About rjk123

rjk123

I am preparing to upgrade a distributed and clustered Splunk Enterprise install from 7.3.3 to 8.1.2, but the install guides are not clear for the correct method. My current plan is to upgrade in the following order: Deployment Servers (primary and standby) Cluster Masters / License Masters (primary and standby) Search Head cluster 2-site Indexer cluster and afterward, all the HFs and UFs (many of each). Where I'm not clear is the SH/IDX process. SH: rolling or all at once? IDX: one site at a time, or all at once? I have found documentation that says we can do rolling upgrade of SH's, and can do IDX's one site at a time, but other documentation that implies I have to do all SH and IDX in one big hit (because 7.3.3 > 8.1.2 is more than a single version jump). My colleagues are in conflict which is correct. Any clues to the real answer here? Thanks for any help.

rjk123 · ‎08-27-2020

Don't worry, I think I found it. I can see other logs configured in inputs.conf with the same case, and these show up okay in splunk. Answer = NOT case sensitive.

rjk123 · ‎08-27-2020

I have an example where logs are not shown in splunk search, and I can see the index name in the inputs file has mixed case, but the actual index name is all lower case. Will this the cause the logs to not get ingested? I also note the sourcetype case is wrong too, so are any/all these fields case sensitive? actual index name: "target_index" [monitor:///file/path/logfile.log] index = Target_Index sourcetype = mBAS_log disabled = false Thanks for the help.

Posts	3
Solutions	1
Karma Given	1
Karma Received	0
Member Since	‎11-23-2019

Online Status	Offline
Date Last Visited	a month ago

upgrade steps for clustered environment 7.3.3 to 8...

is the index field in inputs.conf case sensitive?

upgrade steps for clustered environment 7.3.3 to 8...

Re: is the index field in inputs.conf case sensiti...

is the index field in inputs.conf case sensitive?