Installation

Splunk Search Head and Indexer compatibility- Can a 9.0.4 version Search Head talk to 8.2.4 indexer?

neeravmathur
Path Finder

Hi Guys,

We have a distributed environment with Search Heads/Indexers/Deployement server/License Master/Heavy Forwarder etc in our architecture. All servers are on Splunk version 8.2.4
We are thinking to update to 9.0.4- What is the best way of doing this?
I mean can we upgrade Search Head to 9.0.4 and upgrade other servers later?
In other words- Can a 9.0.4 version Search Head talk to 8.2.4 indexer? Could not find a document for SH-IDX compatibility.

Since we have multiple servers, we cannot upgrade all the servers all at once.

Any help would be appreciated.

Labels (2)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

If you have indexer cluster you must update it before search heads. Here https://docs.splunk.com/images/d/d3/Splunk_upgrade_order_of_ops.pdf?_ga=2.64880751.1162868428.168561... is order which you should follow when update distributed environment.

It's not recommended that you keep your cluster master and indexers on different major level that long. Then common understanding is that those could/should be on different level only as short time as possible. Basically this mean time to update all nodes. Of course it depends how big and active environment you have.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

There is a proscribed upgrade order.  Do manager nodes first followed by SHs, indexers, and forwarders. See https://docs.splunk.com/Documentation/Splunk/9.0.4/Installation/UpgradeyourdistributedSplunkEnterpri...

Yes, SHs can be upgraded first (that's the recommendation).  Other servers can be upgraded later.  I suggest the indexers be upgraded "sooner" rather than "later", but the forwarders can wait a long time.

---
If this reply helps you, Karma would be appreciated.
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

here is Splunk's own instructions how you should do upgrade on distributed environment https://lantern.splunk.com/Splunk_Platform/Product_Tips/Upgrades_and_Migration/Upgrading_the_Splunk_.... There are already quite many solved answers in community, which you could found via google search.

r. Ismo

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @neeravmathur,

as described in many pages of Splunk documentation and Community Answers, the path should be:

  • Search Head,
  • Indexers
  • the other Splunk Enterprise roles (Deployement server/License Master/Heavy Forwarder)
  • Universal Forwarders.

Ciao.

Giuseppe

neeravmathur
Path Finder

@gcusello ,

So can we upgrade SH now and then update Indexer (later)-more than a month later

Searches will run fine against 8.2.4 indexers just fine?

 

Thanks,

Neerav

0 Karma

isoutamo
SplunkTrust
SplunkTrust

If you have indexer cluster you must update it before search heads. Here https://docs.splunk.com/images/d/d3/Splunk_upgrade_order_of_ops.pdf?_ga=2.64880751.1162868428.168561... is order which you should follow when update distributed environment.

It's not recommended that you keep your cluster master and indexers on different major level that long. Then common understanding is that those could/should be on different level only as short time as possible. Basically this mean time to update all nodes. Of course it depends how big and active environment you have.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...