I am currently planning on upgrading our Splunk Enterprise to version 6.5.2. I know I need to upgrade the Search Heads prior to the Indexers but I'm not sure what order everything else belongs in and am looking for a recommendation.
We have 18 indexers, running version 6.4.1.
We have 8 search heads in a cluster, running version 6.4.1.
We have a deployer (Cluster Master), running version 6.4.1.
We have a deployment server, running version 6.3.1.
We have 4 heavy forwarders that we use as syslog-ng and snmptrapd servers, running versions 6.3.1
We have several standalone search heads, not in the cluster, that do our alerting and run Splunk DB Connect and/or the Splunk App for CEF, running in either 6.3.1 or 6.4.1.
We have a mixed bag of Universal Forwarders running 5.x and 6.x versions.
I've read that the deployment server needs to be shut off and upgraded and left off until the other upgrades are done. Is this true? I'm planning on bucketing the upgrades over the span of several days and don't want to leave the deployment server off for that duration.