product
service
- Simple Security Consulting [Consulting]
- Splunk SOAR Automation Assessment Service [Consulting]
- Dashboard/SPL Creation Pack [Implementation/Building Support]
- Version upgrade service [implementation and construction support]
- Splunk Premium Apps construction support service [implementation and construction support]
- Splunk Security Log Analysis Start Package [Original App/Service]
- Splunk × CrowdStrike Falcon Insight, Macnica Original App [Original App/Service]
- Government uniform standard compatible App [Original App/Service]
- Smart Security Monitoring App [Original App/Service]
- Splunk × LANSCOPE Original App [Original App/Service]
- Security Monitoring App for Box [Original App/Service]
- Cloud Security Monitoring App [Original App/Service]
- SIEM Operation Monitoring Service [Original App/Service]
- List of services
- Macnica Premium Support for Splunk (utilization support, version upgrade monitoring)
- Macnica Premium Support for Splunk Skill Up Package
Specifications/Technical Information
Application for evaluation machine
- FAQ
Procedure to stop and start all Splunk services in a cluster environment
- release date
- 2015-05-28
- last updated
- 2023-11-30
- version
- Splunk Enterprise 9.0.3
- Overview
- Order and execution commands to stop/start all Splunk services in a cluster environment
- Reference information
-
- https://docs.splunk.com/Documentation/Splunk/9.0.3/Indexer/Upgradeacluster
- https://docs.splunk.com/Documentation/Splunk/9.0.3/DistSearch/UpgradeaSHC
- https://docs.splunk.com/Documentation/Splunk/9.0.3/Indexer/Usemaintenancemode
- https://docs.splunk.com/Documentation/Splunk/9.0.3/Indexer/Takeapeeroffline
- content
-
Order of stopping/starting Splunk services in a clustered environment
When stopping/starting the Splunk server for the purpose of periodic power outages or server maintenance, not for version upgrades, etc., stop/start the Splunk services in the following order.
[Stop]
① Stop forwarder
②Search head stop
(3) Stop the deployment server
④Stop deployer
(5) Indexer stop
(6) Stop the cluster master
⑦ Suspension of license master[Start-up]
① Start license master
(2) Start the cluster master
(3) Start indexer
④ Start search head
⑤ Start forwarder
(6) Start the deployment server
⑦ Launch deployerSpecifically, if you want to stop and start all Splunk services, please follow the steps below. Please replace $SPLUNK_HOME in the following steps with the Splunk installation directory.
*For default installation
<Linux>
$SPLUNK_HOME : /opt/splunk<Windows>
$SPLUNK_HOME : C:\Program Files\splunk▼Full stop
- Forwarder's Splunk service stop
$SPLUNK_HOME/bin/splunk stop- Search head Splunk service stop
$SPLUNK_HOME/bin/splunk stop- Stop the Splunk service on the deployment server
$SPLUNK_HOME/bin/splunk stop- Stop the Splunk service on the deployer
$SPLUNK_HOME/bin/splunk stop- Switching to maintenance mode (performed on the cluster master)
$SPLUNK_HOME/bin/splunk enable maintenance-mode --answer-yes -auth admin:<password>By switching to maintenance mode, you can prevent unnecessary replication processing without judging that the indexer is down when it is stopped. For more information on maintenance mode, please refer to the document below.
http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/Usemaintenancemode
- By switching to maintenance mode, you can prevent unnecessary replication processing without judging that the indexer is down when it is stopped. For more information on maintenance mode, please refer to the document below.
https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Usemaintenancemode
- Confirm that it has been switched to maintenance mode (performed on the cluster master)
$SPLUNK_HOME/bin/splunk show maintenance-mode -auth admin:<password>* When switching to maintenance mode, the output is as follows.
Maintenance mode is : 1- Adjust timeout value (performed on cluster master)
$SPLUNK_HOME/bin/splunk edit cluster-config
-restart_timeout <秒数> -auth admin:<password>*Please specify the time it takes to stop the Splunk service for all indexers.
*If it's not too short, a rough time is fine.
*If you set it short, there is a possibility that unnecessary bucket copies will occur and it may take time to start up.
*This timeout value is effective only when stopping with the offline command, so there is no particular need to restore it.
- Stop the Splunk service on the indexer
$SPLUNK_HOME/bin/splunk offline- Stop Splunk service on cluster master
$SPLUNK_HOME/bin/splunk stop- Stop Splunk service on license master
$SPLUNK_HOME/bin/splunk stop▼ Full start
- Start the Splunk service on the license master
$SPLUNK_HOME/bin/splunk start- Start Splunk service on cluster master
$SPLUNK_HOME/bin/splunk start- Switching to maintenance mode (performed on the cluster master)
$SPLUNK_HOME/bin/splunk enable maintenance-mode --answer-yes -auth admin:<password>*In Splunk 6.5.x and earlier versions, maintenance mode is disabled after restarting, so it is necessary to switch to maintenance mode again.
- Confirm that it has been switched to maintenance mode (performed on the cluster master)
$SPLUNK_HOME/bin/splunk show maintenance-mode -auth admin:<password>* When switching to maintenance mode, the output is as follows.
Maintenance mode is : 1- Start indexer Splunk service
$SPLUNK_HOME/bin/splunk start- Disable maintenance mode (done on cluster master)
$SPLUNK_HOME/bin/splunk disable maintenance-mode -auth admin:<password>- Make sure maintenance mode is disabled (done on cluster master)
$SPLUNK_HOME/bin/splunk show maintenance-mode -auth admin:<password>*When the maintenance mode is disabled, the output is as follows.
Maintenance mode is : 0- Start Splunk service for search head
$SPLUNK_HOME/bin/splunk start- Start Splunk service on forwarder
$SPLUNK_HOME/bin/splunk start- Start the Splunk service on the deployment server
$SPLUNK_HOME/bin/splunk start- Start the deployer's Splunk service
$SPLUNK_HOME/bin/splunk startthat's all
In charge of Macnica Splunk Co., Ltd.
- TEL:045-476-2010
- E-mail:splunk-sales@macnica.co.jp
Mon-Fri 8:45-17:30
