Solved: What is the compatibility of versions when using d...

Simeon · ‎09-01-2010

I have multiple indexers on various versions of Splunk and want to know if I can intermix the versions. Is there a compatibility matrix for distributed searching?

Simeon · ‎09-01-2010

Distributed searching between Splunk instances on different major releases is not supported. For example, the following combinations will not work:

Splunk 3.4 >> Splunk 4.1
Splunk 3.4 >> Splunk 4.0
Splunk 4.0 >> Splunk 4.1
Splunk 4.0 >> Splunk 3.4

However, you can perform basic search functionality from a Splunk 4.1.x search head to a Splunk 4.0.x search peer. Real-time searches will not work in this configuration. Additionally, this is not a recommended or supported architecture.

View solution in original post

Simeon · ‎09-01-2010

Distributed searching between Splunk instances on different major releases is not supported. For example, the following combinations will not work:

Splunk 3.4 >> Splunk 4.1
Splunk 3.4 >> Splunk 4.0
Splunk 4.0 >> Splunk 4.1
Splunk 4.0 >> Splunk 3.4

However, you can perform basic search functionality from a Splunk 4.1.x search head to a Splunk 4.0.x search peer. Real-time searches will not work in this configuration. Additionally, this is not a recommended or supported architecture.

Simeon · ‎01-23-2012

Splunk 4.3 >> 4.2 with limited functionality

Simeon · ‎05-17-2011

I believe 4.1.x and 4.2.x can search peer between eachother, with limited functionality.

Splunk 4.1 >> 4.2

Splunk 4.2 >> 4.1

What is the compatibility of versions when using distributed search?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?