I'm running 6.6.2 in multi-site clustered configuration. Read This First tells me:
Splunk Enterprise supports the following upgrade paths to version 7.1 of the software:
From version 6.5 or later to 7.1 on full Splunk Enterprise.
From version 6.5 or later to 7.1 on Splunk universal forwarders.
If you run a version of Splunk Enterprise prior to 6.5:
Upgrade from your current version to version 6.5.
Upgrade to version 7.1.
However, Upgrade an Index Cluster cautions:
Caution: You cannot perform a site-by-site upgrade if you are upgrading across more than one minor version (for example, from 6.4 to 6.6). To upgrade across multiple minor versions, you must take down all peer nodes across all sites during the upgrade process.
I'm planning on taking the most careful approach, but it makes me wonder which one is really correct, as this is contradictory in my reading. Is the latter caution just an artifact from an earlier documentation version? Does one apply to clustered configurations and the other to non-clustered? The documentation is notorious, in my opinion, for NOT clearly distinguishing between differing environments.
While I would highly recommend not upgrading a production environment to a .0 release, if you're going to do it the main concerns are
So for you, you want to follow the standard cluster upgrade procedure: master, search, master in maintenance mode, then when you get to indexing layer, because multi-site, you want them all off before starting as you're doing a major release. It seems like 7.1 will introduce a better upgrade procedure so maybe this would be your last time doing it exactly this way.
The docs indicate when upgrading a multi-site cluster you can go site-by-site but ONLY if you're doing a minor version. Confusing because they don't list your exact plan to go from 6.6 to 7.1. If I were you, I'd take down all the indexers at all sites, upgrade one site, start it, then move to the next site (again, this is all part of step 3 in the tiered approach listed).
Thank you for taking the time to answer. My question is how do I interpret the documentation? There are two different directives on upgrading. Again, I am occasionally perplexed when it comes to understanding which statements apply to clustered vs non-clustered configurations.
Meanwhile, I gather you prefer the 'no more than one minor release' approach, which is what I intend to follow. I'm reaching out to all of you who have more hands-on experience with the software than I do. I'm a one-man band here and so it is important to measure twice, cut once.
I don't really see the contradiction here. The first part you quoted says that you can upgrade a Splunk Enterprise instance directly from any 6.5+ version to 7.1. The second part is specifically about the restrictions when you want to do a site-by-site upgrade of a multi-site cluster - you can only do that when you want to upgrade a single minor version. You can still upgrade a multi-site cluster directly from any 6.5+ to 7.1, but then you have to take down the whole cluster, across all sites.
Basically there are two options for you to upgrade your multi-site cluster from 6.6 to 7.1: