We are planning to migrate from a Splunk 4.3, single server environment to a version 5, scaled new installation (index cluster, etc). Any experiences or recommendation on this? Should we upgrade our existing instance to 5 FIRST, then migrate/expand to a new scaled installation - or install the new environment first, and then import/migrate existing data from the existing 4.3 environment?
First of all it will not matter in some cases. I would consider below points.
1) Existing implementation plan
2) Whether all the functionality are still available as old versions (Depreciated functionality)
3) Some forwarders doesn't work well even if it's newer version (tested on my own/check compatibility)
4) Upgrading means splunk will migrate settings to newer version of installation (i.e. almost a single step)
Hope you will figure out these things before you go for a full implementation
Same plans here, from 4.3.6 to the latest 5+.
I reckon upgrade the existing phys v.4 instance to v.5 first, then plan the expansion, plus we also consider going from phys to virtual when on v.5, have a fast storage now that supports the required I/O and capacity.