Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

9 Version Heavy Forwarder sending Data to 7 Version Indexer

HB12
Engager
‎06-16-2024 08:54 PM

Hi Splunk

We are setting up a Splunk Heavy Forwarder with version 9 for development testing and configuring it to forward data to a Splunk Indexer with version 7. and We are collecting data through the DB Connect App.

We would like to know if there will be any issues with the Heavy Forwarder sending data to the Indexer running version 7.

Of course, it is best to upgrade to the same version, but we would like to first check if there are any issues in this process.

 If you need more information about this Configuration, ask for me anytime.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

deepakc
Builder
‎06-17-2024 12:25 AM

Support would be something that comes to mind in this process.

As best practice is to use indexers with versions that are the same or higher than forwarder versions as you stated.

I have found that sometimes you can't always upgrade for whatever reason, and it will work, but then some features become deprecated or updated, and it may stop working or have some breaking changes. So, you take the risk. 

All 7.x Splunk Enterprise are now end of support, so should you encounter problems, you have no support. See below for Splunk End Of Life Support

https://www.splunk.com/en_us/legal/splunk-software-support-policy.html

View solution in original post

Reply
Solved! Jump to solution

glc_slash_it
Path Finder
‎06-17-2024 12:27 AM

Having a HF with a higher version than the Indexers is not recommended by Splunk. Obviously you can do it, and if it's just between minor versions you may get away with it, but you will probably encounter problems that may seem "bugs" but are just compatibility problems.

Check the docs:

https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwar...

 

I would suggest install a v7 HF as a quick fix, but then upgrade Indexers asap to current version as they are EOL.

Reply
Solved! Jump to solution
Solution

deepakc
Builder
‎06-17-2024 12:25 AM

Support would be something that comes to mind in this process.

As best practice is to use indexers with versions that are the same or higher than forwarder versions as you stated.

I have found that sometimes you can't always upgrade for whatever reason, and it will work, but then some features become deprecated or updated, and it may stop working or have some breaking changes. So, you take the risk. 

All 7.x Splunk Enterprise are now end of support, so should you encounter problems, you have no support. See below for Splunk End Of Life Support

https://www.splunk.com/en_us/legal/splunk-software-support-policy.html

Reply
Get Updates on the Splunk Community!

Meet Duke Cyberwalker | A hero’s journey with Splunk

We like to say, the lightsaber is to Luke as Splunk is to Duke. Curious yet? Then read Eric Fusilero’s latest ...

The Future of Splunk Search is Here - See What’s New!

We’re excited to introduce two powerful new search features, now generally available for Splunk Cloud Platform ...

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...