
Splunk Lantern

Phase 5: Migrating to the Splunk Cloud Platform

Things to Note Before You Start

  • Not all steps will apply to every migration. For example, you may not have the listed premium applications.

  • If your Splunk Cloud migration involves moving any historical data, you must engage Splunk Professional Services. These steps can be difficult and time consuming, and the end result may differ from what you expect or carry limitations on later operations.

Milestones with Steps

Getting Data In

  1. Review the Splunk Cloud Platform data ingestion process:
    • Understand the different ingestion methods.
    • List the required Splunk add-ons and apps.
    • Account for capacity planning.
    • Account for retention planning.
  2. Review data source collection dependencies, including but not limited to:
    • Network and access control requirements.
    • Firewall change policies.
    • Heavy forwarder apps and whether an Inputs Data Manager (IDM) is needed.
    • HTTP Event Collector (HEC), including Kinesis Data Firehose to HEC, etc.
  3. Review best practice collection methodologies for the applicable data sources:
    • Identify data source owners.
    • Document the change request process.
    • Account for the anticipated volume of each data source.
  4. Design and validate the on-premises architecture for Splunk Cloud data collection, including the following elements:
    • Forwarder tier.
    • Syslog collection via syslog-ng or rsyslog.
    • Deployment server (forwarder configuration).
    • Heavy forwarders.

On-premises system configuration

  • Set up and test the forwarders required for Splunk Cloud.
  • If using a syslog aggregator (rsyslog/syslog-ng):
    • Configure the syslog inputs and filters.
    • Configure a dedicated universal forwarder on each of your syslog aggregation systems.
  • If you require an intermediate forwarding tier:
    • Configure the recommended number of heavy forwarders to act as the intermediate forwarding tier.
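The syslog aggregator and dedicated universal forwarder items above are the part of the collection design that most often goes wrong in practice (events arrive with the aggregator's hostname, or every rotated file is re-read). The script below is an added example, not code from the Splunk Lantern page or from Splunk: it renders the rsyslog drop-in for the aggregator and the inputs.conf for the dedicated universal forwarder as a deployment-server app, computing host_segment from the log root so the original sender becomes the event host. The log root, listening ports, index name and sourcetype are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the Splunk Lantern page: build the two config files a
# dedicated syslog universal forwarder needs. The rsyslog template path, ports,
# index name and sourcetype are assumptions; adjust to your environment.
set -eu

# host_segment for a monitor path: the 1-based index of the <host> directory in
# <logroot>/<host>/<program>.log. Getting this wrong sends every event in as
# host=<aggregator> instead of the original sender.
host_segment_for() {
    printf '%s\n' "$1" | awk -F/ '{ n = 0; for (i = 1; i <= NF; i++) if ($i != "") n++; print n + 1 }'
}

# rsyslog drop-in for the aggregator: one file per sending host and program so the
# UF can assign host from the path and you can override sourcetype per program.
# Rotation of these files (logrotate) is assumed and not shown.
write_rsyslog_conf() {
    out="$1"; logroot="$2"
    cat > "$out" <<EOF
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514")
input(type="imtcp" port="514")
template(name="SplunkPerHost" type="string" string="${logroot}/%HOSTNAME%/%programname%.log")
action(type="omfile" dynaFile="SplunkPerHost" dirCreateMode="0755" fileCreateMode="0644")
EOF
}

# inputs.conf for the dedicated UF, written as a deployment-server app so the
# same app can be pushed to every aggregator. No crcSalt: rotated files keep
# their CRC and are not re-indexed under the new name.
write_uf_inputs() {
    appdir="$1"; logroot="$2"; index="$3"
    seg=$(host_segment_for "$logroot")
    mkdir -p "$appdir/local"
    cat > "$appdir/local/inputs.conf" <<EOF
[monitor://${logroot}/*/*.log]
disabled = 0
index = ${index}
sourcetype = syslog
host_segment = ${seg}
ignoreOlderThan = 7d
EOF
    cat > "$appdir/local/app.conf" <<EOF
[install]
state = enabled
EOF
}

# Usage: ./syslog_uf_app.sh /etc/rsyslog.d/60-splunk.conf \
#            /opt/splunk/etc/deployment-apps/syslog_uf_inputs /var/log/remote net_syslog
if [ "$#" -eq 4 ]; then
    write_rsyslog_conf "$1" "$3"
    write_uf_inputs "$2" "$3" "$4"
    echo "host_segment = $(host_segment_for "$3")"
fi
```

The outputs.conf is deliberately not generated here: for Splunk Cloud you install the universal forwarder credentials package downloaded from your stack, which carries the indexer list and the TLS material, rather than hand-writing the destination.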

Optimization review (current Splunk environment)

  • Audit indexing performance.
    • Include: index-time configurations; indexer utilization and performance; queue status on indexers, heavy forwarders (HF) and intermediate forwarders (IF); and bucket distribution.
  • Audit search activity and usage patterns.
    • Include: concurrent ad hoc and real-time search activity and limits, event type review, search activity by user, search execution times, scheduled searches, overrunning (long-running) searches, and skipped searches.
  • Audit data onboarding health.
    • Check for and document any issues with getting data in, e.g. bad timestamps, truncation, etc.
  • Audit integrations with other systems.
    • Check for and document any alert integrations that could be affected by the move to Splunk Cloud Platform, and the Enterprise Security (ES) asset and identity sources.
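The queue-status part of the indexing audit is normally read off the Monitoring Console, but when you only have metrics.log copies from an indexer, heavy forwarder or intermediate forwarder, the check below gives the same answer. It is an added example, not code from the Splunk Lantern page or from Splunk: it parses the group=queue lines in metrics.log and flags any queue that reports blocked=true or whose current_size_kb is at or above a fill threshold of max_size_kb. The sample log lines are constructed in the metrics.log format for this example.

```shell
#!/bin/sh
# Added example, not from the Splunk Lantern page: flag blocked or nearly full
# pipeline queues from metrics.log on an indexer, heavy forwarder or intermediate
# forwarder. The sample lines below are constructed in the metrics.log format.
set -eu

SAMPLE_METRICS='02-14-2024 10:15:03.123 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=5987, current_size=143, largest_size=6000, smallest_size=5900
02-14-2024 10:15:03.123 +0000 INFO  Metrics - group=queue, name=indexqueue, max_size_kb=500, current_size_kb=120, current_size=12, largest_size=300, smallest_size=0
02-14-2024 10:15:03.123 +0000 INFO  Metrics - group=queue, name=typingqueue, blocked=true, max_size_kb=500, current_size_kb=500, current_size=60, largest_size=60, smallest_size=60
02-14-2024 10:15:03.123 +0000 INFO  Metrics - group=queue, name=aggqueue, max_size_kb=1024, current_size_kb=400, current_size=40, largest_size=420, smallest_size=5
02-14-2024 10:15:03.123 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=12.5, eps=30'

# Print "<queue> blocked=<true|false> fill=<ratio>" for every queue sample that is
# blocked or at/above the fill threshold (default 0.8). Reads metrics.log on stdin.
audit_queues() {
    awk -v thr="${1:-0.8}" '
    /group=queue,/ {
        name = ""; blocked = "false"; cur = -1; max = -1
        for (i = 1; i <= NF; i++) {
            kv = $i; sub(/,$/, "", kv)
            if (split(kv, p, "=") != 2) continue
            if (p[1] == "name") name = p[2]
            else if (p[1] == "blocked") blocked = p[2]
            else if (p[1] == "current_size_kb") cur = p[2] + 0
            else if (p[1] == "max_size_kb") max = p[2] + 0
        }
        if (max <= 0 || name == "") next
        fill = cur / max
        if (blocked == "true" || fill >= thr)
            printf "%s blocked=%s fill=%.2f\n", name, blocked, fill
    }'
}

# Distinct queue names flagged over the whole file, space separated, sorted.
flagged_queue_names() {
    audit_queues "${1:-0.8}" | awk '{ print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Usage on a real host:  ./queue_audit.sh /opt/splunk/var/log/splunk/metrics.log 0.8
if [ "$#" -ge 1 ] && [ -r "$1" ]; then
    audit_queues "${2:-0.8}" < "$1"
else
    printf '%s\n' "$SAMPLE_METRICS" | audit_queues
fi
```

A queue that is repeatedly full on an on-premises heavy forwarder is usually a downstream problem (the indexers, or the network path to them), which is exactly the condition that gets worse when the destination becomes a Cloud stack across the internet; fix it before cutover rather than after.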

Data governance

  • Review data segmentation and security:
    • Index naming and creation.
    • Sourcetype naming and creation.
    • Update index access restrictions based on user roles.
  • Review current indexing capacity and provide a capacity (retention) planning strategy.
    • Capacity planning: time-based retention, e.g. Dynamic Data Active Archive (DDAA) or Dynamic Data Self Storage (DDSS) for data older than 90 days.
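The three governance items above (index naming, role-based index access, and retention for capacity planning) can all be checked mechanically from the merged configuration (for example the output of `splunk btool indexes list` and `splunk btool authorize list` saved to files). The script below is an added example, not code from the Splunk Lantern page or from Splunk. It flags index names that break an assumed lowercase naming convention, lists roles whose srchIndexesAllowed contains a wildcard (which would silently grant access to every index created on the Cloud stack later), and reports effective retention in days per index, falling back to the [default] stanza or Splunk's built-in default when frozenTimePeriodInSecs is not set. The sample stanzas are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Splunk Lantern page: audit index naming, role-based
# index access and retention from exported indexes.conf / authorize.conf.
# The naming convention and the sample stanzas are assumptions for this example.
set -eu

# Constructed sample configs (not from a real environment).
make_samples() {
    dir="$1"; mkdir -p "$dir"
    cat > "$dir/indexes.conf" <<'EOF'
[Web_Prod]
homePath = $SPLUNK_DB/Web_Prod/db
[net_syslog]
frozenTimePeriodInSecs = 7776000
[winevent]
maxTotalDataSizeMB = 500000
[volume:remote_store]
storageType = remote
EOF
    cat > "$dir/authorize.conf" <<'EOF'
[role_analyst]
srchIndexesAllowed = net_syslog;winevent
srchIndexesDefault = net_syslog
[role_contractor]
srchIndexesAllowed = *
[role_soc]
srchIndexesAllowed = *;_*
EOF
}

# Index stanzas that break the assumed convention: lowercase, digits, _ and -,
# not starting with _ or -. Skips [default] and volume stanzas.
bad_index_names() {
    awk '/^\[/ { s = $0; sub(/^\[/, "", s); sub(/\]$/, "", s)
                 if (s == "default" || s ~ /^volume:/) next
                 if (s !~ /^[a-z0-9][a-z0-9_-]*$/) print s }' "$1"
}

# Roles whose srchIndexesAllowed contains any wildcard token: after migration
# these see every index on the stack, including ones created later.
wildcard_index_roles() {
    awk '/^\[/ { r = $0; sub(/^\[/, "", r); sub(/\]$/, "", r); next }
         /^srchIndexesAllowed[ \t]*=/ {
             v = $0; sub(/^[^=]*=[ \t]*/, "", v)
             n = split(v, t, ";")
             for (i = 1; i <= n; i++) if (t[i] ~ /\*/) { print r; next }
         }' "$1"
}

# "<index> <retention_days>" per index; an unset frozenTimePeriodInSecs falls
# back to the [default] stanza or Splunk's built-in 188697600 s (2184 days).
# Anything over 90 days is a candidate for DDAA or DDSS on the Cloud side.
retention_report() {
    awk 'BEGIN { dflt = 188697600 }
         function flush() {
             if (idx != "" && idx != "default" && idx !~ /^volume:/)
                 printf "%s %d\n", idx, (secs < 0 ? dflt : secs) / 86400
         }
         /^\[/ { flush(); idx = $0; sub(/^\[/, "", idx); sub(/\]$/, "", idx); secs = -1; next }
         /^frozenTimePeriodInSecs[ \t]*=/ {
             v = $0; sub(/^[^=]*=[ \t]*/, "", v)
             if (idx == "default") dflt = v + 0; else secs = v + 0
         }
         END { flush() }' "$1"
}

# Usage: ./index_governance_audit.sh /dir/containing/indexes.conf/and/authorize.conf
if [ "$#" -eq 1 ]; then
    echo "Non-conforming index names:"; bad_index_names "$1/indexes.conf"
    echo "Roles with wildcard index access:"; wildcard_index_roles "$1/authorize.conf"
    echo "Retention (days):"; retention_report "$1/indexes.conf"
fi
```

Run it against btool output rather than a single file so that settings inherited from app defaults are included; an index that looks unrestricted in local/indexes.conf may still have a retention set in an app's default/indexes.conf.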

Cloud authentication review

  • Configure SSO/SAML login (up to three role-to-group mappings).
  • Configure LDAP.
  • Configure Splunk native authentication ($SPLUNK_HOME/etc/passwd and users).
  • Log any username modifications that will be required (for example, where the SAML name ID format differs from the current usernames).

Migration execution

  • Set up, configure and migrate roles (security and authentication):
    • Review the options for Splunk Cloud authentication: Splunk native authentication, LDAP or SAML.
    • Set up roles to enforce logical separation of data and index access.
    • Sync roles between environments.
    • Rewrite roles for username format changes.
    • Verify roles and users.
    • SAML: re-create the default mapping so that users become visible.
  • Migrate field extractions and other extractions per data source:
    • Migrate field extractions (local props.conf) and permissions (default.meta and local.meta).
    • Validate field extractions.
  • Migrate search artifacts:
    • Map username formats as required.
    • Harvest and migrate search head knowledge objects (savedsearches.conf).
    • Migrate dashboards (including users' private working copies).
    • Migrate alerts (including users' private working copies).
    • Migrate private field extractions (local props.conf).
    • Validate search artifacts.
  • Premium application migrations - Enterprise Security (ES):
    • Data model tuning.
    • Migrate the KV Store.
    • Verify the KV Store.
  • Premium application migrations - ITSI:
    • Migrate the KV Store.
    • Verify the KV Store.
  • Prepare indexers for data migration:
    • Remove index retention settings so that buckets are not frozen while the migration is in progress.
    • Upgrade on-premises indexers to the latest Splunk version supported for SmartStore.
  • Data migration: online (S2) and offline (S3) migration.
  • Set up, configure and migrate to the new endpoints.
  • Update forwarder configurations so that clients send to the new endpoints.
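The username-format items above (logging required username modifications in the authentication review, rewriting roles and mapping username formats here) come down to one mechanical change: every private knowledge object lives under $SPLUNK_HOME/etc/users/<username>/ and every shared object records its owner in a local.meta file, so when the Cloud identity (for example a SAML email name ID) differs from the on-premises username both must be rewritten before the objects are uploaded, and each change must be recorded. The script below is an added example, not code from the Splunk Lantern page or from Splunk. It applies an old-to-new mapping file to a copy of the etc directory, logging every rename in dry-run mode and only changing files when told to apply. The mapping file format and the sample users are assumptions constructed for this example; the etc/users and metadata layout is Splunk's own.

```shell
#!/bin/sh
# Added example, not from the Splunk Lantern page: apply a username mapping
# (old -> new, e.g. sAMAccountName -> SAML email name ID) to a copy of
# $SPLUNK_HOME/etc before uploading knowledge objects, and log every change.
# The mapping file format and the sample users are assumptions for this example.
set -eu

# Constructed sample: two users to rename, one service account to leave alone.
make_sample_tree() {
    base="$1"
    for u in jsmith 'CORP\adoe' svc_backup; do
        mkdir -p "$base/etc/users/$u/search/local" "$base/etc/users/$u/search/metadata"
        cat > "$base/etc/users/$u/search/metadata/local.meta" <<EOF
[savedsearches/my_private_search]
owner = $u
access = read : [ * ], write : [ admin ]
EOF
    done
    mkdir -p "$base/etc/apps/search/metadata"
    cat > "$base/etc/apps/search/metadata/local.meta" <<'EOF'
[savedsearches/Failed%20Logins]
owner = jsmith
export = system

[savedsearches/Backup%20Status]
owner = svc_backup
EOF
    cat > "$base/usermap.txt" <<'EOF'
# old_username new_username   (constructed mapping)
jsmith jsmith@example.com
CORP\adoe adoe@example.com
EOF
}

# Exit 0 if the .meta file has an "owner = OLD" line. Names travel through the
# environment rather than awk -v so backslashes in CORP\adoe survive intact.
has_owner() {
    OLD="$1" awk '/^owner[ \t]*=/ { v = $0; sub(/^owner[ \t]*=[ \t]*/, "", v)
                  if (v == ENVIRON["OLD"]) { f = 1; exit } } END { exit !f }' "$2"
}

# Rewrite "owner = OLD" to "owner = NEW" in one .meta file, leaving other lines as-is.
rewrite_owner() {
    OLD="$1" NEW="$2" awk '
        /^owner[ \t]*=/ {
            v = $0; sub(/^owner[ \t]*=[ \t]*/, "", v)
            if (v == ENVIRON["OLD"]) { print "owner = " ENVIRON["NEW"]; next }
        }
        { print }' "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# remap_usernames MAPPING ETC_DIR [apply]   -- without "apply" it only logs.
# Each line of output is one change: "META <file> owner OLD -> NEW" or
# "DIR users/OLD -> users/NEW". Keep the output as the migration record.
remap_usernames() {
    mapping="$1"; etc="$2"; mode="${3:-dry-run}"
    while IFS=' ' read -r old new <&3; do
        case "$old" in ''|'#'*) continue ;; esac
        if [ -z "$new" ]; then echo "SKIP no target for $old" >&2; continue; fi
        find "$etc" -name '*.meta' -type f | while read -r f; do
            if has_owner "$old" "$f"; then
                echo "META $f owner $old -> $new"
                if [ "$mode" = apply ]; then rewrite_owner "$old" "$new" "$f"; fi
            fi
        done
        if [ -d "$etc/users/$old" ]; then
            echo "DIR users/$old -> users/$new"
            if [ "$mode" = apply ]; then mv "$etc/users/$old" "$etc/users/$new"; fi
        fi
    done 3< "$mapping"
}

# Usage: ./remap_usernames.sh usermap.txt /path/to/copy/of/etc          # dry run
#        ./remap_usernames.sh usermap.txt /path/to/copy/of/etc apply    # change files
if [ "$#" -ge 2 ]; then remap_usernames "$@"; fi
```

Run the dry run first and have the data owners confirm the mapping; a wrong entry here does not fail loudly, it silently hands someone else's alerts and dashboards to the new identity. Roles referenced in the access lines are not touched, because role names do not change with the username format.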

In summary, the checklist is there to guide you through your migration and to make sure you are thinking about the right areas. Double-check the first four milestones (Getting Data In, On-premises system configuration, Optimization review, and Data governance), and make sure you have agreement with your internal and Splunk teams and have resolved any outstanding questions before proceeding to the last two (Cloud authentication review and Migration execution).
