Actually You cannot update it directly from old to new unless it match those restrictions which are defined for for splunk servers too! Usually this means that you can jump over one version like 7.3.x -> 8.1.x -> 9.0.x -> 9.2.x -> 9.4.x. Also you must start UF on each steps for updating e.g. fishbucket DB and other things which has changed between versions and need some internal updates.

Of course you could remove old UF installation and install the newest versions from scratch into it. But then you need remember that this means:

• You lost your UF's GUID => you will get a new UF into sever point of view. Of course you can use same GUIF in .../etc/instance.cfg and keep old UF information in sever side
• splunk.secret will change which means that if you have any secrets/passwords in your old configurations and you try to use those you need to use plain versions and give UF crypt those again
• You lost information where your inputs are as you lost fishbucketdb which keep track of those => are are reingesting all files again which you have in this node

 Maybe something else which I forgot?

I know that updating from some version to another version could work without issues, but not for all. And those issues could arise later on, not immediately after you start a new version.

I also strongly recommend you to use OS's native sw packages instead of use tar versions. With this way it's much easier manage your OS level information as you could trust your package management sw information.

Hi @isoutamo 

I'm a little confused here as I was under the impression UFs were pretty stateless. They dont have Python, KVStore and do not locally index data? Compared to HF or other full Splunk Enterprise instances which definitely need to be updated to specific versions incrementally.

I've updated countless UFs From 7->9 without issue but happy to update my previous post if needed. 

Looking at the remote UF updater (https://docs.splunk.com/Documentation/Forwarder/1.0.0/ForwarderRemoteUpgradeLinux/Supporteduniversal...) This supports a minimum version 8.0.0 and upgrades directly to 9.x so I am content that this is feasible.

I know that for non-UF hosts there is a pretty strict upgrade path,  

Actually they said "it could update from 8.0 to 9.0+" but it didn't said "it could upgrade directly from 8.0 to 9.0+". And in https://docs.splunk.com/Documentation/Forwarder/1.0.0/ForwarderRemoteUpgradeLinux/Architecture they said "... validates the universal forwarder migration path from the current version to the destination version."

UF contains splunk some dbs (e.g. fishbucket in /opt/splunkforwarder/var/lib/splunk/). Time by time they change somehow (I don't know exactly how) the internals of db structure. Those changes must apply into those DBs when you are upgrading UFs. As I said there could be some cases where this is needed but I'm quite sure that updating from 7.3 -> 9.4 is not belonging to that sets.

Ah yes okay @isoutamo - That is a fair point. Whilst I've had success with this previously, there is no guarantee it will go the same way for @AviSharma8 ! 

The Remote updated app simply has the following check target_major_version <= current_major_version+1 and when I ran it was happy to do 8.0 -> 9.4!

Nevertheless, I will update my original post and point at the official stance on this. According to the 8.2 docs its possible to upgrade a UF from 7.3->8.2 (Upgrading a universal forwarder directly to version 8.2 is supported from versions 7.3.x, 8.0.x, and...) and 9.4 supports an upgrade from 8.2 (Splunk supports a direct upgrade of a universal forwarder to version 9.4 from versions 8.2.x and hig...)

In the meantime - Its also worth mentioning that Splunk Enterprise version 9.0 and higher requires Linux kernel version 3.x or higher and has an updated OS support list -  Check supported OS at https://docs.splunk.com/Documentation/Splunk/9.4.1/Installation/Systemrequirements

🌟 Did this answer help you? If so, please consider:

• Adding kudos to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

Earlier there was also restrictions that upside versions must be higher than downside, but this has removed on 9.x. This means that UF's versions cannot be higher than HF/Indexers and also HF's cannot be higher versions than Indexers.

I suppose that this was some kind of warranty for splunk to avoid some weird issues. I know that in many times those versions works w/o issues even UF has higher versions than IDXs have.