Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the forwarder to indexer compatibility matrix?

Simeon
Splunk Employee
Splunk Employee
‎04-19-2010 04:31 PM

I have a mixed environment of forwarders and indexers (3.4, 4.0, and 4.1) and I would like to know which versions are supported/compatible with each other. For example, can I run a 3.x forwarder with 4.1 indexer? On the flip side, can I run a 4.1 forwarder with a 4.0 indexer?

Reply
1 Solution
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎04-19-2010 04:35 PM

Splunk indexers are backwards compatible with older versions of the forwarder. However, Splunk forwarders are not backwards compatible with older versions of the indexer. For example, the following environments are supported:

3.4 Splunk Forwarder >> 4.0 Splunk Indexer
4.0 Splunk Forwarder >> 4.1 Splunk Indexer
3.4 Splunk Forwarder >> 4.1 Splunk Indexer

View solution in original post

Reply
Solved! Jump to solution

sberg
Explorer
‎10-30-2012 08:36 AM

So, wait a sec... does a 4.3.3 uni forwarder >> 4.3.2 indexer work?

The 4.3.2 forwarder for windows has a serious bug and I'm trying to figure out if upgrading or downgrading is the best option for the 50+ forwarders I have in use.

The bug... http://splunk-base.splunk.com/answers/47535/wineventlog-on-windows-2008-and-splunk-432-forwarders-sp...

0 Karma
Reply
Solved! Jump to solution

sberg
Explorer
‎10-30-2012 11:09 AM

To answer my own question. Yes.

Installed 4.3.4 universal forwarder (x64 variety on WinServer2008) and all is well reporting to 4.3.2 indexer.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-23-2011 09:17 PM

Forwarders can always send to newer versions of indexers, as indicated in Simeon's answer. In addition, all 4.0, 4.1, and 4.2 forwarders can send to any indexer with version 3.4.14 or higher. Thus, any 4.x forwarder can talk to any 4.x indexer (as well as 3.4.14 indexers).

See: http://www.splunk.com/base/Documentation/5.0/Deploy/Enableareceiver#Compatibility_between_forwarders...

Reply
Solved! Jump to solution

alexander_lucas
Explorer
‎01-10-2012 06:55 PM

what is the updated case for 4.3?

0 Karma
Reply
Solved! Jump to solution

kmjefferson42
Explorer
‎03-20-2018 01:52 PM

Can the latest version of the Universal Forwarder send to older version of Splunk Indexer? Specifically v5.6??
I would not think there would be a problem but need to verify.

Thank you,

0 Karma
Reply
Solved! Jump to solution
Solution

Simeon
Splunk Employee
Splunk Employee
‎04-19-2010 04:35 PM

Splunk indexers are backwards compatible with older versions of the forwarder. However, Splunk forwarders are not backwards compatible with older versions of the indexer. For example, the following environments are supported:

3.4 Splunk Forwarder >> 4.0 Splunk Indexer
4.0 Splunk Forwarder >> 4.1 Splunk Indexer
3.4 Splunk Forwarder >> 4.1 Splunk Indexer
Reply
Solved! Jump to solution

bwooden
Splunk Employee
Splunk Employee
‎10-21-2013 07:54 AM

6.0 update from http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Compatibilitybetweenforwardersandindexers

  • 6.0 forwarders (universal/light/heavy) are backwards compatible down to 4.2+ indexers. For example, a 6.0 forwarder can send data to a 4.2 indexer but not to a 4.1 indexer.
  • 6.0 indexers are backwards compatible with forwarders down to 4.x.

The following 6.0 features are available only if both indexers and forwarders are at version 6.0 or higher:
* Dynamic file headers
* Timezone extraction on the forwarder

0 Karma
Reply
Solved! Jump to solution

Jon_Webster
Splunk Employee
Splunk Employee
‎01-08-2013 10:00 PM

To be clear and make it easy, text below is from gkanapahty's link above:

4.2+/5.0+ forwarders (universal/light/heavy) are backwards compatible down to 4.2+ indexers. For example, a 4.3 forwarder can send data to a 4.2 indexer but not to a 4.1 indexer. 

Pre-4.2 forwarders are backwards compatible down to 4.0 indexers. 

All indexers are backwards compatible with any forwarder and can receive data from any earlier version forwarder. For example, a 4.2 indexer can receive data from a 4.1 forwarder.
0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-23-2011 09:14 PM

This information is no longer valid. The compatibility matrix has been expanded. See http://www.splunk.com/base/Documentation/5.0/Deploy/Enableareceiver#Compatibility_between_forwarders...

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...