
A Splunk Engineer’s Guide to Migration

Last Updated on December 1, 2020

Part 1: Core Splunk Migrations

As a Splunk Professional Services consultant I have the good fortune of working with really smart and experienced engineers, and the combination of smart and experienced means they’re trying to be as ready as they can for what comes next.

In this blog, we’ll discuss how to prepare for a Splunk migration.  We will cover the basics here; if you are migrating a premium app such as ES or ITSI, please stay tuned for Part 2.

Migrating Data from On-Premises Splunk to Splunk Cloud.

Moving to Splunk Cloud is increasingly common.  I’m going to cover this one first not because the migration itself is quick and easy, but because what you will need to do on the on-premises side is simple to describe.  If you plan to migrate indexed data to Splunk Cloud, you will absolutely need Professional Services support.  Unlike other migrations, Aditum cannot provide professional services for the migration itself; it must be done through Splunk Professional Services.  Also be sure to coordinate with your business owner for Splunk Cloud, as there may be additional storage costs.  Plan to repoint your forwarders to Splunk Cloud, which will also require installing your Splunk Cloud credentials app on your forwarders.

You will need to be prepared to upgrade your on-premises Splunk environment to the same version as your Splunk Cloud stack.  When the migration itself takes place, you will need to install a special migration app on your indexers, and you may need to adjust some other server and indexing settings, so be sure you have that level of access to your indexers.  Splunk Cloud processes change frequently, so be sure to coordinate with Professional Services before upgrading.  Last but not least, the migration is a high-bandwidth activity, so be sure to coordinate this with your networking team.

Migrating on-premises apps to Splunk Cloud will require some review time.  Any apps deployed to Splunk Cloud require vetting before deployment to your environment.  This means passing through a process called AppInspect, and customizations to apps otherwise approved for Splunk Cloud may be rejected.  Consider whether your custom app or the customized parts of a Splunkbase app really need to be deployed to your Cloud search heads or indexers at all.  Some data parsing functions might be moved to an on-premises heavy forwarder, as an example.

Migrating Splunk Clustered Data Indexes to New Hardware.

This is relatively simple, with the main factor being the amount of data to be moved.  The new indexer or indexers need to be added into the cluster, and if old indexers are being decommissioned, they can then be gradually removed from the cluster and data buckets rebalanced across the cluster.  You will want to have your new hardware in place and make sure you have read/write access to your indexers and indexer cluster master, network connectivity between your old and new indexers, and connectivity to your new indexers from your search heads and forwarders.  Again, this will be a network-intensive activity.  Plan to point your forwarders to the new hardware, which is likely controlled through the Deployment Server or your configuration management tool.


Migrating Splunk from a Single-Site Cluster to a Multisite Cluster.

Assuming you wish to convert your legacy single-site cluster’s buckets to multisite, this is a slightly more complicated version of what you would do to add new indexers into a single-site cluster.  You will need read/write access to your indexers and cluster master, network connectivity between indexers on both sites, and connectivity from search heads and forwarders to your indexers.  Migrating legacy data to a multisite cluster will require moving copies of all of your existing data across the wire to the new site, so be sure to coordinate this with your networking team; if a cloud hosting provider such as AWS or GCP is involved, remember that this will incur extra bandwidth charges.  You may wish to load-balance forwarder traffic between the two sites, too.  If you plan to have search heads at both sites, you may need to set site affinity for the search heads as well.
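To make the two cluster changes above concrete (adding a peer to an indexer cluster, and converting that cluster to multisite with search-head site affinity and cross-site forwarder load balancing), here is an added example of the server.conf and outputs.conf fragments involved.  It is my own illustration, not configuration from Splunk or from the original post; the hostnames, ports, site names and the shared secret are placeholders, and the four fragments belong in four different files on four different hosts.  The example uses the page’s “cluster master” terminology (mode = master, master_uri); Splunk 8.1 and later also accept the renamed manager forms.

```ini
# Constructed example: one server.conf fragment per role, plus a forwarder outputs.conf.
# All hostnames, ports and the pass4SymmKey value are placeholders to replace.

# ---- server.conf on the cluster master ----
[general]
site = site1

[clustering]
mode = master
multisite = true
available_sites = site1,site2
# At least two copies at the site a bucket originates from, three copies in total,
# so every bucket ends up with a copy at the remote site.
site_replication_factor = origin:2,total:3
site_search_factor = origin:1,total:2
# Legacy single-site buckets stay pinned to their original site while this is true.
# Setting it to false is what triggers the cross-site copy of existing data that
# the networking team needs to be warned about.
constrain_singlesite_buckets = false
pass4SymmKey = CHANGE-ME-cluster-secret

# ---- server.conf on a new indexer (peer) being added at the second site ----
# This stanza is also how a new peer joins a single-site cluster; only the site line differs.
[general]
site = site2

[clustering]
mode = peer
master_uri = https://cluster-master.example.com:8089
pass4SymmKey = CHANGE-ME-cluster-secret

[replication_port://9887]

# ---- server.conf on a search head that should prefer its local site ----
[general]
# Site affinity: searches use site1 copies when available.
# Set site = site0 instead to disable affinity and search across both sites.
site = site1

[clustering]
mode = searchhead
master_uri = https://cluster-master.example.com:8089
multisite = true
pass4SymmKey = CHANGE-ME-cluster-secret

# ---- outputs.conf on a forwarder: spread traffic across indexers at both sites ----
[tcpout]
defaultGroup = multisite_indexers

[tcpout:multisite_indexers]
server = idx1.site1.example.com:9997, idx2.site1.example.com:9997, idx1.site2.example.com:9997, idx2.site2.example.com:9997
# Switch to the next indexer in the list every 30 seconds.
autoLBFrequency = 30
```

Once the master and peers are restarted with these settings, rebalancing existing buckets across the enlarged cluster is started from the master with `splunk rebalance cluster-data -action start`, and an old indexer being decommissioned is taken out gracefully with `splunk offline --enforce-counts` on that peer so its buckets are re-copied before it leaves.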

Migrating from a Standalone Splunk Instance to a Distributed Splunk Environment.

Your team has a decision to make if you are preparing to move from everything on one Splunk server to a distributed environment, with at least a search head, a cluster master, and two indexers in a cluster.  If you just want to cluster data from cutover day forward, this is a fairly simple move.  If you want to migrate legacy standalone data and have it replicated across the cluster, you will need Professional Services help; by all means, reach out to us at Aditum.

From Planning to Optimization, Aditum can help.

You know Splunk can be a major contributor to your organization’s success.  How do you make sure you’re getting the value from your Splunk investment?

Aditum’s Success Plan for Splunk gives you monthly access to senior consultants, who will work with you as you optimize your organization’s Splunk usage and plan for expansion and migration.  It’s like having an experienced co-pilot to help you navigate your Splunk journey.

Aditum’s Splunk Managed Services takes the burden of administering Splunk off your hands.  We’ll take care of the details and give you a partner in driving Splunk adoption and expansion in your organization.

Want to know more?  Give us a call at (727) 240-3603 or drop us an email.

Chris Selvig