I've read all the compatibility matrix docs, but I'm not sure how my situation fits into it. Specifically compatibility when sending data through intermediate Heavy Forwarders.
Here's my current environment, and everything is working fine:
UF's (6.3.x - 7.x) ---> Intermediate HF's (7.3.6) ---> Indexer cluster (7.3.6)
I need to point my HF's at newly built 8.x indexers (not upgrading existing indexers - these are new indexers at a new location). Will I have a problem?
I know that 6.x UFs cant send to 8.x indexers, but am I getting around the problem with a 7.x Intermediate HF? And yes, ideally I would like all UFs to be upgraded, but this situation is temporary.
Yes you will be fine using the 7.3.x intermediate HF's. But remember that you might have to change some SSL related settings on them if you have those 6.x UF's sending events over S2S using SSL see the docs here https://docs.splunk.com/Documentation/Forwarder/7.3.0/Forwarder/Compatibilitybetweenforwardersandind...
Hope that helps ...
View solution in original post