Installation
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

What to do first: Cluster Indexers, then Upgrade Linux, or upgrade Linux, then cluster indexers?

gozulin
Communicator
‎08-11-2016 11:11 AM

We have 2 indexers (one site) that are running on Redhat 6.2 that we want to upgrade to 6.7 for security reasons.

We also want to cluster them.

Should we cluster first, then upgrade the OS on one indexer at a time, or upgrade them, then cluster them?

Which is less risky?

Currently, all our forwarders are configured so they can send to both Indexers, like so:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]

server = 10.1.1.2:9997 , 10.1.1.3:9997
useACK=true

[tcpout-server://10.1.1.2:9997]
[tcpout-server://10.1.1.3:9997]

So either way, stopping one indexer should make the forwarders send to the other indexers, cluster or no cluster, am I right?

The only difference I can see is if we cluster first, search results would not be impacted during our maintenance window.

So, what say thee?

Labels (3)
Labels
0 Karma
Reply

Yasaswy
Contributor
‎08-11-2016 01:28 PM

Hi gozulin,
stopping one indexer should make the forwarders send to the other indexers, cluster or no cluster, am I right? yes
As per clustering, you would need a minimum of 3 indexers. Just by the info provided above, I don't think you can cluster above 2 mentioned indexers for HA.

So you cannot avoid disruption of service (searches would have incomplete data) during the upgrade... but as you mentioned above you are not loosing any inbound data.

If you have a new server available for indexer ... then yes cluster first and upgrade one server at a time so you have no service disruption. If service disruption in not a big deal... it's cleaner/easier to upgrade first and cluster 🙂

0 Karma
Reply

gozulin
Communicator
‎08-12-2016 05:46 AM

how is it cleaner/easier to upgrade first and then cluster?

0 Karma
Reply

Yasaswy
Contributor
‎08-12-2016 07:47 AM

When you cluster splunk you typically will have more things to consider than you would in the current state. Clustering itself will require some amount of planning (even with just 2 peer nodes and a cluster master). So assuming service interruption is acceptable ... to me the easier option (relatively speaking) appears to be finishing off the upgrade first and plan and do cluster deployment later.... So I am coming from the perspective that you need to pick one of these 2 choices immediately.

0 Karma
Reply

somesoni2
Revered Legend
‎08-11-2016 02:29 PM

For indexer cluster, there is no minimum node requirement (2 will do as well). The number of nodes required is depending upon the replicationFactor (no of node in indexer cluster=replication factor).

Reply

Yasaswy
Contributor
‎08-11-2016 07:14 PM

True. Thanks for correcting 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...