Splunk® Enterprise

Distributed Search

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Upgrade a search head cluster

This topic describes how to upgrade a search head cluster. The process is the same for maintenance, minor, and major release upgrades.

Starting with version 6.5, you can perform a rolling upgrade. This allows the cluster to continue operating during the upgrade. To use the rolling upgrade process, you must be upgrading from version 6.4 or later.

Perform a rolling upgrade

When upgrading from version 6.4 or later, you can perform a rolling upgrade, as long as the search head cluster is not integrated with an indexer cluster.

If the search head cluster is part of an indexer cluster, you cannot perform a rolling upgrade. Instead, you must bring down all cluster members during the upgrade process, following the steps in Perform a non-rolling upgrade.

Caution: Before performing the upgrade, note the following requirements:

  • Mixed-version clusters are not supported during the ongoing functioning of the cluster. Therefore, you must move quickly through the rolling upgrade process, first upgrading one member and then immediately upgrading the next, and so on, until you finish upgrading all members.
  • Do not attempt any clustering maintenance operations, such as rolling restart, during upgrade.
  • At the end of the upgrade, all members must be running the same version of Splunk Enterprise (down to the maintenance level).
  • You can run search head cluster members against 5.x or 6.x search peers, so it is not necessary to upgrade the indexers at the same time. See Splunk Enterprise version compatibility.


  1. Upgrade one member and make it captain:
    1. Stop the member.
    2. Upgrade the member.
    3. Start the member and wait while it joins the cluster.
    4. Transfer captaincy to the upgraded member. See Transfer captaincy.
  2. For each additional member, one-by-one:
    1. Stop the member.
    2. Upgrade the member.
    3. Start the member.
  3. Upgrade the deployer:
    1. Stop the deployer.
    2. Upgrade the deployer.
    3. Start the deployer.

Perform a non-rolling upgrade

In a non-rolling upgrade, all cluster members are down for the duration of the upgrade process.

You must perform a non-rolling upgrade under these circumstances:

  • When upgrading from version 6.3 or earlier.
  • If the search head cluster is integrated with an indexer cluster.

Caution: Before performing the upgrade, note the following requirements:


  1. Stop all cluster members.
  2. Upgrade all members.
  3. Stop the deployer.
  4. Upgrade the deployer.
  5. Start the deployer.
  6. Start the members.
  7. Wait one to two minutes for captain election to complete. The cluster will then begin functioning.

Deployer initiates restart after post-6.2.6 upgrade

The deployer handles user configurations differently in versions higher than 6.2.6, compared to versions 6.2.6 and below. Because of this change, the first time that you use the deployer to distribute updates after upgrading your cluster to a version higher than 6.2.6, the deployer must initiate a rolling restart of all cluster members.

This restart takes place the first time, post-upgrade, that you run the splunk apply shcluster-bundle command. The restart only occurs if you had used the deployer to push user configurations in 6.2.6 or below.

This change in user configuration deployment means that such configurations no longer reside in default directories on the cluster members. This enables certain runtime operations on the configurations. Specifically, you can now delete or move the configurations or change their sharing levels. For more information on how the deployer handles user configurations post-6.2.6, see User configurations.

Changed behavior for user-based and role-based search quotas

The default behavior for handling user-based and role-based concurrent search quotas has changed with version 6.5.

In versions 6.3 and 6.4, the default is to enforce the quotas across the set of cluster members. Starting with 6.5, the default is to enforce the quotas on a member-by-member basis.

You can change quota enforcement behavior, if necessary. See Job scheduling.

Last modified on 19 April, 2017
Migrate from a search head pool to a search head cluster
Configure the search head cluster

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters