Installation

Upgrade multiple clusters splunk from 7.1.0 to 7.2.7

Chamrong
Explorer

Hi All

I have two splunk clusters. Each cluster has 2 sites
Cluster 1 Site 1: 3 Search Head, License Master, Index cluster master, 4 indexer, Deployment server, Search Head deployer/HF2, and HF1
Cluster 1 Site 2: 4 indexer, Deployment server, Warm Standby License Master, Warm Standby indexer cluster master, Search Head deployer/HF2, and HF1 (No search head in site 2)
Cluster 2 Site 1: Index cluster master, 4 indexer, Deployment server, HF2, and HF1
Cluster 2 Site 2: 4 indexer, Deployment server, HF2, and HF1

I am working on upgrading from 7.1.0 to 7.2.7. What is the sequence of upgrade?

is each cluster upgrade independently? if so, can I follow this procedure? https://docs.splunk.com/Documentation/Splunk/7.2.7/Indexer/Upgradeacluster

  1. Upgrade cluster 1
  2. Make sure all working (all host up, SF and RF are met)
  3. Upgrade cluster 2
  4. Make sure all working(all host up, SF and RF are met)

Do I have to change the index.conf of the default stanza after step 14?
[default]
tsidxWritingLevel=2

Labels (4)

Chamrong
Explorer

Hi all

I already did the upgrade. I did abit different path.

Treat each cluster separately. It is like two Splunk instants

in clustser 1, I upgrade in order of
1. Index cluster master
2. ALL search head and Indexer (all sites). It is because search head is only exist in site1. Data being ingest only from site1
3. license master, SH deployer, deploer, HF

In cluster 2,
1. Index cluster master
2. ALL indexer (because ongested from 1 site)
3. Deploer, HF

I got 8 mins downtimes, but it goes smooth.

Chamrong

BainM
Communicator

Thank you very much. Upvoted!

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Yes, if the clusters are not talking to each other than you should be fine to follow the normal documentation. If they are not independent, let us know how they communicate to each other.

See What's the order of operations for upgrading Splunk Enterprise? for the answer.

BainM
Communicator

Hello @Chamrong -

Were you able to accomplish the upgrade using the methods you guys talk about here? Did you encounter any issues? We want to do something similar.

Thanks!
Mike

0 Karma

Chamrong
Explorer

Hi @SloshBurch
Cluster1 and Cluster2 has it's own indexer cluster master, but they share same Search Head cluster (Search Head cluster from Cluster1 search data to both Cluster 1 and Cluster2)

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Oh ok. So check out that link I previously provided but I'm pretty sure it will show you that you merely upgrade the indexers last. Therefore, your search heads being shared will be not an issue because they will be on the latest before any cluster starts upgrading.

Does that make sense to you?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...