Splunk Enterprise

9 Version Heavy Forwarder sending Data to 7 Version Indexer

HB12
Engager

Hi Splunk

We are setting up a Splunk Heavy Forwarder with version 9 for development testing and configuring it to forward data to a Splunk Indexer with version 7. and We are collecting data through the DB Connect App.

We would like to know if there will be any issues with the Heavy Forwarder sending data to the Indexer running version 7.

Of course, it is best to upgrade to the same version, but we would like to first check if there are any issues in this process.

 If you need more information about this Configuration, ask for me anytime.

Labels (1)
0 Karma
1 Solution

deepakc
Builder

Support would be something that comes to mind in this process.

As best practice is to use indexers with versions that are the same or higher than forwarder versions as you stated.

I have found that sometimes you can't always upgrade for whatever reason, and it will work, but then some features become deprecated or updated, and it may stop working or have some breaking changes. So, you take the risk. 

All 7.x Splunk Enterprise are now end of support, so should you encounter problems, you have no support. See below for Splunk End Of Life Support

https://www.splunk.com/en_us/legal/splunk-software-support-policy.html

View solution in original post

glc_slash_it
Path Finder

Having a HF with a higher version than the Indexers is not recommended by Splunk. Obviously you can do it, and if it's just between minor versions you may get away with it, but you will probably encounter problems that may seem "bugs" but are just compatibility problems.

Check the docs:

https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwar...

 

I would suggest install a v7 HF as a quick fix, but then upgrade Indexers asap to current version as they are EOL.

deepakc
Builder

Support would be something that comes to mind in this process.

As best practice is to use indexers with versions that are the same or higher than forwarder versions as you stated.

I have found that sometimes you can't always upgrade for whatever reason, and it will work, but then some features become deprecated or updated, and it may stop working or have some breaking changes. So, you take the risk. 

All 7.x Splunk Enterprise are now end of support, so should you encounter problems, you have no support. See below for Splunk End Of Life Support

https://www.splunk.com/en_us/legal/splunk-software-support-policy.html

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...