Installation

Why is splunkd not running after downgrading from 8.3.3 to 8.1.6?

tokio13
Path Finder

Hello,

I'm encountering the following issue on one of my indexers (from a total of 3) after downgrading from 8.3.3 to 8.1.6. All my other components (3SH,CM,MC,Deployer, Indexer2 and 3 are working fine after downgrading.)

I tried pretty much everything to kill the process, restart splunk, restart the instance on the cloud, nothing seems to help.

splunkd is not running.

Labels (2)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Splunk is not supporting downgrade after update very well 😞 For that reason the instructions are do a backup and restore it as a downgrade, but then you of course lost some events.

What this instance has written to it's splunkd.log on filesystem? There should be reason why it didn't start.

As you have an indexer cluster and if/when your SF+RF >=2 then maybe the easiest way is just remove that instance from cluster and reinstall it with 8.1.6 and then rejoin it back? Of course it needs that your CM said that you still have all data searchable.

r. Ismo

View solution in original post

tokio13
Path Finder

What worked was, removing it and installing 8.1.6 all over again as you recommended. 

Thanks!

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Great, if needed there are some discussion about rebalance events https://community.splunk.com/t5/Installation/New-indexer-sync-is-very-slow/m-p/538596

 

SanjayReddy
Builder

Hi @tokio13 

what  error message are  you seeing while starting the splunkd  and Splunkd.log of Indexer?.

any dubplicate bukctet confilit in Splunkd.log issues ? 

any lock file present under /var/run/splunk/

was there any permission issue for directrory ? 

if you clould share the error logs , that can help to troubleshoot furthur 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Splunk is not supporting downgrade after update very well 😞 For that reason the instructions are do a backup and restore it as a downgrade, but then you of course lost some events.

What this instance has written to it's splunkd.log on filesystem? There should be reason why it didn't start.

As you have an indexer cluster and if/when your SF+RF >=2 then maybe the easiest way is just remove that instance from cluster and reinstall it with 8.1.6 and then rejoin it back? Of course it needs that your CM said that you still have all data searchable.

r. Ismo

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...