I have a 3.4.10 on Linux running without any (major) issues. However, whenever I have called Splunk Tech Support for addressing issues, they seem to be more comfortable with assisting with reference to 4.x code versus 3.4.10, and the advice of upgrading from 3.4 to 4.x has been a constant.

After researching the open web and Splunk answers, I note that some folks who had upgraded to 4.x have reported issues such as field extraction, lookup errors, etc.

I am looking for community feedback/first-hand experience in upgrading 3.4.10 to a well-known stable 4.x version on Linux OS.

Thanks, Pradeep

Sure, there are issues, and there always will be with any IT product. For that matter, with anything made by human hands... The question is how big are the issues, in which case I've only seen relatively small ones. Sometimes frustrating, but overall they are small.

To address the two items you brought up: (1) I'm not aware of field extraction issues that were specific to 4.0 or 4.1. (Most extraction issues are really setup problems or unfamiliar limitations which haven't changed since 3.4 anyways.) And (2), you can't run into lookup issues going from 3.4 to 4.0, because lookups are a new feature in 4.0. (You can hit issues going from 4.0 to 4.1, but if you wait to create lookups until you're running 4.1 you can avoid them. Also, the docs have been updated and the upgrade process itself now explains the specific config change that's needed.)

In the end, it all really comes down to the complexity of your existing config. You should definitely read all the upgrade docs, and if possible, clone your existing environment and do a test upgrade on the clone. You can even have your production system forward events to your test 4.x environment so you can access both in parallel until you're comfortable with a production upgrade. That's the approach that we took for upgrading to 4.0 and later to 4.1.

Keep in mind that you will have to upgrade from 3.4 to 4.0, and then 4.0 to 4.1. (Be sure to use the latest release of each: 4.0.11 and 4.1.3 as of right now.)

Read the docs, take the plunge (just do it on a test box first) ... that would be my recommendation.