Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Search Head and Indexer compatibility- Can a 9.0.4 version Search Head talk to 8.2.4 indexer?

neeravmathur
Path Finder
‎06-01-2023 05:57 AM

Hi Guys,

We have a distributed environment with Search Heads/Indexers/Deployement server/License Master/Heavy Forwarder etc in our architecture. All servers are on Splunk version 8.2.4
We are thinking to update to 9.0.4- What is the best way of doing this?
I mean can we upgrade Search Head to 9.0.4 and upgrade other servers later?
In other words- Can a 9.0.4 version Search Head talk to 8.2.4 indexer? Could not find a document for SH-IDX compatibility.

Since we have multiple servers, we cannot upgrade all the servers all at once.

Any help would be appreciated.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-01-2023 06:21 AM

If you have indexer cluster you must update it before search heads. Here https://docs.splunk.com/images/d/d3/Splunk_upgrade_order_of_ops.pdf?_ga=2.64880751.1162868428.168561... is order which you should follow when update distributed environment.

It's not recommended that you keep your cluster master and indexers on different major level that long. Then common understanding is that those could/should be on different level only as short time as possible. Basically this mean time to update all nodes. Of course it depends how big and active environment you have.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-01-2023 06:17 AM

There is a proscribed upgrade order.  Do manager nodes first followed by SHs, indexers, and forwarders. See https://docs.splunk.com/Documentation/Splunk/9.0.4/Installation/UpgradeyourdistributedSplunkEnterpri...

Yes, SHs can be upgraded first (that's the recommendation).  Other servers can be upgraded later.  I suggest the indexers be upgraded "sooner" rather than "later", but the forwarders can wait a long time.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-01-2023 06:16 AM

Hi

here is Splunk's own instructions how you should do upgrade on distributed environment https://lantern.splunk.com/Splunk_Platform/Product_Tips/Upgrades_and_Migration/Upgrading_the_Splunk_.... There are already quite many solved answers in community, which you could found via google search.

r. Ismo

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-01-2023 06:11 AM

Hi @neeravmathur,

as described in many pages of Splunk documentation and Community Answers, the path should be:

  • Search Head,
  • Indexers
  • the other Splunk Enterprise roles (Deployement server/License Master/Heavy Forwarder)
  • Universal Forwarders.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

neeravmathur
Path Finder
‎06-01-2023 06:16 AM

@gcusello ,

So can we upgrade SH now and then update Indexer (later)-more than a month later

Searches will run fine against 8.2.4 indexers just fine?

 

Thanks,

Neerav

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-01-2023 06:21 AM

If you have indexer cluster you must update it before search heads. Here https://docs.splunk.com/images/d/d3/Splunk_upgrade_order_of_ops.pdf?_ga=2.64880751.1162868428.168561... is order which you should follow when update distributed environment.

It's not recommended that you keep your cluster master and indexers on different major level that long. Then common understanding is that those could/should be on different level only as short time as possible. Basically this mean time to update all nodes. Of course it depends how big and active environment you have.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...