Splunk Enterprise Security

Does ES3.3 on Search-Head running 6.2.3 and indexers running on 6.2.2 work?

Engager

In a distributed Search environment, is it required to upgrade the Indexers to the latest version of Splunk or can we just upgrade the Search-head and deploy the TA, DA, SA via the deployment server to 6.2.2 Indexers?

0 Karma

SplunkTrust

I think the simple answer is to upgrade your indexers. Upgrading the indexers from 6.2.2 to 6.2.3 wouldn't take a long time nor is it risky. As you're probably aware, best practice is to upgrade indexers before search heads. If you have some dire business requirement not to upgrade the indexers then it would be best to open a support ticket to raise the issue with the folks that would know why 6.2.3 is specifically required for ES 3.3.

0 Karma

Engager

Yes, I do see reference in the documentation. But what would be the impact, if any, of keeping the indexers at 6.2.2 and only upgrading the Search head? Do any of the ES3.3 applications that go on the indexers verify version on restart?

The end goal is to have everything at the latest version.

0 Karma

Splunk Employee

My reading of the system requirements is that ES 3.3 requires Splunk Enterprise 6.2.3 on all search heads and indexers.

Splunk Employee

Your best option is to move to 6.2.3. I suggest looking at the release notes to see what bugs on the indexer tier might affect your deployment. If you don't find anything listed for 6.2.2 that concerns you, you can probably keep your indexers at 6.2.2 until you can upgrade.

That's a big "probably," though...there are a lot of unknowns and here on Answers we don't have very much information to work with.

To answer your last question: no, none of the add-ons that ship with Enterprise Security do anything to check versions.

0 Karma