This is a scenario that I came across recently, Could anyone provide me an answer.
Scenario: You are upgrading Splunk Core, ES and ITSI in a hybrid environment. The on-prem portion is mostly focused towards ingestion (HFs, deployment, intermediaries) while the core Splunk application based on AWS. On-Prem and AWS use different technology stacks.
1) What is your approach to upgrading CORE, ES and ITSI with minimal interruption to customer experience?
2) What order would you upgrade Core, ES and ITSI? Also, What order would you upgrade Splunk Components (UFs, HFs, deployment, deployers, indexers, cm, lm, mc, etc..?
It depends on your topology. You can find information on below documentation;
As @scelikok said, upgrading those ES, ITSI depends on how you have implemented those. It's best to read installation instructions for those and if needed ask help from splunk support. General instructions is, first core then apps. And you must check version dependencies before start!
Here is update order of Splunk core components: https://community.splunk.com/t5/Installation/What-s-the-order-of-operations-for-upgrading-Splunk-Ent...
UF and HF part should update after core has updated as those versions cannot be higher than CORE has.