Solved: Re: Splunk Search Head and Indexer compatibility

neeravmathur · ‎06-01-2023

Hi Guys,

We have a distributed environment with Search Heads/Indexers/Deployement server/License Master/Heavy Forwarder etc in our architecture. All servers are on Splunk version 8.2.4
We are thinking to update to 9.0.4- What is the best way of doing this?
I mean can we upgrade Search Head to 9.0.4 and upgrade other servers later?
In other words- Can a 9.0.4 version Search Head talk to 8.2.4 indexer? Could not find a document for SH-IDX compatibility.

Since we have multiple servers, we cannot upgrade all the servers all at once.

Any help would be appreciated.

isoutamo · ‎06-01-2023

If you have indexer cluster you must update it before search heads. Here https://docs.splunk.com/images/d/d3/Splunk_upgrade_order_of_ops.pdf?_ga=2.64880751.1162868428.168561... is order which you should follow when update distributed environment.

It's not recommended that you keep your cluster master and indexers on different major level that long. Then common understanding is that those could/should be on different level only as short time as possible. Basically this mean time to update all nodes. Of course it depends how big and active environment you have.

View solution in original post

richgalloway · ‎06-01-2023

There is a proscribed upgrade order. Do manager nodes first followed by SHs, indexers, and forwarders. See https://docs.splunk.com/Documentation/Splunk/9.0.4/Installation/UpgradeyourdistributedSplunkEnterpri...

Yes, SHs can be upgraded first (that's the recommendation). Other servers can be upgraded later. I suggest the indexers be upgraded "sooner" rather than "later", but the forwarders can wait a long time.

---
If this reply helps you, Karma would be appreciated.

isoutamo · ‎06-01-2023

Hi

here is Splunk's own instructions how you should do upgrade on distributed environment https://lantern.splunk.com/Splunk_Platform/Product_Tips/Upgrades_and_Migration/Upgrading_the_Splunk_.... There are already quite many solved answers in community, which you could found via google search.

r. Ismo

gcusello · ‎06-01-2023

Hi @neeravmathur,

as described in many pages of Splunk documentation and Community Answers, the path should be:

Search Head,
Indexers
the other Splunk Enterprise roles (Deployement server/License Master/Heavy Forwarder)
Universal Forwarders.

Ciao.

Giuseppe

neeravmathur · ‎06-01-2023

@gcusello ,

So can we upgrade SH now and then update Indexer (later)-more than a month later

Searches will run fine against 8.2.4 indexers just fine?

Thanks,

Neerav

isoutamo · ‎06-01-2023

If you have indexer cluster you must update it before search heads. Here https://docs.splunk.com/images/d/d3/Splunk_upgrade_order_of_ops.pdf?_ga=2.64880751.1162868428.168561... is order which you should follow when update distributed environment.

It's not recommended that you keep your cluster master and indexers on different major level that long. Then common understanding is that those could/should be on different level only as short time as possible. Basically this mean time to update all nodes. Of course it depends how big and active environment you have.

Splunk Search Head and Indexer compatibility- Can a 9.0.4 version Search Head talk to 8.2.4 indexer?

search head

upgrade

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?