Deployment Architecture

Require suggestion on UF upgradation and Required older versions of universal forwarder

AsmaF2025
Explorer


I have a bunch of Splunk universal forwarders which run on version 6.6.3 on Linux machines. I'm looking forward to upgrading them to 8.0.x.
Am I good enough to do the straight upgrade from 6.6.3 to 8.0.x?
My Splunk Enterprise instances are on version 8.2.7. As a next plan, we will also be updating Splunk Enterprise to the 9.x.x series. If I go ahead and update Splunk Enterprise to version 9.0, I hope UF with 6.6.3 is not compatible with 9.0 as per the official doc.


QA:
1. I can do a straight upgrade from 6.6.3 to 8.0.x?
2. How do I get the older version UF packages, required tgz, rpm and msi?

Request suggestions and guidance, please.

#universalforwarder6.6.3 #universalforwarder8.0.x #Linux #upgradation


livehybrid
Super Champion

Hi @AsmaF2025 

I don't have the specifics of each migration as I haven't done an upgrade to 7.x for a number of years now, however the docs really want you to upgrade to 7.x before upgrading to 8.x - "Do not try to upgrade Splunk Enterprise or Splunk universal forwarders directly to version 8.0 from a version that is lower than 7.0"

You can upgrade from 6.6.x to > 7.1.x but < 8.0.x so really the logical option for me would actually be 7.3.9. The docs for 7.3.9 state "Upgrades to Splunk Enterprise and Universal Forwarders version 7.3 require the existing installation to be version 6.6.x or higher "

The other reason I would go for 7.3.9 is because if you wanted, you could actually upgrade to 8.2.x to match the rest of your existing deployment, the docs state "Upgrading a universal forwarder directly to version 8.2 is supported from versions 7.3.x, 8.0.x, and 8.1.x "

If it's useful, the download links for 8.2.12 are:

https://download.splunk.com/products/universalforwarder/releases/8.2.12/linux/splunkforwarder-8.2.12-e973afd6886e-Linux-x86_64.tgz
https://download.splunk.com/products/universalforwarder/releases/8.2.12/linux/splunkforwarder-8.2.12-e973afd6886e-linux-2.6-amd64.deb
https://download.splunk.com/products/universalforwarder/releases/8.2.12/linux/splunkforwarder-8.2.12-e973afd6886e-Linux-x86_64.tgz

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
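
The three upgrade rules quoted in the answer above, encoded as a small path planner. This is an added example, not part of the original post or any Splunk tooling; the function names are hypothetical, only the rules quoted in this thread are modelled, and 7.3.9 is used as the intermediate hop the answer recommends.

```shell
#!/bin/sh
# mm VERSION -> major*100+minor, e.g. 6.6.3 -> 606 (patch level is ignored)
mm() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    echo $(( major * 100 + minor ))
}

# direct_ok FROM TO -> 0 if the rules quoted in the thread allow a direct upgrade,
# 1 if they forbid it, 2 if the thread quotes no rule for that target release.
direct_ok() {
    from=$(mm "$1"); to=$(mm "$2")
    [ "$from" -lt "$to" ] || return 1
    case "$to" in
        # "version 7.3 require the existing installation to be version 6.6.x or higher"
        703) [ "$from" -ge 606 ] ;;
        # "Do not try to upgrade ... directly to version 8.0 from a version that is lower than 7.0"
        800) [ "$from" -ge 700 ] ;;
        # "directly to version 8.2 is supported from versions 7.3.x, 8.0.x, and 8.1.x"
        802) [ "$from" -eq 703 ] || [ "$from" -eq 800 ] || [ "$from" -eq 801 ] ;;
        *)   return 2 ;;
    esac
}

# plan_path FROM TO -> prints the hop sequence, or fails if the quoted rules give none.
plan_path() {
    hop=7.3.9   # intermediate release suggested in the answer
    if direct_ok "$1" "$2"; then
        echo "$1 -> $2"
    elif direct_ok "$1" "$hop" && direct_ok "$hop" "$2"; then
        echo "$1 -> $hop -> $2"
    else
        echo "no upgrade path derivable from the quoted rules: $1 -> $2" >&2
        return 1
    fi
}

# Constructed inputs: the forwarder version from the question and the two targets discussed.
plan_path 6.6.3 8.0.10
plan_path 6.6.3 8.2.12
```

Targets for which the thread quotes no rule (for example 9.x) are reported as having no derivable path, so the release notes for that version still need to be checked by hand.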


PickleRick
SplunkTrust

Actually, assuming that you're managing your configs with a deployment server, it might prove easier and less error-prone to uninstall old UF version and simply deploy a fresh install of a new UF version and attach it to the DS.

But this might cause duplication of ingested data if the state files (mostly fishbucket but also state of eventlog inputs or wmi inputs) are not handled properly.

0 Karma

livehybrid
Super Champion

Here are the download links which may also help:

8.0.10:

https://download.splunk.com/products/universalforwarder/releases/8.0.10/linux/splunkforwarder-8.0.10-9f06f1f5a2e9-Linux-x86_64.tgz
https://download.splunk.com/products/universalforwarder/releases/8.0.10/linux/splunkforwarder-8.0.10-9f06f1f5a2e9-linux-2.6-x86_64.rpm
https://download.splunk.com/products/universalforwarder/releases/8.0.10/linux/splunkforwarder-8.0.10-9f06f1f5a2e9-linux-2.6-amd64.deb

 7.3.9:

https://download.splunk.com/products/universalforwarder/releases/7.3.9/linux/splunkforwarder-7.3.9-39a78bf1bc5b-linux-2.6-x86_64.rpm
https://download.splunk.com/products/universalforwarder/releases/7.3.9/linux/splunkforwarder-7.3.9-39a78bf1bc5b-linux-2.6-amd64.deb
https://download.splunk.com/products/universalforwarder/releases/7.3.9/linux/splunkforwarder-7.3.9-39a78bf1bc5b-Linux-x86_64.tgz


AsmaF2025
Explorer

@livehybrid 
Thanks for your help in this regard.
Based on reviewing your response - I should be good to update my Splunk universal forwarder from version 6.6.3 to Splunk universal forwarder version 7.3.9 and then to version 8.0.10.
But the suggested approach is:

6.6.x -> 7.1.x -> 8.0

Why stick to 7.3.9?
Can you also guide me on how to get download links for older version releases?
And with respect to fishbucket and migration changes, I don't see anything captured in the doc, even in the issues session. Could you please give a glimpse of the same?

0 Karma


AsmaF2025
Explorer

@livehybrid  / All, 
Thanks for the time you took to reply.

My requirement is to update Splunk universal forwarder from 6.6.3 to Splunk universal forwarder 8.0.x.
And my current version of Splunk Enterprise is 8.2.7, which will be upgraded next to version 9.0.x.
Assuming updating the universal forwarder to 8.0.x will be compatible with Splunk Enterprise 9.x.x.

QA:
1. I can do a straight upgrade from 6.6.3 to 8.0.x?
2. How do I get the older version UF packages, required tgz, rpm and msi?

Request suggestions and guidance, please.



0 Karma

livehybrid
Super Champion

Hi @AsmaF2025 

According to the documentation we must install 7.1.x before upgrading to 8.0.x - See https://docs.splunk.com/Documentation/Splunk/8.0.10/Installation/HowtoupgradeSplunk#:~:text=and%20re...

Personally I have achieved this upgrade directly previously however it has been discussed on here before that there are a bunch of different things such as fishbucket etc which get upgraded along the way and therefore you should follow the documented upgrade path.


 

AsmaF2025
Explorer

@livehybrid 
Thanks for the time you took to reply. My requirement is to update Splunk universal forwarder from 6.6.3 to Splunk universal forwarder 8.0.x. Seems like you are referring to Splunk Enterprise upgradation.

0 Karma

livehybrid
Super Champion

Hi @AsmaF2025 

Yes, those documents are labelled Splunk Enterprise, however the upgrade paths for UF and full Enterprise install are the same due to shared components which require updating, such as fishbucket and config migration etc.

There is a lot more in common between UF and full enterprise install than people often think. The main obvious difference is that Enterprise includes Python and Mongo DB. 

Nevertheless the upgrade paths are the same. 

 

 
