Phase 1: Splunk Cloud Platform migration overview

Foundations: Understanding Splunk Cloud

1. A shift in focus with Splunk Cloud Platform SaaS

If you’re managing Splunk Enterprise deployed on-premises, you are responsible for a lot of platform monitoring and management tasks. These may include management of infrastructure, OS, network, backups, capacity, applications, app installs, and upgrades.

After you move to Splunk Cloud Platform, the majority of those tasks are carried out by Splunk for you, leaving you more time to focus on higher-value tasks. Higher value tasks may include data onboarding and governance, user onboarding and administration, workload performance and management. Your focus shifts from managing the Splunk platform to managing your business outcomes and value you get from the Splunk platform.

2. Understanding the key differences between Splunk Enterprise and Splunk Cloud Platform

Splunk Cloud Platform and Splunk Enterprise have significant feature overlap (>95%). However, some features are implemented differently, and how you interact with Splunk Cloud Platform can be a bit different. The biggest user experience difference is that you won’t work on the backend, as Splunk will do that for you. Instead, you’ll be working from the Splunk User Interface, and the Support Portal. You can review “Differences between Splunk Cloud Platform and Splunk Enterprise” section of Splunk Cloud Platform Service Details to understand these differences.

3. Splunk Cloud Platform Services

 

Manage your Splunk Cloud Platform environment

1. Day in the life

This example list of activities gives a sense of your typical day-to-day activities* when you’re in Splunk Cloud Platform:

• Done via Splunk Cloud Platform Search Head (*modular inputs, HEC tokens, UF package)
  • Create and manage indexes
  • Manage data retention
  • Send events/data to Splunk Cloud Platform*
  • Define and configure parsing (props and transforms)
  • Manage knowledge objects
  • Install and manage apps (vetted public and private apps)
  • Create and manage access (users and roles)
  • Manage searches
  • Monitor cloud stack via CMC
  • Integrate with your identity system (LDAP/SAML, should be done as part of migration)
• Done at source - on-prem components
  • Managed forwarders and events/data sent to Splunk Cloud Platform
  • Define inputs and configure parsing (on-prem parsing or masking)
  • Problem isolation (on-prem)

2. Apps and add-ons

Apps and Add-ons are an important way to add features and functionality to the Splunk Cloud Platform. To ensure security and minimize performance issues, only vetted and compatible apps can run on the Splunk Cloud Platform.

You can check the Splunkbase page for each app/add-on to see if it is approved for Splunk Cloud Platform. For an explanation of what different support levels mean, go here.

• Installing Apps - Self service vs Assisted install

Follow the instructions for installing apps, noting these processes will cover both types of app installs: Self-Service Install Apps (SSAI) and Assisted Install Apps.

Classic experience

Victoria experience

In your cloud stack, navigate to Apps > Manage Apps > Install Apps. See the image below. Splunk Cloud Platform Admins and defined users can install apps on your ad-hoc search head. You can NOT self install apps on premium search heads or the Inputs Data Manager (IDM). To install apps on any of these, or to install an app requiring assisted installation, or to install multiple apps at once, open a support ticket from the Support Portal. Not all apps are search head clusters (SHC) compatible.

In your cloud stack, navigate to Apps > Manage Apps > Install Apps. See the image below. Splunkbase Apps have one of the following statuses: Install: The app can be self-service installed (click install and it will be deployed). Request Install: The app is compatible with your version of Splunk Cloud Platform, but requires additional pre and post installation operations that will be done by Splunk Cloud Operations. Not Yet Available: This indicates that the has not yet been vetted for Splunk Cloud Platform and/or is not supported on the version of Splunk Cloud Platform your stack is currently on.

• Private apps

Apps you create to support your business needs are called custom or private apps. These apps can also be self-service installed on Splunk Cloud Platform.

Classic Experience	Victoria Experience
See the Uploaded Apps screen:	See the Install App from File page:

• App vetting

App vetting helps ensure the security, safety, and compliance of applications for our customers. You should factor in some lead time in your plan to vet and validate any net new apps after your migration is complete.

