Splunk Enterprise / Universal Forwarder version co...

fxyfrank_acn · ‎07-30-2019

Hi There,

I am planning to upgrade my Splunk Enterprise (currently 6.5.5) and Universal Forwarders (currently 6.3.3) to 7.3.0.

Is Splunk Enterprise 7.3.0 compatible with Universal Forwarder 6.3.3 and and vice versa?

Asking this because there might be a short period of time when some of my Splunk components are still using older version while some of them have already upgraded to the latest.

Thank you!

esix_splunk · ‎07-31-2019

6.3.X can send to 7.3.x without any problems, both UF and HF. Just be aware of the cipher changes that are documented, even though they don't apply as long as your indexers are 7.x+.

KailA · ‎07-30-2019

Hi !

I think this doc will tell you what you want to know : https://docs.splunk.com/Documentation/Forwarder/7.3.0/Forwarder/Compatibilitybetweenforwardersandind...

From what I read, it should be good for you, you just can't send metrics 🙂

fxyfrank_acn · ‎07-30-2019

Does this compatibility matrix also apply to Universal Forwarders and Heavy Forwarders? Since I'm currently using HF as the deployment server communicating with UFs. Thanks!

KailA · ‎07-31-2019

I'm not 100% sure, but for me, your Heavy Forwarder should be consider more like an indexer than a forwarder, you should upgrade it in the same time that you upgrade your Splunk Enterprise to avoid any problems.

Splunk Enterprise / Universal Forwarder version compatibility

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control