Solved: Re: Can I intermix indexer versions when using dis...

Simeon · ‎04-23-2010

I have an installation of Splunk that consists of multiple indexers being searched by a distributed search head. Currently, these are all running 4.0.x and I want to upgrade to 4.1.x for some of the features. Can I run a 4.1.x search head with 4.0.x indexers?

Simeon · ‎04-23-2010

Splunk 4.1.x is capable of distributing searches to 4.0.x indexers. While this is not recommended or supported, you can get some of the 4.1.x features by running the search head on that version. 3.x indexers will not return results to any 4.x search head. Additionally, you cannot search a 4.1.x indexer from a 4.0.x search head.

Functional matrix:

4.1.x ->> 4.0.x
4.0.x ->> 4.0.x(-1)

View solution in original post

jiuan · ‎06-18-2010

I just tried that. My indexers are in 4.0 but my search head is in 4.1. Most of the queries and features work, except one so far. I believe the "join" command failed and didn't return any data. Thus, I rolled my search head back to 4.0 until I upgrade all my indexers to 4.1.

Simeon · ‎04-23-2010

Splunk 4.1.x is capable of distributing searches to 4.0.x indexers. While this is not recommended or supported, you can get some of the 4.1.x features by running the search head on that version. 3.x indexers will not return results to any 4.x search head. Additionally, you cannot search a 4.1.x indexer from a 4.0.x search head.

Functional matrix:

4.1.x ->> 4.0.x
4.0.x ->> 4.0.x(-1)

gkanapathy · ‎04-23-2010

i think you should make a matrix

Can I intermix indexer versions when using distributed search?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases