Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What to do first: Cluster Indexers, then Upgrade Linux, or upgrade Linux, then cluster indexers?

gozulin
Communicator
‎08-11-2016 11:11 AM

We have 2 indexers (one site) that are running on Redhat 6.2 that we want to upgrade to 6.7 for security reasons.

We also want to cluster them.

Should we cluster first, then upgrade the OS on one indexer at a time, or upgrade them, then cluster them?

Which is less risky?

Currently, all our forwarders are configured so they can send to both Indexers, like so:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]

server = 10.1.1.2:9997 , 10.1.1.3:9997
useACK=true

[tcpout-server://10.1.1.2:9997]
[tcpout-server://10.1.1.3:9997]

So either way, stopping one indexer should make the forwarders send to the other indexers, cluster or no cluster, am I right?

The only difference I can see is if we cluster first, search results would not be impacted during our maintenance window.

So, what say thee?

Labels (3)
Labels
0 Karma
Reply

Yasaswy
Contributor
‎08-11-2016 01:28 PM

Hi gozulin,
stopping one indexer should make the forwarders send to the other indexers, cluster or no cluster, am I right? yes
As per clustering, you would need a minimum of 3 indexers. Just by the info provided above, I don't think you can cluster above 2 mentioned indexers for HA.

So you cannot avoid disruption of service (searches would have incomplete data) during the upgrade... but as you mentioned above you are not loosing any inbound data.

If you have a new server available for indexer ... then yes cluster first and upgrade one server at a time so you have no service disruption. If service disruption in not a big deal... it's cleaner/easier to upgrade first and cluster 🙂

0 Karma
Reply

gozulin
Communicator
‎08-12-2016 05:46 AM

how is it cleaner/easier to upgrade first and then cluster?

0 Karma
Reply

Yasaswy
Contributor
‎08-12-2016 07:47 AM

When you cluster splunk you typically will have more things to consider than you would in the current state. Clustering itself will require some amount of planning (even with just 2 peer nodes and a cluster master). So assuming service interruption is acceptable ... to me the easier option (relatively speaking) appears to be finishing off the upgrade first and plan and do cluster deployment later.... So I am coming from the perspective that you need to pick one of these 2 choices immediately.

0 Karma
Reply

somesoni2
Revered Legend
‎08-11-2016 02:29 PM

For indexer cluster, there is no minimum node requirement (2 will do as well). The number of nodes required is depending upon the replicationFactor (no of node in indexer cluster=replication factor).

Reply

Yasaswy
Contributor
‎08-11-2016 07:14 PM

True. Thanks for correcting 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...