Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I not receiving events from Splunk 7.3.1 UF to Splunk 8.2.1 Indexer?

khin
Explorer
‎06-29-2022 09:40 PM

Hi, I have a mixed version splunk deployment which involves one indexer of 8.2.1 and another of 7.3.1. There are also 3 Heavy Forwarders linked to one another to reach indexers. Here are the versions:

  1. Indexer 01 - 8.2.1
  2. Indexer 02 - 7.3.1.1
  3. 2HFs - 7.3.1.1
  4. 1HF - 8.21.
  5. 1UF - 7.3.1

This is how the data from UF is forwarded to indexers.

UF -> 7.3.1.1 HF -> 7.3.1.1 HF -> Indexer 02, UF-> 7.3.1.1 HF -> 7.3.1.1 HF -> 8.2.1 HF -> Indexer01

Both indexers can receive _internal logs from all UF and HFs, but only Indexer 02 (7.3.1.1) can receive main and other custom indexes.

This is the concern.  I should be able to receive events from 7.3.1 UF in 8.2.1 Indexer according to this . It mentions 7.3.1 and 8.2.1 are compatible but limited support. What does it mean by limited support? 

What I have tested so far is that, fully 7.3.1 environment and fully 8.2.1 environment can receive custom logs from UF, but the mixed one hasn't worked yet. Is there anything I must have missed out?

Thank you and much appreciated!

 

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

khin
Explorer
‎07-07-2022 06:58 PM

This was solved by configuring the outputs.conf properly.

The second 7.3.1.1 HF (outputs.conf)

[tcpout]
defaultGroup = indexer01, indexer02
[tcpout:indexer01]
server=indexer01_IP
[tcpout:indexer02]
server=indexer02_IP

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

khin
Explorer
‎07-07-2022 06:58 PM

This was solved by configuring the outputs.conf properly.

The second 7.3.1.1 HF (outputs.conf)

[tcpout]
defaultGroup = indexer01, indexer02
[tcpout:indexer01]
server=indexer01_IP
[tcpout:indexer02]
server=indexer02_IP

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...