Splunk Enterprise

Can I have indexers with multiple versions in Indexer Cluster (7.3.4 and 8.0.5)

VasukiPramod
Explorer

We are planning to upgrade our multi-site cluster from Splunk Core ES 7.3.4 to 8.0.5 in a phase-wise manner.

Splunk Documentation indicates " Indexers that run versions of Splunk Enterprise lower than 8.0 cannot handle bucket replications from versions that run 8.0 and higher" and hence to put the cluster in maintenance mode while Indexer cluster upgrade is in Progress.

Now, since it's a multi-site cluster can I upgrade my indexer cluster in site-1 today and site-2 tomorrow?

And in such case do I need to extend the maintenance mode on cluster for two days?

Or else can I have my indexer cluster with multiple versions of Indexers till the upgrade finishes...

Labels (3)
0 Karma

lakshman239
Influencer

As @soutamo suggested, keep the upgrade windows as small as possible. Ideally if you could upgrade all indexers in site 1 on day 1, and site 2 on day 2, that would be good. You only need to put the clusters in mtce mode during the upgrade. After the upgrade of site 1, allow time for bucket fixes /health of the cluster to be back to normal [ SF/RF factors ] and then upgrade the site 2. Use the docs and if possible, test in a diff env.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

I haven't try this by myself, but as instructions said that I definitely follow up this.

Is your cluster so big that you cannot do it in one day or are there any other reason why you want to extend it to two day? Any how this is good to practice in test environment before do it in production.

r. Ismo

0 Karma

VasukiPramod
Explorer

Yes. We have a multi-site cluster with 20+ Indexers in each site. 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

There is instructions how you can do this update for multisite cluster one site at time. I suppose that you could do it event as a rolling upgrade (haven't try it myself, yet). https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/Searchablerollingupgrade

I don't believe that there are any big issues if your update time schedule is not too long. Try to keep it as short as possible, even it takes couple of days. 

r. Ismo

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...