Splunk Enterprise Security

Does ES3.3 on Search-Head running 6.2.3 and indexers running on 6.2.2 work?

it7272
Engager

In a distributed Search environment, is it required to upgrade the Indexers to the latest version of Splunk or can we just upgrade the Search-head and deploy the TA, DA, SA via the deployment server to 6.2.2 Indexers?

0 Karma

doksu
SplunkTrust

I think the simple answer is to upgrade your indexers. Upgrading the indexers from 6.2.2 to 6.2.3 wouldn't take a long time nor is it risky. As you're probably aware, best practice is to upgrade indexers before search heads. If you have some dire business requirement not to upgrade the indexers then it would be best to open a support ticket to raise the issue with the folks that would know why 6.2.3 is specifically required for ES 3.3.

0 Karma

it7272
Engager

Yes, I do see reference in the documentation. But what would be the impact, if any, of keeping the indexers at 6.2.2 and only upgrading the Search head? Do any of the ES3.3 applications that go on the indexers verify version on restart?

The end goal is to have everything at the latest version.

0 Karma

ChrisG
Splunk Employee

My reading of the system requirements is that ES 3.3 requires Splunk Enterprise 6.2.3 on all search heads and indexers.

ChrisG
Splunk Employee

Your best option is to move to 6.2.3. I suggest looking at the release notes to see what bugs on the indexer tier might affect your deployment. If you don't find anything listed for 6.2.2 that concerns you, you can probably keep your indexers at 6.2.2 until you can upgrade.

That's a big "probably," though...there are a lot of unknowns and here on Answers we don't have very much information to work with.

To answer your last question: no, none of the add-ons that ship with Enterprise Security do anything to check versions.

0 Karma