We are planning to upgrade our Enterprise Splunk from 6.2.0 to 7.0. We are currently running a single indexer and searchhead on a Windows server, which are on 6.2, and we have forwarders running on Linux and Windows servers, which are on 6.2.5.
If I have to plan the upgrade, what is the order that I need to follow? I.e., upgrade the indexer first and then the forwarders?
Also, I would like to know if there is a runplan or steps on how to upgrade the indexer, and the dependencies and requirements that I need to be aware of while upgrading.
I am reading a lot of docs but I'm lost. Any help would be greatly appreciated.
"A single indexer and searchhead" <-- do you mean a single Windows box? Or do you mean a single indexer box and another single searchhead box?
Short version: Make backup. Confirm backup. Upgrade Splunk (if they're only one server) OR Upgrade Search Head, then upgrade Indexer (if they're separate). Later you can and should upgrade the forwarders.
If the former - one single server for both roles, then you have no clustering so just download the new Splunk version and upgrade it. Here's the link in the docs that starts you off. Before pulling that trigger, though, read what will change when you upgrade to 7 first. Most of these things shouldn't affect you, but read through it anyway. Then, obviously MAKE A BACKUP and test it! After you have a known-good backup, you can proceed to upgrade your server (which is literally just download it, double-click it and click next a lot.)
Your forwarders can be upgraded any time later - it's best to keep them more or less up to date, but they'll work against 7.0.2 as they are (as long as they're version 6).
If the latter - you have a Splunk Indexer and a Splunk Search Head, then do the above steps - did I mention to make sure you have a good backup? - but you'll do the Search Heads first, then when they're done do the indexers. It shouldn't be any more complex than that.
Also, as with the former case, later you can do your forwarders, but no hurry.
Thank you for the response rich7111.
We have both (one indexer and a searchhead) on a single Windows server (no clustering involved). And we have around 600 GB of indexed (cold/thawed) data.
I will check with the team about taking a backup of the existing indexed data. In case it's not a feasible option, updating the indexer should not affect the indexed data, right?
Actually it does affect indexed data in this case - I think it was 6.3 or 6.4 that when you upgrade through/past it actually does change/upgrade something in the indexed data. (BTW, this process can take a while - be patient!)
But right, it shouldn't affect the data in a way that's likely to break it.
But backups aren't for "When things work right." Backups are for exactly when things don't work as planned.
So I will say nice and loudly - if you aren't backing up your Splunk box, and its data, then you need to start doing that. A system that isn't backed up is as good as gone, because it WILL go away at some point.
Soapbox done. You've been warned. But you honestly can make whatever decision you want. It'll probably be fine. This time. 🙂
Thank you, Rich, for your valuable input. I am making sure that the necessary backups are taken for the cold data indexes.
Also, I want to check with you regarding the forwarders. At this time we are only upgrading the indexer and searchhead but not the forwarders. Our forwarders are on 6.2.5; we should not be having forwarding issues from forwarders on 6.2.5 to the indexer on 7.0.2, I believe, but can you please confirm as well?
Yes. Here are the docs on UF to Indexer compatibility and they explicitly mention in the middle of the second section that ...
An indexer that is version 6.6 or later, including 7.0, can receive data from a forwarder that is version 6.0 or later, including 7.0.
And that fits with what I've experienced. Obviously, I can't guarantee that, but I am pretty sure you shouldn't have any issues.
Thank you so much Rich.
I hope it works, because we will be upgrading the forwarders later during deployment of apps via Chef.