Hello, our indexers are currently running version 4.2.1 (98164). We are looking to deploy universal forwarders to our Windows servers. Can we install the latest universal forwarders? Or should we stick with version 4.2.1 (98164) when installing the fowarders? Not sure if there is a capatibility issue and wanted to check.
You sometimes cannot run a version of the forwarder that is newer than the indexer. In your case, the documentation indicates that you could update to the newest version of the forwarder (4.2.5) and have it sending data to an indexer version 4.2.1. I would, however, test this on a limited scale first.
However, you can run a version of the indexer (eg, 4.2.5) that is newer than the forwarder (eg, 4.1). This allows folks to update/upgrade their indexers first and then update the forwarders in a phased approach. This is very common.
The official documentation for this is
http://docs.splunk.com/Documentation/Splunk/4.2.1/Deploy/Enableareceiver
Note that I am showing the full URL here, because the Splunk version is embedded in the URL. So check the Version selector in the upper right of the documentation page, to be sure that you are looking at the version of the docs that matches your Splunk! And always check the docs!