Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Indexer Cluster and Cluster Master upgrade

santosh_hb
Explorer
‎06-06-2019 01:39 AM

Hi All,

Can we upgrade the Indexer Cluster and Cluster Master with no downtime?
As per our security regulatory requirements we cannot have downtime for Splunk upgrade.
We will be upgrading from 6.5.3to 7.1.6
If yes, can you share the procedure.

regards,
Santosh

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-06-2019 04:50 AM

It depends on your definition of downtime. The cluster master cannot be upgraded without being restarted. During the restart it is "down", but the indexer cluster will continue to function.
The cluster itself can also be upgraded one indexer at a time, but each indexer must be down for a short time. If your replication and search factors are at least 2 then the cluster will continue to index data and process searches.
The procedure for upgrading a cluster is documented at https://docs.splunk.com/Documentation/Splunk/7.3.0/Indexer/Upgradeacluster.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

DavidHourani
Super Champion
‎06-06-2019 04:42 AM

Hi @santosh_hb,

You have two ways of doing it, either by bringing everything down :
https://docs.splunk.com/Documentation/Splunk/7.2.6/Indexer/Upgradeacluster#Upgrade_all_tiers_at_once

Or by splitting the tiers and upgrading servers separately :
https://docs.splunk.com/Documentation/Splunk/7.2.6/Indexer/Upgradeacluster#Upgrade_each_tier_separat...

The second approach will give you the lowest down time BUT your indexers will have to be down during the upgrade. It is however possible to do a rolling upgrade as shown here if you are running splunk version 7.1 or later :
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Searchablerollingupgrade

Let me know if that helps.

Cheers,
David

0 Karma
Reply

harsmarvania57
Ultra Champion
‎06-06-2019 04:02 AM

Hi,

Can you please let us know whether it is single site cluster or multi-site cluster ?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...