Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- reboot splunk instance after OS patching
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We patch our OS last week and OS admin advise us to reboto the Indexers once. we have multistie scenerios. (6+6).
Please suggest a best method to reboot OS without effecting index searching capability.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would suggest you perform the proposed activity on a test server [ can be single instance, if you don't have a cluster setup] which same OS level patches/versions and same version of splunk instance as prod. This can prove that the reboot of the OS works fine and the splunk starts up clean.
- Ensure your instances are setup boot enable splunk
- watch for any errors in splunkd.logs and python logs related to OS and splunk apps/add-ons on your instance
- If you are happy, you can select a quite period [ out of office hours, when the load and incoming data is minimal], put the master in maintenance mode, restart/reboot the cluster master and ensure it comes up and all peer nodes connect successfully.
- take out each search peer on to a maintenance mode or offline (ensure they are are in maintenance mode) and reboot and re-enable them
- between each peer node reboot, ensure the nodes
You may also want to refer to https://answers.splunk.com/answers/352976/what-is-the-correct-procedure-to-patch-the-os-and.html
https://docs.splunk.com/Documentation/Splunk/7.1.0/Indexer/Upgradeacluster#Upgrade_to_a_maintenance_...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would suggest you perform the proposed activity on a test server [ can be single instance, if you don't have a cluster setup] which same OS level patches/versions and same version of splunk instance as prod. This can prove that the reboot of the OS works fine and the splunk starts up clean.
- Ensure your instances are setup boot enable splunk
- watch for any errors in splunkd.logs and python logs related to OS and splunk apps/add-ons on your instance
- If you are happy, you can select a quite period [ out of office hours, when the load and incoming data is minimal], put the master in maintenance mode, restart/reboot the cluster master and ensure it comes up and all peer nodes connect successfully.
- take out each search peer on to a maintenance mode or offline (ensure they are are in maintenance mode) and reboot and re-enable them
- between each peer node reboot, ensure the nodes
You may also want to refer to https://answers.splunk.com/answers/352976/what-is-the-correct-procedure-to-patch-the-os-and.html
https://docs.splunk.com/Documentation/Splunk/7.1.0/Indexer/Upgradeacluster#Upgrade_to_a_maintenance_...
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
