Splunk Enterprise Security

Does ES3.3 on Search-Head running 6.2.3 and indexers running on 6.2.2 work?

it7272
Engager

In a distributed Search environment, is it required to upgrade the Indexers to the latest version of Splunk, or can we just upgrade the Search-head and deploy the TA, DA, SA via the deployment server to 6.2.2 Indexers?

0 Karma

doksu
SplunkTrust

I think the simple answer is to upgrade your indexers. Upgrading the indexers from 6.2.2 to 6.2.3 wouldn't take a long time nor is it risky. As you're probably aware, best practice is to upgrade indexers before search heads. If you have some dire business requirement not to upgrade the indexers then it would be best to open a support ticket to raise the issue with the folks that would know why 6.2.3 is specifically required for ES 3.3.

0 Karma

it7272
Engager

Yes, I do see reference in the documentation. But what would be the impact, if any, of keeping the indexers at 6.2.2 and only upgrading the Search head? Do any of the ES3.3 applications that go on the indexers verify version on restart?

The end goal is to have everything at the latest version.

0 Karma

ChrisG
Splunk Employee

My reading of the system requirements is that ES 3.3 requires Splunk Enterprise 6.2.3 on all search heads and indexers.

ChrisG
Splunk Employee

Your best option is to move to 6.2.3. I suggest looking at the release notes to see what bugs on the indexer tier might affect your deployment. If you don't find anything listed for 6.2.2 that concerns you, you can probably keep your indexers at 6.2.2 until you can upgrade.

That's a big "probably," though...there are a lot of unknowns and here on Answers we don't have very much information to work with.

To answer your last question: no, none of the add-ons that ship with Enterprise Security do anything to check versions.

0 Karma