Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does order matter when upgrading Search Heads and Indexers?

I_am_Jeff
Communicator
‎10-10-2012 11:45 AM

I have 2 pooled search heads and 6 indexers. Currently all are on version 4.2.3. I'd like to upgrade to 4.3.4. To make the transition more transparent to my users I'd like to upgrade the indexers, then schedule time to upgrade my search heads.

As I said, my search heads are pooled. The upgrade document discussed upgrading the search heads first in this environment. Upgrade a Distributed Environment with Multiple Indexers and Pooled Search Heads If my search heads were not pooled, then the same document recommends upgrading the indexers first.

I understand that pooled search heads have to be running the same version. Can I could upgrade my indexers first? Can older (4.2.3), pooled search heads work with newer (4.3.4) indexers? Am I missing something obvious?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

malmoore
Splunk Employee
Splunk Employee
‎10-10-2012 02:16 PM

Hi I am Jeff,

Unfortunately, the only supported upgrade path for a distributed Splunk environment with pooled search heads is to upgrade those search heads before you upgrade the indexers.

If you review "Cross-version compatibility", you'll see that 4.3.x search heads work with 4.2.x indexers, but with a performance and feature set penalty. We do not recommend running 4.2.x search heads against 4.3.x indexers because of the changes between 4.2 and 4.3.

It's a good idea to speak with someone in Splunk Support for additional guidance on your specific use case.

View solution in original post

Reply
Solved! Jump to solution
Solution

malmoore
Splunk Employee
Splunk Employee
‎10-10-2012 02:16 PM

Hi I am Jeff,

Unfortunately, the only supported upgrade path for a distributed Splunk environment with pooled search heads is to upgrade those search heads before you upgrade the indexers.

If you review "Cross-version compatibility", you'll see that 4.3.x search heads work with 4.2.x indexers, but with a performance and feature set penalty. We do not recommend running 4.2.x search heads against 4.3.x indexers because of the changes between 4.2 and 4.3.

It's a good idea to speak with someone in Splunk Support for additional guidance on your specific use case.

Reply
Solved! Jump to solution

I_am_Jeff
Communicator
‎10-10-2012 02:52 PM

Darn. I was hoping it was just the way the document was written. My indexers probably could handle a 30% CPU hit as they're underworked at present. Upgrading isn't that hard, but it appears pooling throws a monkey wrench into the process.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...