Step 1: Identify apps that have not been Splunk Cloud Platform approved	Step 2: Submit apps for installation	Step 3: Submitted apps are vetted by Splunk	Step 4: Vetted apps are installed by Splunk
Apps or add-ons that have not been Splunk Cloud Platform approved must be vetted. This includes all private/custom apps.	Submitting apps for installation as shown previously for a classic stack will automatically vet the app. If app passes, then the app can be installed. If the app does not pass, then the app must be updated until it does pass before installation. You will receive an report detailing areas to remediate.	Criteria for passing app vetting are shown on Splunk Dev. Checks performed are indicated with an “x” in the Cloud column. You can validate apps in advance using Splunk’s AppInspect API. The CLI tool can perform static checks during app development, but the app will still need to be validated via the API. Splunk Dev also outlines the app vetting process.	Starting with Splunk Cloud Platform version 8.1.2012, you can now install private apps w/o requiring manual vetting checks. Must be allowed by your Splunk Cloud Platform administrator. Must acknowledge the Splunk General Terms . Private/custom apps that do not pass vetting are outside the scope of the Splunk Cloud Platform subscription agreement.

• Updating apps

You are responsible for ensuring that installed Apps and Add-ons are on supported versions for Splunk Cloud Platform.

Classic Experience	Victoria Experience
Recommend reviewing Apps via Manage Apps screen once per quarter to ensure on optimal version for Splunk Cloud Platform Premium apps or any app on a premium SH require a Support Ticket to be updated.	Recommend reviewing Apps via Manage Apps screen once per quarter to ensure on optimal version for Splunk Cloud Platform. Premium apps require a Support Ticket to be updated.

3. Getting data in/Forwarding data

There are several ways to get data into Splunk Cloud Platform, many of which are similar to your existing on-premises deployments. Please take a moment to review the key differences and how you can best prepare for a seamless migration to Splunk Cloud Platform. You can also take this as an opportunity to address some common challenges we've seen, such as data parsing issues, delayed ingest through pipelines, line break issues, forwarder-indexer affinity, HEC token applied to a IP not on allow list, and no index assigned for source. Check out Transitioning to Splunk Cloud for more information on addressing these challenges.

Key references:

• Overview of data collection, ingestion, and retention in Splunk Cloud Platform.
• Getting started with Splunk Cloud Platform page includes links to many GDI related topics, including Introduction to getting data into Splunk Cloud Platform.
• Getting started with Splunk Cloud Platform includes info about forwarders, which largely function the same. The key differences are:
  • Installing the Splunk Cloud Platform UF Credentials Package - allows forwarders to connect to Splunk Cloud Platform.
  • Allowed versions of Splunk Forwarders to connect to Splunk Cloud Platform.
• HTTP Event Collector data ingestion and setting up HEC tokens.
• Syslog must be sent via intermediate tier: SC4S app or forwarder.
• Modular / Scripted Inputs - data inputs, packaged as Splunk apps and add-ons.
  • For the Classic experience, the Inputs Data Manager (IDM) is used: a hosted solution for Splunk Cloud Platform to these type of inputs that you want to send directly to Splunk Cloud.
  • With the Victoria experience, these run directly on your search head(s), and are governed by workload management.

4. Monitoring your deployment - CMC

The Cloud Monitoring Console (CMC) is a tool to help manage your Splunk Cloud Platform environment. It enables Splunk Cloud Platform administrators to view information about the status of your Splunk Cloud Platform deployment.

CMC provides visibility into areas such as data ingestion and data quality, forwarder connections, indexing, license usage, upgrade readiness, and so on.

