hello, splunker
I have question. plz
I upgraded 7.0.1 to 8.0.6 but, my uf is 6.4.10 for win7.
I saw the document late. (8.0 is not support for uf under 7.x).
document: https://docs.splunk.com/Documentation/Splunk/8.0.6/Installation/AboutupgradingREADTHISFIRST
my forwarder os win7. so i can't upgrade to 7.x
however, I using enterprise 8.0.6 & uf 6.4.10 well. no problem.
Why block Splunk upgrade?
ty all!
Hi @YUNHYEONG
I see you have highlighted a cell (highlighted in red) that shows your current situation with your Splunk Universal Forwarder is 6.4.10 and your Splunk Enterprise Indexer is 8.0.6.
The highlighted cell is blank to which Splunk indicates that those versions are incompatible. However you know that your instance is still running. I'm unsure of what your app is doing so I can't definitively say that is what is enabling your Splunk Universal Forwarder to be able to send data to your Indexer(s).
I can speak to the chart with the reference at the bottom of the table which states:
"The table provides version 6.x compatibility for universal forwarders only. Version 6.x forwarders are compatible with higher versions of indexer, but Splunk will not provide support for version 6.0.x - 6.2.x forwarders. Version 6.3.x - 6.6.x universal forwarders have limited support through June 4, 2021." Your version will have limited support through to June 4, 2021 where I'm sure Splunk will stop supporting that lower version.
Your Splunk environment is working with the versions you have listed, however Splunk does recommend "As a best practice, forwarders should communicate with indexers that are the same or higher version."
Note: At some point in the future, your version of the Splunk Universal Forwarder will stop being able to talk to a Splunk Enterprise Indexer because of the difference with which how those two elements communicate with each other (Most likely an SSL change because of a Splunk 2 Splunk communication error).
So if at all possible be sure to upgrade your OS, which will then allow you to upgrade your Splunk Universal Forwarder.
I do hope this helps!
V/R,
nwuest
Hi YUNHYEONG,
Splunk like other software companies update their software for various reasons.
Many reasons include:
I do believe that Microsoft has ended their support for Windows 7 on Jan 14th, 2020.
Using Splunk on a system that is no longer receiving technical assistance and software updates could put you in a precarious situation if something bad were to happen. Not only does this put your system at risk but possibly you and/or your business.
Hopefully you are able to look into updating the software on your universal forwarder (if possible) to help keep yourself/business secure.
I hope this helps answer your question!
V/R,
nwuest
ty so much @nwuest ^^
current, i using well. uf transmit data to indexer well.
Do you mean that i no longer receiving technical assistance and software updates could put in a precarious situation if something bad were to happen?
then, i fine. i can recover old splunk version whenever .
i backuped my app for 7.0.1
i concerned to uf can not transmit to indexer or worry that not can use new features/enhancements.
Is there any new features/enhancements that I can't use because of low uf?
Hi YUNHYEONG,
For anything Windows 7 related you won't be getting anymore updates, which in turn puts your Splunk instance at risk. Best practice is to update often to help patch security holes, bugs, exploits etc.
This link will show you the forwarder/indexer compatibility. So when you do decide to upgrade, give this page a looksie.
https://docs.splunk.com/Documentation/Forwarder/8.1.0/Forwarder/Compatibilitybetweenforwardersandind...
If you are using your Splunk Universal Forwarder/ Splunk Enterprise indexer just for your custom app you have then you should be ok since it currently works.
With each new release of a Splunk Universal Forwarder there are new capabilities/additions that ONLY come when you upgrade your Splunk Universal Forwarder and the same goes for Splunk Enterprise.
I would direct you to Splunk for the release notes for each version and known issues that are fixed based on the version.
https://docs.splunk.com/Documentation/Forwarder/8.1.0/Forwarder/Fixedissues
https://docs.splunk.com/Documentation/Forwarder/8.1.0/Forwarder/KnownIssues
Be sure to click on the version in the top right with the differences between each version from your current one until now (if you would like to see what updates are being made)
I do hope this helps!
V/R,
nwuest
thank you. @nwuest
sry last question.
my case is blank in this guide. but my log data sending to indexer well. why????
is it ok? because of my custom app?
forwarder : 6.3.x-6.6.x (Limited support) , indexer : 8.x
======================
my uf : 6.4.10
splunk enterprise : 8.0.6
=======================
Windows upgrade is not possible under the current circumstances.
so i should use 6.4.10
Thank you for listening to my poor English.
Hi @YUNHYEONG
I see you have highlighted a cell (highlighted in red) that shows your current situation with your Splunk Universal Forwarder is 6.4.10 and your Splunk Enterprise Indexer is 8.0.6.
The highlighted cell is blank to which Splunk indicates that those versions are incompatible. However you know that your instance is still running. I'm unsure of what your app is doing so I can't definitively say that is what is enabling your Splunk Universal Forwarder to be able to send data to your Indexer(s).
I can speak to the chart with the reference at the bottom of the table which states:
"The table provides version 6.x compatibility for universal forwarders only. Version 6.x forwarders are compatible with higher versions of indexer, but Splunk will not provide support for version 6.0.x - 6.2.x forwarders. Version 6.3.x - 6.6.x universal forwarders have limited support through June 4, 2021." Your version will have limited support through to June 4, 2021 where I'm sure Splunk will stop supporting that lower version.
Your Splunk environment is working with the versions you have listed, however Splunk does recommend "As a best practice, forwarders should communicate with indexers that are the same or higher version."
Note: At some point in the future, your version of the Splunk Universal Forwarder will stop being able to talk to a Splunk Enterprise Indexer because of the difference with which how those two elements communicate with each other (Most likely an SSL change because of a Splunk 2 Splunk communication error).
So if at all possible be sure to upgrade your OS, which will then allow you to upgrade your Splunk Universal Forwarder.
I do hope this helps!
V/R,
nwuest