Hello @livehybrid 

I’m sincerely grateful for your response. Your links were very helpful — I was able to locate all the versions I needed for my test environment. Thank you.

May I ask—in your experience, have there been situations where a Heavy Forwarder (HF) was running a significantly higher version than the indexers?

Specifically, I plan to run my HF on at least version 9.2, up to 9.4. However, I’m not sure how well that will work with my indexers on version 8.2.12. My HF is used only for HEC (HTTP Event Collector).

Hi @igor5212 

Ive generally not found any issues with HFs running a higher version of Splunk compared with the indexers. There is a good compatibility table at https://help.splunk.com/en/splunk-enterprise/release-notes-and-updates/compatibility-matrix/splunk-p... which lists the officially supported combinations of HF->IDX versions

Which versions are your HF and IDX running?

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

I think the in most cases there are no real issues with different versions as long as there is no too big cap with versions. And as/if you are using only HEC to sending events from HF->IDX then it shouldn't be issue. But if you are using also s2s then there could be some challenges. And at least MC gives you a warnings if HFs are added there and those are newer than MC itself.

If you will need help from Splunk Support then this could be issue as that combination is not officially supported. 

Anyhow you should update at least 9.2.x or 9.3. asap. Here is link to support times for Splunk core https://www.splunk.com/en_us/legal/splunk-software-support-policy.html#core

With earlier versions the rule was that indexers must be the newest versions. HFs and UFs which were connected can be lower. And same for UF vs HF. This has been changed with 9.x (maybe x was 3 or 2, I cannot remember exact version). After your indexers and cm are that level HFs and UFs can be newer than indexers and CM and other splunk servers. 
So in your situation when you have 8.x.x all HFs and UFs should be max same version than those servers are. 
Anyhow those versions are already out of support, so you should upgrade those as soon as possible to supported version. Probably 9.4.4 is currently best option. Don’t go to 10.0.0 as it’s too new for production use!

This is incorrect information. You cannot update directly from 8.1.x to 9.4.x. You must do it as @livehybrid told. This rule is also defined on splunk docs. Also you must start your splunk service after each step or otherwise it didn't do needed conversions between old to new version!

Hi @thahir 

This information is incorrect, also this isnt two minor/patch versions, its a major version (8->9).

Interestingly if you ask several AI models the same question it also says that its supported (and sometimes links to the upgrade page that says it isnt!) - Im not saying your response was from an AI response as such, but its easy for mis-information to spread as truth which is why I'm pointing this out.

For clarity - the supported upgrade path should be 8.1.14 -> 9.0.9 -> 9.2.8 -> 9.4.x.

See https://docs.splunk.com/Documentation/Splunk/9.4.2/Installation/HowtoupgradeSplunk and https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/9.2/upgrade-or-migrate-... 

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing