Thanks Wood for your quick response,
Please correct me on the steps below if I missed any.
Step 1 --> Perform patching on the Cluster Manager
a. Run splunk stop to stop the SPLUNK process
b. Perform the update and restart
c. Post reboot the Cluster Manager will be back online
Step 2 --> Perform patching on the Search Head
a. Run splunk stop to stop the SPLUNK process
b. Perform the update and restart
c. Post reboot the Search Head will be back online
Step 3 --> Perform patching on the Indexer peers
a. Run splunk enable maintenance-mode on the CM
b. Run splunk stop on Indexer 1
c. Perform the update and restart
d. Post reboot Indexer 1 will be back online
e. Run splunk stop on Indexer 2
f. Perform the update and restart
g. Post reboot Indexer 2 will be back online
h. Run splunk disable maintenance-mode on the CM
i. Confirm with splunk show maintenance-mode on the CM
How about forwarders, do I need to stop them?
While the cluster master is in maintenance-mode, will it ingest logs from other sources in the indexers?
Is there any data loss (search head logs / forwarder logs) in the indexers while it is in maintenance mode?