Hi guys:
In our current PROD architecture we have various OS flavors of the 4.3.2 Universal forwarders pushing data to ONE 4.3.2 Splunk Indexer
We are anticipating an upgrade to 4.3.3 and I am doing a analysis on pros/cons of the actual upgrade. There are 3 questions to which I am seeking answers to. This is not about the "right" way to do this - but rather evaluating the overall benefit of an update and then implementing that change in line with known best practices :
i) There are several combination of upgrade protocols that can be used.
First of which is to upgrade BOTH the indexer and the forwarders to 4.3.3
**
An alternative** is to upgrade just the indexer to 4.3.3 and keep forwarders at 4.3.2
Would you favor one over the other ?
ii) Considering the second approach described earlier, what problems could one face with having Splunk components that talk to each other every second in a system architecture with different versions (some are 4.3.3 others are 4.3.2 in this case).
I have done some research and my findings there should really NOT be any major issues with this approach. Anybody strongly agree/disagree with that ? The indexer is backward compatible
with the forwarers and this should not be a big deal.
Note that folks who have done something similar for 4.2.X to 4.3.X have not seen any major issues - the findings in this post here more than likely also apply to an upgrade between two versions of 4.3.X
ii) Advantages of upgrading to 4.3.3
What advantages do heavy users of Splunk get in terms of functionality/efficiency for an upgrade from 4.3.2 to 4.3.3 ?
There is very little material out there and I was wondering if there was any empirical evidence/known pros to performing this upgrade.
Thanks
Reading the release notes of 4.3.3 it seems it is just a bug-fix release
http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/4.3.3
If you don't have any of these issues, then there is not much you will gain with upgrade. But it might be a good idea to upgrade your indexers anyway to avoid some of known bugs in future. I wouldn't worry too much about forwarders as there wasn't (m)any forwarder specific fixes included in 4.3.3.
Its exactly the same as you are talking about upgrading to 4.3.3. The only major difference is if you upgraded from 4.2.x to a 4.3.x. Either way an upgrade off 4.3.1 is a good idea
Yep, it's just a longer list of bug fixes you're missing. My understanding is x.y.z -releases have only bug fixes. New features are introduced in x.y -releases.
Hi guys:
If we were to consider between 4.3.1 and 4.3.3 - is it still pretty much the same picture when we compare 4.3.2 and 4.3.3 ?
Yeah, this is a very high level analysis of a fairly small maintenance release. I wouldn't panic too much if the bugs in the fix list don't affect you 🙂 4.3.2 on the other hand 4.3.2/1 had some fairly important bug fixes and hopefully no one is still on 4.3.