Installation

Is my Splunk 4.1 Indexer fully backwards compatable with older forwarders?

kbecker
Communicator

Is Splunk 4.1 (indexer & search) still compatible with 3.4.11 forwarders? Is so are there any features in 4.1 that would not function when using the 3.4.11 forwarders, such as Real-Time search or Live Dashboards?

  • Indexer - 4.09 (looking to upgrade to 4.1)
  • Search - 4.09 (looking to upgrade to 4.1)
  • Deployment - 3.4.11
  • Forwarder - 3.4.11 (lightweight)

Thanks

Tags (1)
2 Solutions

gkanapathy
Splunk Employee
Splunk Employee

Yes, Splunk 3.4 will forward fine to 4.1 and this is a supported configuration.

All indexer functionality and search functionality will work identically and the indexer is indifferent to the version of the forwarder, although I am not certain if 3.4.11 Light Forwarders can do autoLB (to distribute data across multiple indexer nodes). There may be some issues regarding proper detection of multi-byte character sets with older forwarder versions that may require different configurations on indexer, forwarder, or both.

3.4 clients are not compatible or manageable with 4.x Deployment Server.

View solution in original post

jrodman
Splunk Employee
Splunk Employee

The short version is 3.4.x forwarders should work just as well with 4.1.x as they did with 4.0.x. If you are upgrading indexers or other central service nodes (deployment server, search head, etc) from 3.x, please read http://www.splunk.com/base/Documentation/4.0.10/Installation/Whattoexpectwhenupgradingto4.0 and http://docs.splunk.com/Documentation/Splunk/4.1/Installation/Aboutupgradingto4.1READTHISFIRST

If you are upgrading your central nodes from 4.0.x to 4.1.x, there should be no changes in interoperation between forwarders and those central nodes.

Real-time search is implemented wholly on the indexing (and search head and UI) side. The forwarder is not involved.

View solution in original post

jrodman
Splunk Employee
Splunk Employee

The short version is 3.4.x forwarders should work just as well with 4.1.x as they did with 4.0.x. If you are upgrading indexers or other central service nodes (deployment server, search head, etc) from 3.x, please read http://www.splunk.com/base/Documentation/4.0.10/Installation/Whattoexpectwhenupgradingto4.0 and http://docs.splunk.com/Documentation/Splunk/4.1/Installation/Aboutupgradingto4.1READTHISFIRST

If you are upgrading your central nodes from 4.0.x to 4.1.x, there should be no changes in interoperation between forwarders and those central nodes.

Real-time search is implemented wholly on the indexing (and search head and UI) side. The forwarder is not involved.

gkanapathy
Splunk Employee
Splunk Employee

Yes, Splunk 3.4 will forward fine to 4.1 and this is a supported configuration.

All indexer functionality and search functionality will work identically and the indexer is indifferent to the version of the forwarder, although I am not certain if 3.4.11 Light Forwarders can do autoLB (to distribute data across multiple indexer nodes). There may be some issues regarding proper detection of multi-byte character sets with older forwarder versions that may require different configurations on indexer, forwarder, or both.

3.4 clients are not compatible or manageable with 4.x Deployment Server.

jrodman
Splunk Employee
Splunk Employee

AutoLB functionality was introduced in 4.0, so indeed 3.4.x will not have that functionality.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...