How to upgrade Splunk search head running 6.0.3 version to 6.4 version?

Hemnaath
Motivator

Hi All, we are planning to upgrade the Splunk search head, which is currently running version 6.0.3; ours is a distributed environment. The total number of search heads is four, out of which two are configured with 6.0.3 and the other two with 6.2.1 (Enterprise Security and PCI). Shared search head pooling is used. All the search heads and the shared search head pooling are configured in a Linux (VM) environment on premises.

So kindly let me know the exact steps/documents on how to upgrade the search head with shared search head pooling.

Note: We are going to upgrade only the search head initially then the rest of the components.

0 Karma

woodcock
Esteemed Legend

With CLI on each search head (assuming standard *NIX install):

cd /tmp
rm -f /tmp/*splunk*.tgz
# Your wget command here to get tarball

This is as much prep work as you can do (to limit downtime). With CLI on each search head, down all instances:

# Your backup or diag here; VERY IMPORTANT STEP!
sudo su - splunk
/opt/splunk/bin/splunk stop

Now all splunk instances are down; starting with the MOST important one through to the least important one, with CLI on each search head, upgrade and restart:

cd /opt
tar xvf /tmp/*splunk*.tgz
rm -f /tmp/*splunk*.tgz
/opt/splunk/bin/splunk start

0 Karma

Hemnaath
Motivator

Thanks, woodcock, for providing the steps. But as I said, currently we are planning to upgrade only two search heads from Splunk version 6.0.3 to 6.2.1, as the other Splunk instances are already running the same Splunk 6.2.1 version.

Infrastructure Details :
Search head 01 / 02
Splunk 6.0.3 (build 204106)
Linux – Red Hat Enterprise Linux Server release 6.7 (Santiago)
Virtual machine
2.6.32-573.22.1.el6.x86_64
HTTPS Port no: 8443

Splunk shared pooling server:
Linux – Red Hat Enterprise Linux Server release 6.7 (Santiago)
Virtual machine
2.6.32-573.22.1.el6.x86_64

Using splunk as sudo root user

Steps to upgrade –
Search head 01
1) As the initial step before doing the upgrade, the entire configuration setup needs to be backed up by executing ./splunk diag

2) Once the entire splunk folder is backed up, need to stop the splunk service by executing the below command
/opt/splunk/bin/splunk stop

3) Remove the entire splunk folder by executing the rm -rf command
rm -rf /opt/splunk

4) Download the splunk version Splunk 6.2.1 (build 245427) from this link
[https://www.splunk.com/eula/splunk/6.2.1?redirecturl=https%3A%2F%2Fwww.splunk.com%2Fpage%2Fdownload_...]

5) Install the tar file under the /opt directory by executing the below command.
tar xvzf splunk-6.2.1-245427-Linux-x86_64.tgz -C /opt

6) Once installed then start the splunk service by executing the below command

/opt/splunk/bin/splunk start --accept-license

7) Follow the same steps for the other search head, 02

Note:-
Do we need to do anything with the Splunk shared pooling server/Deployment manager, as both the search heads share the apps/user-specific details from this server? Since we are going to implement the steps directly in the Prod environment, I need to make sure nothing goes wrong.

So kindly guide me on whether these are the steps that should be followed to upgrade from 6.0.3 to 6.2.1, and also about the Splunk shared pooling server.
Thanks in advance.

0 Karma

Hemnaath
Motivator

Hi All, can anyone guide me on upgrading shared search head pooling from 6.0.3 to 6.2.1, as all other Splunk components are already running 6.2.1 Splunk instances, except the two search heads? Kindly let me know whether the above-mentioned steps in the comments can be followed to upgrade, as I am going to do this directly on the Prod environment.

Important – We are not using the default root certificate for communication, so when we upgrade to version 6.2.1, will it automatically fetch the necessary details, or do we need to copy and paste the details from the backup?

Thanks in Advance.

0 Karma

Hemnaath
Motivator

Hi All, can anyone guide me on how to upgrade the shared search head pooling from 6.0.3 to 6.2.1, and let me know whether we can follow the steps mentioned in the comments?

Thanks in advance.

0 Karma

ChrisG
Splunk Employee

For configuration instructions, begin with Overview of search head pooling and Create a search head pool in the Distributed Search manual.

Note that search head pooling has been deprecated as of Splunk Enterprise 6.2. I see you are only upgrading to 6.2.1, but this is still worth keeping in mind. Also, the latest maintenance release of 6.2 is 6.2.11, so there are a lot of bug fixes available even in the 6.2 line.

woodcock
Esteemed Legend

The document you need began life at version 6.3.0 but that is close enough to your situation that I would go with what the Upgrade a distributed environment with multiple indexers and pooled search heads section recommends:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Installation/UpgradeyourdistributedSplunkEnterpris...

0 Karma

Hemnaath
Motivator

Thanks, Woodcock. But can I upgrade the search head from 6.0.3 to 6.2.1 first, as we have all other components running version 6.2.1? Before upgrading the search head pooling in a distributed environment, I would like to understand how to configure search head pooling in a distributed environment. Is it possible to provide a step-by-step guide on configuring the shared search head pooling?

Thanks in advance.

0 Karma

woodcock
Esteemed Legend

Technically, all members of the pool MUST be on the same version so you are already in a totally unsupported configuration. The right way to do it is to down all of your search heads (total outage) and then upgrade each one, starting with the most critical one. This is the only way to remain in the mandated "all members of the pool must be on the same version" requirement, including during the upgrades.

0 Karma
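
The same-version requirement described in the reply above can be checked before the outage and again after the restarts. This is an added example, not part of the original thread or Splunk's own tooling: it reads one line per pool member in the form "<host> <output of `splunk version`>" and reports any version mix. The host names sh01 to sh04 and the way the lines are collected are assumptions.

```shell
#!/bin/sh
# Added example: check that every search head pool member reports the same
# Splunk version. Input lines are "<host> <output of 'splunk version'>",
# e.g. "sh01 Splunk 6.0.3 (build 204106)". Host names are hypothetical.

# Print "<version> <count>" for each distinct version found on stdin.
pool_version_summary() {
    awk '$2 == "Splunk" && $3 ~ /^[0-9]+(\.[0-9]+)+$/ { n[$3]++ }
         END { for (v in n) print v, n[v] }' | sort
}

# Return 0 when all members share one version, 1 on a mix, 2 on no usable input.
pool_versions_consistent() {
    distinct=$(pool_version_summary | wc -l | tr -d ' ')
    case "$distinct" in
        1) return 0 ;;
        0) return 2 ;;
        *) return 1 ;;
    esac
}

# Print the hosts that are not yet on the target version given as $1.
pool_members_behind() {
    awk -v target="$1" '$2 == "Splunk" && $3 != target { print $1 }'
}

# Constructed sample mirroring the thread: two members on 6.0.3, two on 6.2.1.
SAMPLE_MIXED='sh01 Splunk 6.0.3 (build 204106)
sh02 Splunk 6.0.3 (build 204106)
sh03 Splunk 6.2.1 (build 245427)
sh04 Splunk 6.2.1 (build 245427)'

# Constructed sample after both 6.0.3 members have been upgraded.
SAMPLE_UPGRADED='sh01 Splunk 6.2.1 (build 245427)
sh02 Splunk 6.2.1 (build 245427)
sh03 Splunk 6.2.1 (build 245427)
sh04 Splunk 6.2.1 (build 245427)'

if printf '%s\n' "$SAMPLE_MIXED" | pool_versions_consistent; then
    echo "pool is on a single version"
else
    echo "version mix; members behind 6.2.1:"
    printf '%s\n' "$SAMPLE_MIXED" | pool_members_behind 6.2.1
fi
```
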

Hemnaath
Motivator

Thanks, Woodcock. Could you please provide me a step-by-step approach on configuring the shared search head pooling? Thanks in advance.

0 Karma

woodcock
Esteemed Legend

See new answer.

0 Karma