Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I not receiving events from Splunk 7.3.1 UF to Splunk 8.2.1 Indexer?

khin
Explorer
‎06-29-2022 09:40 PM

Hi, I have a mixed version splunk deployment which involves one indexer of 8.2.1 and another of 7.3.1. There are also 3 Heavy Forwarders linked to one another to reach indexers. Here are the versions:

  1. Indexer 01 - 8.2.1
  2. Indexer 02 - 7.3.1.1
  3. 2HFs - 7.3.1.1
  4. 1HF - 8.21.
  5. 1UF - 7.3.1

This is how the data from UF is forwarded to indexers.

UF -> 7.3.1.1 HF -> 7.3.1.1 HF -> Indexer 02, UF-> 7.3.1.1 HF -> 7.3.1.1 HF -> 8.2.1 HF -> Indexer01

Both indexers can receive _internal logs from all UF and HFs, but only Indexer 02 (7.3.1.1) can receive main and other custom indexes.

This is the concern.  I should be able to receive events from 7.3.1 UF in 8.2.1 Indexer according to this . It mentions 7.3.1 and 8.2.1 are compatible but limited support. What does it mean by limited support? 

What I have tested so far is that, fully 7.3.1 environment and fully 8.2.1 environment can receive custom logs from UF, but the mixed one hasn't worked yet. Is there anything I must have missed out?

Thank you and much appreciated!

 

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

khin
Explorer
‎07-07-2022 06:58 PM

This was solved by configuring the outputs.conf properly.

The second 7.3.1.1 HF (outputs.conf)

[tcpout]
defaultGroup = indexer01, indexer02
[tcpout:indexer01]
server=indexer01_IP
[tcpout:indexer02]
server=indexer02_IP

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

khin
Explorer
‎07-07-2022 06:58 PM

This was solved by configuring the outputs.conf properly.

The second 7.3.1.1 HF (outputs.conf)

[tcpout]
defaultGroup = indexer01, indexer02
[tcpout:indexer01]
server=indexer01_IP
[tcpout:indexer02]
server=indexer02_IP

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...