just for a background. We use an existing Splunk setup since a couple of years. The old Splunk single host (indexer, search head, deployment server, etc) is version 6.2.0. We also have a lot of Windows servers with installed Universal Forwarders (Version 6.2.0).
Now we setup a new environment as a Splunk indexer cluster with a dedicated Search Head / Deployment Server. The basic system is up and running and the forwarders (6.2.0 / 7.0.0) are sending their events to the cluster. But the forwarders are not listed on the Forwarder Management Webpage.
Do we have to upgrade the old Forwarders to get the communication working between 6.2.0 forwarder and 7.0.0 Deployment server?
The deploymentclient.conf on the old forwarder (6.2.0) was updated to the new deployment server and the service (splunkd) was restarted after the configuration change.
In the documentation I couldn't find any information that it isn't supported to use older versions of forwarders with a newer/later version of Deployment Server.
If somebody have had the same problem and was able to fix it, any information are welcome.
at first, it isn't a best practice to have Deployment Server and Search Head on the same server: if you have more than 50 Forwarders to manage you have to use a dedicated Deployment Server.
To have Forwarders 6.2.x isn't a problem (I have Forwarders 6.1.5 in one of my projects with no problems).
But, you're sure that all the forwarders address the new Deployment Server? maybe some of them still have as Deployment Server the old one!
thanks for you answer.
You are absolutly right. It is not recommended to use Search Head and Deployment Server on the same server. But for my test it should be okay.
Unfortunately I cannot see any 6.2.0 forwarders under the deployment server (forwarder management). I only see there the forwarders which has installed the 7.0.0 version.
On the old (6.2.0) forwarders I found such messages into the splunkd.log
"INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected"
I don't know why it tells me "not_connected".
Only a quick answer: have you still active the old Splunk server? do you continue to see on it the old Forwarders?
At first, check if your 6.2.0 forwarders have the correct deploymentclient.conf and if they can reach the new Deployment Server on 8089 port.
Then try to upgrade one of them and verify if you see the new one on the new Deployment Server.
For my experience version isn't a problem!
On the old DS I see the entries from the 6.2.0 Forwarders, but the "Phone Home" field is "4 days ago". Thats the time when I changed the deployment server configuration in the deploymentclient.conf on the Forwarders.
But I will try to upgrade now one of the 6.2.0 Forwarders to the 7.0.0 version and will see what happens then.
I did an upgrade from 6.2.0 to 7.0.0 on one of the Forwarders who wont communicate with the DS. Since the version was changed the Forwarder communicates with the DS and I'm able to deploy an custom app.
So it looks like the communication between 6.2.0 Forwarders and 7.0.0 DS is not possible/supported.