Installation

Splunk Search Head and Indexer compatibility- Can a 9.0.4 version Search Head talk to 8.2.4 indexer?

neeravmathur
Path Finder

Hi Guys,

We have a distributed environment with Search Heads/Indexers/Deployement server/License Master/Heavy Forwarder etc in our architecture. All servers are on Splunk version 8.2.4
We are thinking to update to 9.0.4- What is the best way of doing this?
I mean can we upgrade Search Head to 9.0.4 and upgrade other servers later?
In other words- Can a 9.0.4 version Search Head talk to 8.2.4 indexer? Could not find a document for SH-IDX compatibility.

Since we have multiple servers, we cannot upgrade all the servers all at once.

Any help would be appreciated.

Labels (2)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

If you have indexer cluster you must update it before search heads. Here https://docs.splunk.com/images/d/d3/Splunk_upgrade_order_of_ops.pdf?_ga=2.64880751.1162868428.168561... is order which you should follow when update distributed environment.

It's not recommended that you keep your cluster master and indexers on different major level that long. Then common understanding is that those could/should be on different level only as short time as possible. Basically this mean time to update all nodes. Of course it depends how big and active environment you have.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

There is a proscribed upgrade order.  Do manager nodes first followed by SHs, indexers, and forwarders. See https://docs.splunk.com/Documentation/Splunk/9.0.4/Installation/UpgradeyourdistributedSplunkEnterpri...

Yes, SHs can be upgraded first (that's the recommendation).  Other servers can be upgraded later.  I suggest the indexers be upgraded "sooner" rather than "later", but the forwarders can wait a long time.

---
If this reply helps you, Karma would be appreciated.
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

here is Splunk's own instructions how you should do upgrade on distributed environment https://lantern.splunk.com/Splunk_Platform/Product_Tips/Upgrades_and_Migration/Upgrading_the_Splunk_.... There are already quite many solved answers in community, which you could found via google search.

r. Ismo

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @neeravmathur,

as described in many pages of Splunk documentation and Community Answers, the path should be:

  • Search Head,
  • Indexers
  • the other Splunk Enterprise roles (Deployement server/License Master/Heavy Forwarder)
  • Universal Forwarders.

Ciao.

Giuseppe

neeravmathur
Path Finder

@gcusello ,

So can we upgrade SH now and then update Indexer (later)-more than a month later

Searches will run fine against 8.2.4 indexers just fine?

 

Thanks,

Neerav

0 Karma

isoutamo
SplunkTrust
SplunkTrust

If you have indexer cluster you must update it before search heads. Here https://docs.splunk.com/images/d/d3/Splunk_upgrade_order_of_ops.pdf?_ga=2.64880751.1162868428.168561... is order which you should follow when update distributed environment.

It's not recommended that you keep your cluster master and indexers on different major level that long. Then common understanding is that those could/should be on different level only as short time as possible. Basically this mean time to update all nodes. Of course it depends how big and active environment you have.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...