Splunk Enterprise

Can the Universal Forwarder (UF) have a higher version than the Heavy Forwarder (HF) and Indexer (IDX)? Will this cause

Polarbear
Engager
Can the Universal Forwarder (UF) have a higher version than the Heavy Forwarder (HF) and Indexer (IDX)? Will this cause any impact?

The reason is that HF and IDX cannot upgrade their OS to meet the prerequisites for version 9.1.4, which requires Windows 2019. Can I proceed with the UF upgrade first?

UF = 9.1.4
HF = 9.1.2
IDX = 9.1.2

Labels (1)
0 Karma

tej57
Contributor

Hello @Polarbear,

That shouldn't be the case ideally. It can cause communication break. To avoid this kind of situation, Splunk supports backward compatibility. But that generally happens from higher tier node to lower tier node. You can also check the following document to understand the order of upgrade between Splunk components. If the search head node is on higher splunk version than the indexer peers, then that can work. However, the vice versa may not hold true. 

Order of Upgrade - splunk_upgrade_order_of_ops.graffle 

Thanks,
Tejas.

 

---

If the above solution helps, an upvote is appreciated.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...