Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Upgrade from splunk 7.0.1 to 8.0.6. with uf from 6.4.10.

YUNHYEONG
Explorer
‎10-25-2020 05:33 PM

hello, splunker

I have question. plz

I upgraded 7.0.1 to 8.0.6 but, my uf is 6.4.10 for win7.

I saw the document late. (8.0 is not support for uf under 7.x).

document: https://docs.splunk.com/Documentation/Splunk/8.0.6/Installation/AboutupgradingREADTHISFIRST

my forwarder os win7. so i can't upgrade to 7.x

however, I using  enterprise 8.0.6 & uf 6.4.10 well. no problem.

Why block Splunk upgrade?

ty all!

Labels (2)
Reply
1 Solution
Solved! Jump to solution
Solution

nwuest
Path Finder
‎10-26-2020 10:01 PM

Hi @YUNHYEONG 

I see you have highlighted a cell (highlighted in red) that shows your current situation with your Splunk Universal Forwarder is 6.4.10 and your Splunk Enterprise Indexer is 8.0.6.

The highlighted cell is blank to which Splunk indicates that those versions are incompatible. However you know that your instance is still running. I'm unsure of what your app is doing so I can't definitively say that is what is enabling your Splunk Universal Forwarder to be able to send data to your Indexer(s).

I can speak to the chart with the reference at the bottom of the table which states:
"The table provides version 6.x compatibility for universal forwarders only. Version 6.x forwarders are compatible with higher versions of indexer, but Splunk will not provide support for version 6.0.x - 6.2.x forwarders. Version 6.3.x - 6.6.x universal forwarders have limited support through June 4, 2021." Your version will have limited support through to June 4, 2021 where I'm sure Splunk will stop supporting that lower version.

Your Splunk environment is working with the versions you have listed, however Splunk does recommend "As a best practice, forwarders should communicate with indexers that are the same or higher version."

Note: At some point in the future, your version of the Splunk Universal Forwarder will stop being able to talk to a Splunk Enterprise Indexer because of the difference with which how those two elements communicate with each other (Most likely an SSL change because of a Splunk 2 Splunk communication error).
So if at all possible be sure to upgrade your OS, which will then allow you to upgrade your Splunk Universal Forwarder.

I do hope this helps!

V/R,
nwuest

View solution in original post

Reply
Solved! Jump to solution

nwuest
Path Finder
‎10-25-2020 11:58 PM

Hi YUNHYEONG,

Splunk like other software companies update their software for various reasons.

Many reasons include:

  • Updates improve stability with the product
  • Updates include the latest security patches
  • Updates include new features/enhancements
  • Updates improve the user interface

I do believe that Microsoft has ended their support for Windows 7 on Jan 14th, 2020.
Using Splunk on a system that is no longer receiving technical assistance and software updates could put you in a precarious situation if something bad were to happen. Not only does this put your system at risk but possibly you and/or your business.

Hopefully you are able to look into updating the software on your universal forwarder (if possible) to help keep yourself/business secure.

I hope this helps answer your question!

V/R,
nwuest

0 Karma
Reply
Solved! Jump to solution

YUNHYEONG
Explorer
‎10-26-2020 07:37 PM

ty so much @nwuest  ^^

current, i using well. uf transmit data to indexer well.

Do you mean that i no longer receiving technical assistance and software updates could put in a precarious situation if something bad were to happen?

then, i fine. i can recover old splunk version whenever .
i backuped my app for 7.0.1

i concerned to uf can not transmit to indexer or worry that not can use new features/enhancements.

Is there any new features/enhancements that I can't use because of low uf?

0 Karma
Reply
Solved! Jump to solution

nwuest
Path Finder
‎10-26-2020 08:39 PM

Hi YUNHYEONG,

For anything Windows 7 related you won't be getting anymore updates, which in turn puts your Splunk instance at risk. Best practice is to update often to help patch security holes, bugs, exploits etc.

This link will show you the forwarder/indexer compatibility. So when you do decide to upgrade, give this page a looksie.
https://docs.splunk.com/Documentation/Forwarder/8.1.0/Forwarder/Compatibilitybetweenforwardersandind... 

If you are using your Splunk Universal Forwarder/ Splunk Enterprise indexer just for your custom app you have then you should be ok since it currently works.

With each new release of a Splunk Universal Forwarder there are new capabilities/additions that ONLY come when you upgrade your Splunk Universal Forwarder and the same goes for Splunk Enterprise.

I would direct you to Splunk for the release notes for each version and known issues that are fixed based on the version.

https://docs.splunk.com/Documentation/Forwarder/8.1.0/Forwarder/Fixedissues

https://docs.splunk.com/Documentation/Forwarder/8.1.0/Forwarder/KnownIssues

Be sure to click on the version in the top right with the differences between each version from your current one until now (if you would like to see what updates are being made)

I do hope this helps!

V/R,

nwuest

Reply
Solved! Jump to solution

YUNHYEONG
Explorer
‎10-26-2020 09:43 PM

thank you. @nwuest 

sry last question.

https://docs.splunk.com/Documentation/Forwarder/8.1.0/Forwarder/Compatibilitybetweenforwardersandind...

my case is blank in this guide. but my log data sending to indexer well. why????

is it ok? because of my custom app?

20201027_134025.png

forwarder : 6.3.x-6.6.x (Limited support)  , indexer : 8.x

======================

my uf : 6.4.10

splunk enterprise : 8.0.6

=======================

Windows upgrade is not possible under the current circumstances.

so i should use 6.4.10 

Thank you for listening to my poor English.

0 Karma
Reply
Solved! Jump to solution
Solution

nwuest
Path Finder
‎10-26-2020 10:01 PM

Hi @YUNHYEONG 

I see you have highlighted a cell (highlighted in red) that shows your current situation with your Splunk Universal Forwarder is 6.4.10 and your Splunk Enterprise Indexer is 8.0.6.

The highlighted cell is blank to which Splunk indicates that those versions are incompatible. However you know that your instance is still running. I'm unsure of what your app is doing so I can't definitively say that is what is enabling your Splunk Universal Forwarder to be able to send data to your Indexer(s).

I can speak to the chart with the reference at the bottom of the table which states:
"The table provides version 6.x compatibility for universal forwarders only. Version 6.x forwarders are compatible with higher versions of indexer, but Splunk will not provide support for version 6.0.x - 6.2.x forwarders. Version 6.3.x - 6.6.x universal forwarders have limited support through June 4, 2021." Your version will have limited support through to June 4, 2021 where I'm sure Splunk will stop supporting that lower version.

Your Splunk environment is working with the versions you have listed, however Splunk does recommend "As a best practice, forwarders should communicate with indexers that are the same or higher version."

Note: At some point in the future, your version of the Splunk Universal Forwarder will stop being able to talk to a Splunk Enterprise Indexer because of the difference with which how those two elements communicate with each other (Most likely an SSL change because of a Splunk 2 Splunk communication error).
So if at all possible be sure to upgrade your OS, which will then allow you to upgrade your Splunk Universal Forwarder.

I do hope this helps!

V/R,
nwuest

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...