Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Distributed Search: Why can't I connect a Splunk 6.2 search head to 4.3 indexers?

hartfoml
Motivator
‎12-02-2014 07:13 AM

I created a new development search head from a different splunk instances. I changed the name of the new dev server in the server.conf and setup distributed search to my 6.x and 4.x indexers. Later I noticed that the log files were still showing up with the first dev server as the host name. I noticed the host name was different in the GUI under splunk>settings>general settings>server settings

I changed the "Splunk Server Name" and the "Default host name" and restarted splunkd.

This broke the distributed search. I setup the distributed search easily to the 6.x servers but can not reconnect to the 4.x systems. I removed the dev search head folder from "$splunk/etc/auth/distServerKeys" but still can not reconnect.

Any ideas would be helpful.

Please don't judge about being on 4.3. I'm working as fast as the company will allow to move to 6.x

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hartfoml
Motivator
‎01-08-2015 11:22 AM

This seems to have something to do with the 6.2 version but no one can tell me what. I did find a workaround but would not recommend this to anyone.

I was able to down grade my search head to 6.1.x and from there I was able to connect the 4.x indexers as well as the 6.x indexers. After connecting all the indexers I was able to upgrade to 6.2 and keep the connections. We will have all systems at 6.2 soon so this will not be an issue. If your standing up a 6.2 system and want to connect to your 4.x indexers you can not do it. you will have to stand up the Search head as 6.1.X or lower then connect the indexers then upgrade to 6.2. OR just upgrade the indexers to 6.2 🙂

View solution in original post

Reply
Solved! Jump to solution

jcunanan26
New Member
‎02-20-2015 12:06 AM

Hello there guys,
I'm able to run a 6.0 search head to 4.3.3 peers and data displays fine for me now.

Though 6.2 search head upgrade -- I haven't tried that out yet and I'm still testing. update you in a while 😉

0 Karma
Reply
Solved! Jump to solution
Solution

hartfoml
Motivator
‎01-08-2015 11:22 AM

This seems to have something to do with the 6.2 version but no one can tell me what. I did find a workaround but would not recommend this to anyone.

I was able to down grade my search head to 6.1.x and from there I was able to connect the 4.x indexers as well as the 6.x indexers. After connecting all the indexers I was able to upgrade to 6.2 and keep the connections. We will have all systems at 6.2 soon so this will not be an issue. If your standing up a 6.2 system and want to connect to your 4.x indexers you can not do it. you will have to stand up the Search head as 6.1.X or lower then connect the indexers then upgrade to 6.2. OR just upgrade the indexers to 6.2 🙂

Reply
Solved! Jump to solution

Muryoutaisuu
Communicator
‎12-03-2014 07:27 AM

Hi

I couldn't find any up-to-date (v 6.2) documentation, but I found this:
http://docs.splunk.com/Documentation/Splunk/6.1.5/DistSearch/Versioncompatibility

It says:

A 6.x search head is compatible with a 5.x search peer.

As it doesn't mention 4.x search peers, they might be out of version compatibility. But I don't know for sure.

Edit:

Actually found the new documentation: http://docs.splunk.com/Documentation/Splunk/6.2.0/DistSearch/Distsearchsystemrequirements

But still doesn't mention 4.x search peers.

Reply
Solved! Jump to solution

hartfoml
Motivator
‎12-03-2014 11:04 AM

Thanks for putting the links to the documents for me.

As I stated above this was working and then when I made the change it stopped working. I have other 6.2 search heads and they are working with the 4.3 indexers as well as the 6.2 indexers. I know that they are compatible I just don't know why this one stopped working. I sent a diag to support so they can look at the logs.

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎12-03-2014 05:37 AM

Thanks @ppablo for editing this question. I see the new tags but I couldn't see what else needed changing. Anyway I can see that more than 50 splunkers have looked at the question but no-one had any suggestions yet. Thanks for the help

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎12-03-2014 10:42 AM

Hi @hartfoml
No problem, it didn't need much editing really, just the tags. This is a useful question as I'm sure many others are in your situation with backwards compatibility issues. I was reading the 6.2 documentation that @Muryoutaisuu provided in their answer below and read this line directly from that page:

"6.x search heads are compatible with 6.x and 5.x search peers."

Since there's no mention of 4.x search peers in that line, I'm assuming that's what your issue is, but hopefully the support ticket you opened will get you a more concrete answer. Once you get your case resolved, it'd be great if you can share that information on this post for others to see 🙂

Patrick

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...