is the easiest way.
r. Ismo

Unsupported does not mean that it does not work.

We have one UF 6.1.4 that sends logs to 8.1.2 Server without any problem. 

@gcusello 

I have upgraded the Splunk instance and thank you for your input.

Can you please help me with one more thing ?

Even i have uploaded the latest Splunk add-on or App for Splunk Enterprise 8.1 even though it was showing me python3 warning in Splunk readliness app ?

Hi @pankajupadhyay,

Good for you,

about your question, did you forced Python3?

if not follow the steps at https://docs.splunk.com/Documentation/Splunk/8.1.2/Installation/Python3LowEffort ?

in few words in  $SPLUNK_HOME/etc/system/local/server.conf set python.version=python3.

Ciao.

Giuseppe

@gcusello  @isoutamo @vikramyadav 

I am about to upgrade the production Splunk servers.

Step 1: Checked the Splunk add-on and App compatabilitty and download the latest one from Splunk base.

Step 2: Configuration backup and file level system backup of Index data.

Step 3: Download the latest Splunk Enterprise 8.0

Step 4: Stop the services of Indexer first and install the latest package and restart the services.

Step 5: Will upgrade the app and add-on 

Step 6: verify eveything is working fine or not .

Step 7: Same procedure for HF then

 

Correct me if am missing out anything here?

 

 

 

That seems to be ok. Here is the official order to upgrade in distributed environment.

https://community.splunk.com/t5/Installation/What-s-the-order-of-operations-for-upgrading-Splunk-Ent...

On step 1 there may be situation that you must update those apps by yourself even those were said to compatible for 8 (at least I have updated couple of them).

r. Ismo

Hi @pankajupadhyay,

yes it's correct.

Remember to force the use of Python3: https://docs.splunk.com/Documentation/Splunk/8.0.5/Python3Migration/ChangesEnterprise#:~:text=versio... after the installation of Splunk 8.x.

Ciao.

Giuseppe

@gcusello @isoutamo @vikramyadav 

After upgradation on Indexer.

Do we have the possitbilities that we can loose the warm bucket as i will roll back hot to warm bucket by using command.

hot,warm,cold bucket are in default location

Frozen is on NFS.

OR do i need to restore the default db for hot,warm,cold bucket ?

 

Regards

Pankaj

Hi @pankajupadhyay,

no, you don't need any intervene on buckets.

Ciao.

Giuseppe

@gcusello  Thank you so much information.

I will go through with the information.  

Hi @pankajupadhyay,

Tell me if you'll need more help.

When you'll finish, please, accept the answer for the otehr people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