Splunk Enterprise Security

Can you upgrade Splunk Enterprise Security on a test server that points at the same Index layer?

chrisbennett
New Member

I am planning out the first upgrade of Splunk Enterprise Security (Splunk ES) and am working out how. When we installed the system with Professional Services, we had a test server and our production search head pointing at the same index layer. These were both the same version of ES and allowed us to test some configs. Now that I am working on a major version upgrade (3.3.1 to 4.1.4 to 4.7.1), will it break things having a test server upgraded to 4.1.4 if the 3.3.1 search head is still up? Or is the better strategy now to snapshot the Prod server and upgrade there?

0 Karma
1 Solution

micahkemp
Champion

One issue you'll run into by creating a new ES SH to replace your old one is the datamodel acceleration. Each SH that has DM acceleration enabled has its own set of accelerated data on the indexers. This means that you'd be doubled up on DM acceleration storage. This may or may not be OK with you, but it's certainly worth considering before you go down this route.

A potential workaround/solution would be to test your new ES SH without enabling DM acceleration until you're ready to decom the old ES SH. This may cause issues with your indexers if you have more than a few correlation searches enabled at the same time, as the searches will be more expensive to perform. Also worth noting is that when you retire your old ES SH, you need to look into how to force its accelerated data to be deleted from your indexers.


0 Karma
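To turn the storage point above into a concrete pre-upgrade check, here is an added Python example (not from this thread, and not Splunk's own code) that compares the accelerated data models reported by two search heads. It assumes the response shape of GET /services/datamodel/model?output_mode=json, where each entry's acceleration settings arrive as a JSON document stored in a string, and it uses constructed sample responses in place of live REST calls.

```python
import json

# Constructed sample responses standing in for what each search head's
# /services/datamodel/model endpoint returns (assumption: "acceleration"
# is a JSON string inside entry "content").
OLD_SH = {"entry": [
    {"name": "Authentication",
     "content": {"acceleration": json.dumps({"enabled": True, "earliest_time": "-1mon"})}},
    {"name": "Network_Traffic",
     "content": {"acceleration": json.dumps({"enabled": True, "earliest_time": "-7d"})}},
    {"name": "Web",
     "content": {"acceleration": json.dumps({"enabled": False})}},
]}
NEW_SH = {"entry": [
    {"name": "Authentication",
     "content": {"acceleration": json.dumps({"enabled": True, "earliest_time": "-1mon"})}},
    {"name": "Network_Traffic",
     "content": {"acceleration": json.dumps({"enabled": False})}},
    {"name": "Web",
     "content": {"acceleration": "not-json"}},   # malformed value, skipped below
]}


def accelerated_models(response):
    """Return {model_name: earliest_time} for every model with acceleration enabled."""
    result = {}
    for entry in response.get("entry", []):
        raw = entry.get("content", {}).get("acceleration", "{}")
        try:
            accel = json.loads(raw) if isinstance(raw, str) else raw
        except json.JSONDecodeError:
            continue  # ignore entries whose acceleration field cannot be parsed
        if accel.get("enabled"):
            result[entry["name"]] = accel.get("earliest_time", "")
    return result


def duplicated_models(old_sh, new_sh):
    """Models accelerated on both search heads: their summaries exist twice on the indexers."""
    return sorted(set(accelerated_models(old_sh)) & set(accelerated_models(new_sh)))


if __name__ == "__main__":
    for model in duplicated_models(OLD_SH, NEW_SH):
        print(f"{model}: accelerated on both search heads, storage is doubled")
```

Point both samples at real responses (fetched with your own authenticated client) to see which models would be double-accelerated before the old ES search head is retired.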
