I recently upgraded all of my Universal Forwarders (UF) to 7.0.3 from various version levels (some 6.3.3, some were 7.x).
On one of the forwarders (AIX), when I run the command:
`./splunk version`
I get: "Splunk Universal Forwarder 7.0.3"
But a search to list forwarder versions on the indexer lists a different version for the same host:
`index=_internal sourcetype=splunkd group=tcpin_connections | stats first(version) by hostname`
I get: "Version 7.0.2"
Why are the versions being listed differently? After the upgrade, this is the only UF not listing 7.0.3 at the indexer.