Splunk 6 search-head on top of a Splunk 5?

a212830 · ‎10-08-2013

Hi,

Is it possible to install a net new Splunk 6 search-head, and point it at a Splunk 5 infrastructure (indexers, forwarders...)? I'm interested in getting access to the new reporting capabilities ASAP.

a212830 · ‎11-14-2013

Understood. Thanks.

gkanapathy · ‎10-10-2013

let's be clear though that there will be plenty of capabilities that simply won't work. for example, you won't be able to accelerate data models. the 5.0 indexers simply won't know how to do that.

halr9000 · ‎10-10-2013

Congratulations! We chose this question to be answered live on the Splunktalk podcast!

sdaniels · ‎10-08-2013

Yes, this is not a problem. Check the doc link below.

http://docs.splunk.com/Documentation/Splunk/6.0/DistSearch/Versioncompatibility

araitz · ‎10-08-2013

One BIG caveat here, though: a Splunk 6 search head will by default ask its distributed search peers to generate a remote timeline. This isn't a problem with 6.x indexers, but 5.x indexers won't know how to generate this and as a result searches might slow down dramatically.

The workaround is to set the following in limits.conf on the search head and restart Splunk:

[search]
remote_timeline_fetchall = false

This can be removed when all indexers are upgraded to 6.x.

gfuente · ‎05-26-2015

Hello

Is it absolutely not compatible to use a v6 SH with v5 cluster peers? Anyone tried it?

thanks

Splunk 6 search-head on top of a Splunk 5?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases