Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I have indexers with multiple versions in Indexer Cluster (7.3.4 and 8.0.5)

VasukiPramod
Explorer
‎09-06-2020 08:42 PM

We are planning to upgrade our multi-site cluster from Splunk Core ES 7.3.4 to 8.0.5 in a phase-wise manner.

Splunk Documentation indicates " Indexers that run versions of Splunk Enterprise lower than 8.0 cannot handle bucket replications from versions that run 8.0 and higher" and hence to put the cluster in maintenance mode while Indexer cluster upgrade is in Progress.

Now, since it's a multi-site cluster can I upgrade my indexer cluster in site-1 today and site-2 tomorrow?

And in such case do I need to extend the maintenance mode on cluster for two days?

Or else can I have my indexer cluster with multiple versions of Indexers till the upgrade finishes...

Labels (3)
0 Karma
Reply

lakshman239
SplunkTrust
SplunkTrust
‎09-10-2020 06:15 AM

As @soutamo suggested, keep the upgrade windows as small as possible. Ideally if you could upgrade all indexers in site 1 on day 1, and site 2 on day 2, that would be good. You only need to put the clusters in mtce mode during the upgrade. After the upgrade of site 1, allow time for bucket fixes /health of the cluster to be back to normal [ SF/RF factors ] and then upgrade the site 2. Use the docs and if possible, test in a diff env.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-06-2020 10:57 PM

Hi

I haven't try this by myself, but as instructions said that I definitely follow up this.

Is your cluster so big that you cannot do it in one day or are there any other reason why you want to extend it to two day? Any how this is good to practice in test environment before do it in production.

r. Ismo

0 Karma
Reply

VasukiPramod
Explorer
‎09-10-2020 04:04 AM

Yes. We have a multi-site cluster with 20+ Indexers in each site. 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-10-2020 04:14 AM

There is instructions how you can do this update for multisite cluster one site at time. I suppose that you could do it event as a rolling upgrade (haven't try it myself, yet). https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/Searchablerollingupgrade

I don't believe that there are any big issues if your update time schedule is not too long. Try to keep it as short as possible, even it takes couple of days. 

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...