Splunk Enterprise

Multiple Splunk Versions on single server

PramodhKumar
Explorer

Hi Splunkers,

We have planned to upgrade our Splunk cluster to 8.0.3, we thought to install new version on another directory and preparing things there and stop the old splunk and start the new one, would this be a good idea? if yes how to do this..

any help is much appreciated.

Thanks,
Pramodh

Labels (1)
Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @PramodhKumar,
in my mind this isn't a good idea!
the best thing is to plan your upgrade:

  • identify your upgrade path (for more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.3/Installation/HowtoupgradeSplunk ):
    • directly, if you have Splunk higher than 7.0,
    • passing through another version, if you have Splunk lower than 7.0;
  • Plan you upgrade:
    • Master Node,
    • Search Heads (eventually Deployer),
    • Indexers,
    • Heavy Forwarders,
  • check the readiness of your Apps (Python 2.7 is going out), use the Splunk Platform Upgrade Readiness App ( https://splunkbase.splunk.com/app/4698/ );
  • when you're ready, execute your Upgrade, eventually (if you have Splunk higher than 7.1.x) using Rolling Update to limit the downtime.

You can find more infos at https://docs.splunk.com/Documentation/Splunk/8.0.3/Installation/UpgradeyourdistributedSplunkEnterpri...

Ciao.
Giuseppe

View solution in original post

PramodhKumar
Explorer

Read Comments for the answer, I'm accepting it.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @PramodhKumar,
in my mind this isn't a good idea!
the best thing is to plan your upgrade:

  • identify your upgrade path (for more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.3/Installation/HowtoupgradeSplunk ):
    • directly, if you have Splunk higher than 7.0,
    • passing through another version, if you have Splunk lower than 7.0;
  • Plan you upgrade:
    • Master Node,
    • Search Heads (eventually Deployer),
    • Indexers,
    • Heavy Forwarders,
  • check the readiness of your Apps (Python 2.7 is going out), use the Splunk Platform Upgrade Readiness App ( https://splunkbase.splunk.com/app/4698/ );
  • when you're ready, execute your Upgrade, eventually (if you have Splunk higher than 7.1.x) using Rolling Update to limit the downtime.

You can find more infos at https://docs.splunk.com/Documentation/Splunk/8.0.3/Installation/UpgradeyourdistributedSplunkEnterpri...

Ciao.
Giuseppe

PramodhKumar
Explorer

Thank you so much @gcusello

Would you please let me know what was the bad you identified with my approach so that i can justify myself.

Namaskara,
Pramodh

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @PramodhKumar,
at first surely your resources aren't sufficient to run two instances of Splunk in each system.
So, if your want to test your application it's better to use lab systems and not another instance on the same systems.
For this scope, remember to use the Splunk Platform Upgrade Readiness App that was done by Splunk just for this.

Then if you install another instance of Splunk in each server, you have to configure different ports for each one and modify your Universal Forwarders to send logs to both the instances with double consuption of license.
If instead you configure your UFs to send logs only to the new one you don't need a double instance.

I hope to be clear enough to convince you of the approach to follow.
In my experience, I have never seen or heard suggest the use of multiple instances on the same infrastructure, unless it is a laboratory to save machines.

Ciao.
Giuseppe

PramodhKumar
Explorer

Hi @gcusello Thank you for detailing but we are not interested to keep two versions running at same time.
We will be running older version all the time meanwhile we prepare everything in newer version(to the one we need upgrade) then stop older version and start new and see changes else do the reverse of it? what do you suggest for this.

Thanks,
Pramodh

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @PramodhKumar,
this is my first hint and the best approach!
follow the instructions in the urls I linked in my first answer.
There's only one step to add to the above procedure I described: at the end, force the use of Python3 following the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.3/Installation/Python3LowEffort .

Ciao and next time.
Giuseppe

0 Karma

PramodhKumar
Explorer

Hi @gcusello , Thanks for your help, i think i'm dragging somewhere, apologies if so.

We will go through your suggestions.

Another question for you, do we need to do anything with regards to Python as too may questions of Python Version Compatibility.
1. We are on python 2.6 (linux runtime version)
2. python 2.76 on Splunk 7.2.4
3. For Splunk 8.0.3, do we need to update any of the above one or splunk itself ships with latest python and needs our intervention to change any config to make it default.
4. What are the use cases we can consider to upgrade to Python3, I mean the scripts splunk ships with, scripts that our apps uses etc..

a kind help is really appreciated.

Thanks and Regards,
Pramodh

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @PramodhKumar,
you don't immediately need to upgrade to Python3 because Splunk 8 maintains compatibity with both Python2 and 3, but it's better to start to think also to this from now
(I did it for all my customers now in Splunk 8 upgrade).

The Splunk Platform Upgrade Readiness App helps you in this job giving a report about the readiness of your apps and the mandatory upgrades.

Ciao.
Giuseppe

0 Karma

PramodhKumar
Explorer

Thank you so much, i really appreciate your time and efforts in clarifying my doubts.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @PramodhKumar,
You're welcome, it ws a pleasure!
Ciao and next time!
Giuseppe

0 Karma

PramodhKumar
Explorer

Hi @gcusello,

another help please? Can you have a look into this question if you are free?

https://answers.splunk.com/answers/817927/forwarders-version-compatibility-with-indexer-vers.html

Also do i need to change python version settings in server.conf after upgrade as safer side?

Many Thanks,
Pramodh

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...