I need to upgrade my current Splunk multi cluster environment from 6.0.1 to 7.2.3.
Present Infrastructure where Splunk 6.0.1 is present:-
Futuristic Infrastructure where Splunk 7.2.3 will be deployed. I have ordered completely new devices. Once the upgrade is done, we will decommission the old infrastructure.
My biggest challenge is I want to transfer all the data from the old (6.0.1) system to the new (7.2.3) system. How can this be achieved?
What is the step-by-step process to follow? Any help will be highly appreciated.
I have written a whole essay before realising that we need more information first. Are you planning to add the new servers into the existing multi-site cluster? Because this will make it a lot easier.
Hi. I am installing completely new hardware first and then moving all the data to them. What is the best way to do this? Are there any procedural steps?
Well, the easiest way would be to include the new server into the existing cluster and then decommission the old ones, like woodcock wrote. Everything else is kind of complicated, and there is no step-by-step procedure available that I know of.
I would make the old servers a multi-site cluster and put the new servers as a second site. Let the CM go crazy (it will crash many times), then decommission the old site.
The CM is a "start from scratch" node and does not record any state anywhere. If you simply point the Indexers to a new CM and restart everything, it will get sorted out quickly without any admin steps.
If you are standing up a new cluster on new hardware and want to transfer your indexes over, it is pretty straightforward if you have an identical number of indexers. If not, it becomes a bit more complicated.
If you do though, here are the high level steps:
On new cluster:
Deploy your existing indexes.conf but set the index(es) to disabled = 1
On old cluster:
Roll all hot buckets to warm
Disable the index
From old cluster indexers to new cluster indexes:
rsync -az /path/to/your/data/ newindexername:/path/to/your/data/
Repeat that for each path defined (hot, warm, cold, etc.), for each index, and for each indexer (oldindexer02 to newindexer02 e.g.).
On the new cluster:
Verify/update user:group ownerships on the new data paths (chown -RP splunk:splunk /path/to/your/data/ e.g.).
Enable the index
Splunk may do some housekeeping, so to speak, once you enable the index. But after that you should be good.
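The copy step in the answer above, sketched as an added example that is not part of the original posts: it reads an indexes.conf, pairs old and new indexers one-to-one (refusing to continue when the counts differ), and prints one rsync command per indexer pair and data path without running anything. The host names, the sample indexes.conf and the `$SPLUNK_DB` location are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example: prints the rsync commands for the migration; it runs none of them.
SPLUNK_DB_DIR=/opt/splunk/var/lib/splunk   # assumption: value of $SPLUNK_DB on both clusters

# Constructed sample indexes.conf (index names and paths are made up).
sample_indexes_conf() {
cat <<'EOF'
[web]
homePath = $SPLUNK_DB/web/db
coldPath = /cold/web/colddb
thawedPath = $SPLUNK_DB/web/thaweddb
disabled = 1

[firewall]
homePath = $SPLUNK_DB/firewall/db
coldPath = $SPLUNK_DB/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
EOF
}

# Read indexes.conf on stdin; print "index|path" for every data path of every index.
index_paths() {
  awk -v db="$SPLUNK_DB_DIR" '
    /^[ \t]*#/ { next }
    /^\[.*\]/  { idx = $0; gsub(/^\[|\].*$/, "", idx); next }
    /^[ \t]*(homePath|coldPath|thawedPath)[ \t]*=/ {
      p = $0; sub(/^[^=]*=[ \t]*/, "", p); sub(/[ \t]+$/, "", p)
      gsub(/\$SPLUNK_DB/, db, p); print idx "|" p
    }'
}

# Pair old and new indexers by position; fail when the counts differ.
pair_indexers() {
  awk -v o="$1" -v n="$2" 'BEGIN {
    no = split(o, olds, " "); nn = split(n, news, " ")
    if (no != nn) { print "indexer counts differ: " no " vs " nn > "/dev/stderr"; exit 1 }
    for (i = 1; i <= no; i++) print olds[i], news[i]
  }'
}

# plan "old hosts" "new hosts" < indexes.conf : one rsync per indexer pair and path.
# Trailing slashes on both sides copy the directory contents, not a nested directory.
plan() {
  pairs=$(pair_indexers "$1" "$2") || return 1
  paths=$(index_paths)
  printf '%s\n' "$pairs" | while read -r old new; do
    printf '%s\n' "$paths" | while IFS='|' read -r idx path; do
      printf 'rsync -az %s/ %s:%s/  # run on %s, index %s\n' "$path" "$new" "$path" "$old" "$idx"
    done
  done
}

sample_indexes_conf | plan "oldidx01 oldidx02" "newidx01 newidx02"
```

Review the printed plan before running any of it, and run the copies only after the hot buckets are rolled and the index is disabled on the old cluster, as the steps above describe.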