Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can a heavy forwarder be higher version than indexers?

a_naoum
Path Finder
‎04-24-2019 05:07 AM

Hi,

I don't think that I found this kind of question before but in general I know the case for different versions between the indexers-search heads but my question is:
Can a heavy forwarder be higher version than indexers?

0 Karma
Reply

harsmarvania57
Ultra Champion
‎04-24-2019 05:56 AM

I would like to point out that question is for Heavy Forwarder, however Forwarder compatibility link which is provided in answer is for Comparability between Universal Forwarder and Splunk Indexer.

Heavy Forwarder is same as Splunk Indexer (Search Peer), only difference is Heavy Forwarder do not store data in general and pass parsed data to Indexer so based on my knowledge this is correct link from doc https://docs.splunk.com/Documentation/Splunk/7.2.6/Indexer/Systemrequirements#Compatibility_between_... for compatibility between Heavy Forwarder and Indexer, please correct me if I am wrong.

Reply

sanjeev543
Communicator
‎04-24-2019 05:17 AM

Technically yes, but there are limitations on what kind of Data forwarder can send, if you maintain higher version of HF.
Please refer to the below compatibility matrix.
https://docs.splunk.com/Documentation/Forwarder/7.2.6/Forwarder/Compatibilitybetweenforwardersandind...

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-24-2019 05:16 AM

Hi @a_naoum,

Indexer should be in higher version than the forwarder, please visit Forwarder Compatibility.

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-24-2019 05:15 AM

@a_naoum

Check "Determine forwarder-indexer compatibility" section in below link.

https://docs.splunk.com/Documentation/Forwarder/7.2.6/Forwarder/Compatibilitybetweenforwardersandind...

Reply

a_naoum
Path Finder
‎04-26-2019 05:49 AM

As others mention is it applicable for HF?

Reply

pellegrini
Path Finder
‎05-26-2023 01:59 AM

Yes it is applicable for standard HF functionality as well. At least according to Docs. Some special cases where the HF is configured differently then just forward events it might be different.

https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwar...

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-26-2023 02:19 AM

Hi

Officially this is not a supported combination. Indexer should/must be at higher level to fulfil Splunk requirements and get support if needed. Best practices is ensure that receiver is at least same level than sender.

Fortunately in most cases HFs and UFs can be higher level than IDX is. Normally this work well but time by time (when newer versions has some new features) this will cause some issues and even those didn't work together without additional changes on configuration.

r. Ismo

Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...