I am preparing to upgrade a distributed and clustered Splunk Enterprise install from 7.3.3 to 8.1.2, but the install guides are not clear on the correct method. My current plan is to upgrade in the following order:

- Deployment Servers (primary and standby)
- Cluster Masters / License Masters (primary and standby)
- Search Head cluster
- 2-site Indexer cluster

and afterward, all the HFs and UFs (many of each).

Where I'm not clear is the SH/IDX process. SH: rolling or all at once? IDX: one site at a time, or all at once? I have found documentation that says we can do a rolling upgrade of SHs, and can do IDXs one site at a time, but other documentation that implies I have to do all SH and IDX in one big hit (because 7.3.3 > 8.1.2 is more than a single version jump). My colleagues are in conflict over which is correct. Any clues to the real answer here? Thanks for any help.

I have an example where logs are not shown in Splunk search, and I can see the index name in the inputs file has mixed case, but the actual index name is all lower case. Will this cause the logs to not get ingested? I also note the sourcetype case is wrong too, so are any/all of these fields case sensitive?

actual index name: "target_index"

[monitor:///file/path/logfile.log]
index = Target_Index
sourcetype = mBAS_log
disabled = false

Thanks for the help.