Benefits to an upgrade from 4.3.2 to 4.3.3

asarolkar
Builder

Hi guys:

In our current PROD architecture we have various OS flavors of the 4.3.2 Universal forwarders pushing data to ONE 4.3.2 Splunk Indexer.

We are anticipating an upgrade to 4.3.3 and I am doing an analysis on pros/cons of the actual upgrade. There are 3 questions to which I am seeking answers. This is not about the "right" way to do this - but rather evaluating the overall benefit of an update and then implementing that change in line with known best practices:

i) There are several combinations of upgrade protocols that can be used.

First of which is to upgrade BOTH the indexer and the forwarders to 4.3.3

**An alternative** is to upgrade just the indexer to 4.3.3 and keep forwarders at 4.3.2

Would you favor one over the other ?



ii) Considering the second approach described earlier, what problems could one face with having Splunk components that talk to each other every second in a system architecture with different versions (some are 4.3.3 others are 4.3.2 in this case).

I have done some research and my findings are that there should really NOT be any major issues with this approach. Anybody strongly agree/disagree with that? The indexer is backward compatible with the forwarders and this should not be a big deal.

Note that folks who have done something similar for 4.2.X to 4.3.X have not seen any major issues - the findings in this post here more than likely also apply to an upgrade between two versions of 4.3.X

http://splunk-base.splunk.com/answers/38117/updating-to-splunk-43-with-existing-42-universal-forward...






iii) Advantages of upgrading to 4.3.3

What advantages do heavy users of Splunk get in terms of functionality/efficiency for an upgrade from 4.3.2 to 4.3.3 ?

There is very little material out there and I was wondering if there was any empirical evidence/known pros to performing this upgrade.

Thanks

0 Karma

kallu
Communicator

Reading the release notes of 4.3.3 it seems it is just a bug-fix release

http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/4.3.3

If you don't have any of these issues, then there is not much you will gain with an upgrade. But it might be a good idea to upgrade your indexers anyway to avoid some of the known bugs in future. I wouldn't worry too much about forwarders as there weren't (m)any forwarder-specific fixes included in 4.3.3.

Drainy
Champion

It's exactly the same as you are talking about upgrading to 4.3.3. The only major difference is if you upgraded from 4.2.x to a 4.3.x. Either way an upgrade off 4.3.1 is a good idea.

kallu
Communicator

Yep, it's just a longer list of bug fixes you're missing. My understanding is x.y.z -releases have only bug fixes. New features are introduced in x.y -releases.

0 Karma

asarolkar
Builder

Hi guys:

If we were to consider between 4.3.1 and 4.3.3 - is it still pretty much the same picture when we compare 4.3.2 and 4.3.3 ?

0 Karma

Drainy
Champion

Yeah, this is a very high level analysis of a fairly small maintenance release. I wouldn't panic too much if the bugs in the fix list don't affect you 🙂 4.3.2 on the other hand 4.3.2/1 had some fairly important bug fixes and hopefully no one is still on 4.3.
