Splunk Enterprise

9 Version Heavy Forwarder sending Data to 7 Version Indexer

HB12
Engager

Hi Splunk

We are setting up a Splunk Heavy Forwarder with version 9 for development testing and configuring it to forward data to a Splunk Indexer with version 7. and We are collecting data through the DB Connect App.

We would like to know if there will be any issues with the Heavy Forwarder sending data to the Indexer running version 7.

Of course, it is best to upgrade to the same version, but we would like to first check if there are any issues in this process.

 If you need more information about this Configuration, ask for me anytime.

Labels (1)
0 Karma
1 Solution

deepakc
Builder

Support would be something that comes to mind in this process.

As best practice is to use indexers with versions that are the same or higher than forwarder versions as you stated.

I have found that sometimes you can't always upgrade for whatever reason, and it will work, but then some features become deprecated or updated, and it may stop working or have some breaking changes. So, you take the risk. 

All 7.x Splunk Enterprise are now end of support, so should you encounter problems, you have no support. See below for Splunk End Of Life Support

https://www.splunk.com/en_us/legal/splunk-software-support-policy.html

View solution in original post

glc_slash_it
Path Finder

Having a HF with a higher version than the Indexers is not recommended by Splunk. Obviously you can do it, and if it's just between minor versions you may get away with it, but you will probably encounter problems that may seem "bugs" but are just compatibility problems.

Check the docs:

https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwar...

 

I would suggest install a v7 HF as a quick fix, but then upgrade Indexers asap to current version as they are EOL.

deepakc
Builder

Support would be something that comes to mind in this process.

As best practice is to use indexers with versions that are the same or higher than forwarder versions as you stated.

I have found that sometimes you can't always upgrade for whatever reason, and it will work, but then some features become deprecated or updated, and it may stop working or have some breaking changes. So, you take the risk. 

All 7.x Splunk Enterprise are now end of support, so should you encounter problems, you have no support. See below for Splunk End Of Life Support

https://www.splunk.com/en_us/legal/splunk-software-support-policy.html

Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...