Solved: upgrade Splunk 6.4 to splunk 6.5

mintughosh · ‎05-28-2017

Currently, we have splunk 6.4 installed on our distributed enviroment. In our enviroment, we have 3 search heads, 2 indexers and 1 master server that act as licensing and deployment server and 1 heavy forwarder. We need to upgrade to Splunk 6.5. The search heads and indexers are in clustered. How do I go ahead ? What would be rollback options.

skalliger · ‎05-29-2017

Hi,

the upgrading process for indexer clusters is described here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/Upgradeacluster

When you want do an upgrade, you can not do a rolling-update which means you need to upgrade all instances before bringing them back online.

An upgrade is simply replacing the files in your installation destination (like /opt/splunk/). So, a simple backup would be to backup your splunk directory before upgrading.

splunk stop on your master
splunk stop on Indexers and Search Heads
Upgrade your master (http://docs.splunk.com/Documentation/Splunk/6.5.2/Installation/Upgradeto6.5onUNIX)
replace files from the release in your installation directory on your master (e.g. tar zxf splunk-6.x.x-.tgz -C /opt/)
splunk start on your master, confirm the migration and upgrade process, accept license if needed.
enable the maintenance-mode on your master
Repeat the upgrade step on all indexers and search heads
after all peers have been upgraded and started successfully, disable the maintenance-mode
all peers must be on the same maintenance level (e.g. 6.5.2) and must not be a higher version than your master.

Any more questions?

Skalli

Edit: typo

View solution in original post

skalliger · ‎05-29-2017

Hi,

the upgrading process for indexer clusters is described here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/Upgradeacluster

When you want do an upgrade, you can not do a rolling-update which means you need to upgrade all instances before bringing them back online.

An upgrade is simply replacing the files in your installation destination (like /opt/splunk/). So, a simple backup would be to backup your splunk directory before upgrading.

splunk stop on your master
splunk stop on Indexers and Search Heads
Upgrade your master (http://docs.splunk.com/Documentation/Splunk/6.5.2/Installation/Upgradeto6.5onUNIX)
replace files from the release in your installation directory on your master (e.g. tar zxf splunk-6.x.x-.tgz -C /opt/)
splunk start on your master, confirm the migration and upgrade process, accept license if needed.
enable the maintenance-mode on your master
Repeat the upgrade step on all indexers and search heads
after all peers have been upgraded and started successfully, disable the maintenance-mode
all peers must be on the same maintenance level (e.g. 6.5.2) and must not be a higher version than your master.

Any more questions?

Skalli

Edit: typo

andrey2007 · ‎05-29-2017

I think you should start from reading the docs

https://docs.splunk.com/Documentation/Splunk/6.5.3/Installation/HowtoupgradeSplunk

And here you can find info about downgrading for Unix for example(rollback)
Splunk Enterprise does not provide a means of downgrading to previous versions. If you need to revert to an older Splunk release, uninstall the upgraded version and reinstall the version you want.

upgrade Splunk 6.4 to splunk 6.5

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?