In order to upgrade Splunk from 8.1.3 to 9.0.4, I need to migrate/upgrade the KVstore engine from MMAPv1 to WiredTiger and then upgrade the KVstore (mongoDB) version to 4.2.
I believe that I only need to upgrade the KVstore on instances with active KVstore collections. And I should stop scheduled searches writing to collections or wait until they are finished before running the migration.
By default the KVstore is enabled on all instances which is a bit confusing, BUT the monitoring console (MC) KVstore dashboard gives me some indication that only the instances with active kvstore collections are the SHC and some HFs... but not my MC/license master or the Deployment Server or the Index Cluster master.
Splunk docs mention that you can disable kvstore and ignore certain collections.
My question is how to verify and identify the active collections on my instances?
Where is the kvstore files location? (apparently the directory seems to be /opt/splunk/var/lib/splunk/kvstore/mongo) but the files are not human-readable clear...
Is there a query to see the individual KVstore collection file sizes with human-readable names?
This gives me I think most of them... not sure
| rest /servicesNS/-/-/data/transforms/lookups splunk_server=local
| table eai:acl.app title collection
| search collection!=""Any advice appreciated.
Thank you
Thanks for the clarification (and persevering thru my questions). I really do appreciate it!
My concerns, re: IDXCluster and KVstore, are due to all the non-sensical configurations the previous admins left for me....
It would not surprise me to see something unusual here, as I have seen some really goofy stuff. For instance , I am concerned they did some sort of remote kvstore replication/sync to the indexer peers etc... maybe that doesn't matter, not 100% about that.
Would you advise that I "disable" the KVstore on the indexers? for safety? per Splunk docs>>> https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/AboutKVstore
RE: "upgrade only Search Heads and Heavy Forwarders" , I see collections (probably default) on my MC/LM instance and Deployment Server instance as well. So I am thinking upgrade those as well? IDK.
when I run this on my MC/LM instance >>>
| rest splunk_server="local" "/services/search/distributed/peers/"
| search disabled=0
| rename peerName AS splunk_server
| fields host splunk_server
| join type=left splunk_server
[| rest splunk_server="*" "/services/kvstore/status"
| table splunk_server current.status current.replicationStatus current.storageEngine ]
| sort - current.storageEngine
I see every instance (including indexers) has a default enabled kvstore in "ready"...
So now, knowing this information, does that change your advice?
RE: support, IDK, I do feel support should be able to answer these questions. I get support is "break/fix" but do I really have to break it first to get help or a couple definitive answers?
I am sure Support will kick it to our Sales Rep and they will say we need to engage PS for 2 week$ 🤣...
Thank you!
