Splunk Enterprise

Can I have indexers with multiple versions in Indexer Cluster (7.3.4 and 8.0.5)

VasukiPramod
Explorer

We are planning to upgrade our multi-site cluster from Splunk Core ES 7.3.4 to 8.0.5 in a phase-wise manner.

Splunk Documentation indicates " Indexers that run versions of Splunk Enterprise lower than 8.0 cannot handle bucket replications from versions that run 8.0 and higher" and hence to put the cluster in maintenance mode while Indexer cluster upgrade is in Progress.

Now, since it's a multi-site cluster can I upgrade my indexer cluster in site-1 today and site-2 tomorrow?

And in such case do I need to extend the maintenance mode on cluster for two days?

Or else can I have my indexer cluster with multiple versions of Indexers till the upgrade finishes...

Labels (3)
0 Karma

lakshman239
SplunkTrust
SplunkTrust

As @soutamo suggested, keep the upgrade windows as small as possible. Ideally if you could upgrade all indexers in site 1 on day 1, and site 2 on day 2, that would be good. You only need to put the clusters in mtce mode during the upgrade. After the upgrade of site 1, allow time for bucket fixes /health of the cluster to be back to normal [ SF/RF factors ] and then upgrade the site 2. Use the docs and if possible, test in a diff env.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

I haven't try this by myself, but as instructions said that I definitely follow up this.

Is your cluster so big that you cannot do it in one day or are there any other reason why you want to extend it to two day? Any how this is good to practice in test environment before do it in production.

r. Ismo

0 Karma

VasukiPramod
Explorer

Yes. We have a multi-site cluster with 20+ Indexers in each site. 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

There is instructions how you can do this update for multisite cluster one site at time. I suppose that you could do it event as a rolling upgrade (haven't try it myself, yet). https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/Searchablerollingupgrade

I don't believe that there are any big issues if your update time schedule is not too long. Try to keep it as short as possible, even it takes couple of days. 

r. Ismo

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...