Getting Data In

Upgrading Universal Forwarder from 5.0.2 to 6.5.4


Hello Splunk Experts,

Recently, I've been tasked to upgrade a distributed Splunk environment with the condition as follows:

  • Search Head & Indexer version: 6.1.3
  • Universal Forwarder version: 5.0.2

There are 2 things in which I need confirmation of:

  1. Is it possible to perform upgrade directly from 5.0.2 to 6.5.4 for UF?
  2. Could I upgrade UF first before upgrading SH and then IDX?

Thank you and please advise.

0 Karma

Ultra Champion

hello there,
question 1
per this doc:
which leads you to this doc:
upgrading from version 5.0 to 6.x is not supported.
it also says to upgrade to 6.3 first and then move on to desired version.
question 2
upgrade the Search Head first then the indexer and lastly the forwarders
hope it helps


Hello adonio,

Thank you for the documentation. I read the doc and I found another link about upgrading there:

That doc also mentions about upgrade path, but it seems that you can directly upgrade UF from 5.x to 6.x (in my case to 6.5.4). Now I'm confused on what to follow. Is it possible that upgrading to 6.3 first only mandatory for Splunk Enterprise?

0 Karma

Ultra Champion

i guess you can go either way as its not supported.
better try to go to 6.3 first

0 Karma


All right. Thank you for your insight.
I guess I will try to request a development environment to test things out.

0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...