Reporting

Splunk 6 search-head on top of a Splunk 5?

Champion

Hi,

Is it possible to install a net new Splunk 6 search-head, and point it at a Splunk 5 infrastructure (indexers, forwarders...)? I'm interested in getting access to the new reporting capabilities ASAP.

Tags (2)

Champion

Understood. Thanks.

0 Karma

Splunk Employee
Splunk Employee

let's be clear though that there will be plenty of capabilities that simply won't work. for example, you won't be able to accelerate data models. the 5.0 indexers simply won't know how to do that.

Motivator

Congratulations! We chose this question to be answered live on the Splunktalk podcast!

0 Karma

Splunk Employee
Splunk Employee

Yes, this is not a problem. Check the doc link below.

http://docs.splunk.com/Documentation/Splunk/6.0/DistSearch/Versioncompatibility

Splunk Employee
Splunk Employee

One BIG caveat here, though: a Splunk 6 search head will by default ask its distributed search peers to generate a remote timeline. This isn't a problem with 6.x indexers, but 5.x indexers won't know how to generate this and as a result searches might slow down dramatically.

The workaround is to set the following in limits.conf on the search head and restart Splunk:

[search]
remote_timeline_fetchall = false

This can be removed when all indexers are upgraded to 6.x.

Motivator

Hello

Is it absolutely not compatible to use a v6 SH with v5 cluster peers? Anyone tried it?

thanks

0 Karma