I am planning to upgrade my Splunk Enterprise (currently 6.5.5) and Universal Forwarders (currently 6.3.3) to 7.3.0.
Is Splunk Enterprise 7.3.0 compatible with Universal Forwarder 6.3.3 and vice versa?
Asking this because there might be a short period of time when some of my Splunk components are still using an older version while some of them have already upgraded to the latest.
6.3.X can send to 7.3.x without any problems, both UF and HF. Just be aware of the cipher changes that are documented, even though they don't apply as long as your indexers are 7.x+.
I think this doc will tell you what you want to know: https://docs.splunk.com/Documentation/Forwarder/7.3.0/Forwarder/Compatibilitybetweenforwardersandind...
From what I read, it should be good for you, you just can't send metrics 🙂
Does this compatibility matrix also apply to Universal Forwarders and Heavy Forwarders? Since I'm currently using HF as the deployment server communicating with UFs. Thanks!
I'm not 100% sure, but for me, your Heavy Forwarder should be considered more like an indexer than a forwarder; you should upgrade it at the same time that you upgrade your Splunk Enterprise to avoid any problems.