Solved: Is my Splunk 4.1 Indexer fully backwards compatab...

kbecker · ‎04-14-2010

Is Splunk 4.1 (indexer & search) still compatible with 3.4.11 forwarders? Is so are there any features in 4.1 that would not function when using the 3.4.11 forwarders, such as Real-Time search or Live Dashboards?

Indexer - 4.09 (looking to upgrade to 4.1)
Search - 4.09 (looking to upgrade to 4.1)
Deployment - 3.4.11
Forwarder - 3.4.11 (lightweight)

Thanks

gkanapathy · ‎04-14-2010

Yes, Splunk 3.4 will forward fine to 4.1 and this is a supported configuration.

All indexer functionality and search functionality will work identically and the indexer is indifferent to the version of the forwarder, although I am not certain if 3.4.11 Light Forwarders can do autoLB (to distribute data across multiple indexer nodes). There may be some issues regarding proper detection of multi-byte character sets with older forwarder versions that may require different configurations on indexer, forwarder, or both.

3.4 clients are not compatible or manageable with 4.x Deployment Server.

View solution in original post

jrodman · ‎04-14-2010

The short version is 3.4.x forwarders should work just as well with 4.1.x as they did with 4.0.x. If you are upgrading indexers or other central service nodes (deployment server, search head, etc) from 3.x, please read http://www.splunk.com/base/Documentation/4.0.10/Installation/Whattoexpectwhenupgradingto4.0 and http://docs.splunk.com/Documentation/Splunk/4.1/Installation/Aboutupgradingto4.1READTHISFIRST

If you are upgrading your central nodes from 4.0.x to 4.1.x, there should be no changes in interoperation between forwarders and those central nodes.

Real-time search is implemented wholly on the indexing (and search head and UI) side. The forwarder is not involved.

View solution in original post

jrodman · ‎04-14-2010

The short version is 3.4.x forwarders should work just as well with 4.1.x as they did with 4.0.x. If you are upgrading indexers or other central service nodes (deployment server, search head, etc) from 3.x, please read http://www.splunk.com/base/Documentation/4.0.10/Installation/Whattoexpectwhenupgradingto4.0 and http://docs.splunk.com/Documentation/Splunk/4.1/Installation/Aboutupgradingto4.1READTHISFIRST

If you are upgrading your central nodes from 4.0.x to 4.1.x, there should be no changes in interoperation between forwarders and those central nodes.

Real-time search is implemented wholly on the indexing (and search head and UI) side. The forwarder is not involved.

gkanapathy · ‎04-14-2010

Yes, Splunk 3.4 will forward fine to 4.1 and this is a supported configuration.

All indexer functionality and search functionality will work identically and the indexer is indifferent to the version of the forwarder, although I am not certain if 3.4.11 Light Forwarders can do autoLB (to distribute data across multiple indexer nodes). There may be some issues regarding proper detection of multi-byte character sets with older forwarder versions that may require different configurations on indexer, forwarder, or both.

3.4 clients are not compatible or manageable with 4.x Deployment Server.

jrodman · ‎04-14-2010

AutoLB functionality was introduced in 4.0, so indeed 3.4.x will not have that functionality.

Is my Splunk 4.1 Indexer fully backwards compatable with older forwarders?

Enterprise Security Content Update (ESCU) | New Releases

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!