Powering down Indexers for maintenance

np_hwp · ‎08-25-2020

We have four indexers in a cluster, single site, with RF=3 and SF=2.

We will have a maintenance that will require two indexers power down (EC2 instances), and the maintenance will last about two hours.

What will be the proper way or sequence for taking those two indexer servers power down?

Should I do splunk offline on one indexer first, power down, wait for a while, and then proceed to other indexer?

or should I do splunk offline on both servers , and power down simultaneously?

thambisetty · ‎08-25-2020

splunk offline is not recommended for two hours long.
you can enable maintenance-mode on cluster master.

you can do below:

stop the Splunk Indexer
disable boot-start (if you need to do multiple restart during your maintenance, this will avoid starting of splunk service)
once you are done with activity you can start splunk and enable boot-start.

you can do same for other Indexer at the same time.

once you are done with activity on both servers. You can enable maintenance-mode on cluster master.

————————————
If this helps, give a like below.

richgalloway · ‎08-25-2020

It's better to do one at a time, if you can. Bring the first back up before taking the other one down.
If they both have to be down at the same time, then IMO it's better bring them both down at about the same time. That will keep the CM from moving primary buckets to the indexer that's next to go down.

---
If this reply helps you, Karma would be appreciated.

Powering down Indexers for maintenance

administration

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms