Splunk Enterprise

9 Version Heavy Forwarder sending Data to 7 Version Indexer

HB12
Engager

Hi Splunk

We are setting up a Splunk Heavy Forwarder with version 9 for development testing and configuring it to forward data to a Splunk Indexer with version 7, and we are collecting data through the DB Connect App.

We would like to know if there will be any issues with the Heavy Forwarder sending data to the Indexer running version 7.

Of course, it is best to upgrade to the same version, but we would like to first check if there are any issues in this process.

If you need more information about this configuration, ask me anytime.

1 Solution

deepakc
Builder

Support would be something that comes to mind in this process.

Best practice is to use indexers with versions that are the same as or higher than forwarder versions, as you stated.

I have found that sometimes you can't always upgrade for whatever reason, and it will work, but then some features become deprecated or updated, and it may stop working or have some breaking changes. So, you take the risk. 

All 7.x Splunk Enterprise versions are now end of support, so should you encounter problems, you have no support. See below for Splunk End Of Life Support:

https://www.splunk.com/en_us/legal/splunk-software-support-policy.html


glc_slash_it
Path Finder

Having a HF with a higher version than the Indexers is not recommended by Splunk. Obviously you can do it, and if it's just between minor versions you may get away with it, but you will probably encounter problems that may seem like "bugs" but are just compatibility problems.

Check the docs:

https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwar...

 

I would suggest installing a v7 HF as a quick fix, but then upgrade the Indexers ASAP to the current version, as they are EOL.
