Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

What is the best sequence for a Splunk distributed deployment shutdown?

Gursimar_singh
Engager
‎01-11-2023 12:20 AM

We have a distributed deployment consisting of  2 Search heads, 1 indexer, Deployment server, 2 Heavy Forwarders, Universal Forwarders and a Syslog server. We need to shut it down and then boot it back up. What is the best sequence to shutdown and boot up the environment gracefully? 

Also anything to keep in mind while doing so to avoid errors. 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-11-2023 02:50 AM

You can shut down the servers in virtually any order. Just be aware that the functionality of the downed component will not be available. But since you want to shut the whole environment down, you probably don't mind that.

Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-11-2023 08:28 AM

Hi

It's just like @PickleRick said. One comment to that. When you have shutdown indexer you cannot ingest any new events. For that reason I prefer to start from out circle like UFs then HFs, then other splunk infra nodes and indexer as a last one. Then you will have as much events on it as possible (e.g. for further debug purpose). And when you will start the whole environment I use the reverse order for the same reason.

If you just want to restart then any order is a good order.

BUT if you are doing "live update" (cannot do it really as you have only one indexer), you must follow up the correct order. You can found it from here or from Splunk Lantern.

r. Ismo

Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-11-2023 10:55 AM

True. On the other hand, if you have some "transient" sources, like syslog, the longer your forwarders are down, the more events you can't receive and queue so it's up to the particular architecture. Technically nothing should "break" just because you shut down indexers before search-head or vice-versa.

Anyway, if the downtime is planned for splunk upgrade, it can be performed one node at a time, not necessarily needing to shut down the whole setup.  (of course the proper order should be maintained).

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...