A few key highlights to keep in mind:

• Every Splunk Cloud Platform deployment has the CMC.
• CMC is managed by the CMC team and is updated frequently.
• You do not need to make a request to upgrade this app. Everyone is on the latest version of this app at all times.
• For additional details, reference the Intro to CMC page or our Cloud Monitoring Tips & Tricks content from .conf20.
• Do not make changes to CMC. If you do, it will not automatically receive version updates.

 

 

5. Release management and upgrades

• Upgrades and maintenance

Splunk Cloud Platform provides a highly available, reliable and performant service. To maintain and improve it, Splunk Cloud Platform undergoes periodic upgrades and maintenance cycles.

• Upgrades vs Scheduled Maintenance vs Emergency Maintenance

  • Upgrades are updates of the Splunk Cloud Platform software to the latest build.

  • Maintenances are updates of the supporting infrastructure or operating system environment.

  • Maintenances are not required on a regular basis, but they do occur periodically.

  • Maintenances are typically scheduled in advance. Emergency Maintenances are not and are only performed when a critical situation occurs.

• When do we upgrade? Splunk Cloud Platform releases upgrades every 4-6 weeks. Maintenances are separate. Although uncommon, you could have an upgrade and a maintenance in the same month.

• Why do we upgrade? Provide latest features and continual optimization of the Splunk Cloud Platform service.

• What is the impact? Typically upgrades do not significantly impact the ability to ingest or index data, but search heads may be intermittently unavailable and it may impact your search performance. Refer to the specific notification for details.

• Splunk Cloud Platform Service Maintenance Policy - Outlines what to expect for scheduled or emergency maintenance and for upgrade events in Splunk Cloud Platform.

• Release management communications

Splunk proactively communicates to customers about:

• Updates - including release information

  • This includes event communication - approximately 2 weeks in advance - about what to expect during the event (service or availability impact).

• Routine and emergency maintenance, such as critical patching or service outages

  • For routine maintenance, this includes event communication - approximately 2 weeks in advance - about what to expect during the event (service or availability impact)..

• Proactive issue-solutioning (notifications from our Cloud Ops teams).

Communications are via email. For these communications, Splunk uses the designated “Operational Contacts” for each environment/stack.

• We recommend that “operational contacts” be a shared mailbox or external distribution list .

  • Best Practice: use a different distribution list for each stack. Avoid de-duplication.

  • Check your spam filters! Look for notifications from support@splunk.com.

• Make sure your operational contacts are properly identified.

  • If you’re the Portal Admin for your Cloud Entitlement, login to the Support Portal. Under the Splunk Cloud Platform heading, select My Operational Contacts. You can also add and remove contacts there. Your CSM may also be able to help.

• Upgrades: Your responsibilities

Prior to an upgrade or maintenance:

• Review the notifications for expected impact.
• Notify users, if applicable.
• Perform any prescribed prechecks.
• Check third-party apps for compatibility - see Splunkbase.
• Check for any forwarder compatibility issues. Upgrade as needed.

Post upgrade or maintenance:

• Confirm system operation.
• Confirm Reports, Alerts and Dashboards functioning as planned.
• Review data hygiene.

• Maintenance Windows and Change Freezes

Maintenance Windows (MW): Time frame when an upgrade or maintenance occurs.

• Identified in communication about the upgrade / maintenance.

• For upgrades, Splunk makes the best effort to keep consistent timing for MW and keep duration to two hours or less.

• Contact your account team (Assigned TSAM or CSM) if you’d like to request a change to your MW.

Change Freezes: No upgrades or routine maintenances (unless an emergency) occur.

• Holiday Freeze: Customers in Food & Beverage, Manufacturing, Media & Entertainment, Online Retail, Online Services, Recreation, and Retail industries will automatically be placed on a freeze from mid-November to mid-January.

• One-off Change Freeze: Per customer request. MUST BE APPROVED.

• Contact your account team (Assigned TSAM or CSM) to determine if you’re part of once or to request a freeze.

Work with Splunk Support

What remains the same?

What’s different?

Splunk Support is still your first line of defense for product related errors. Contact support either via the Support Portal or calling into the Service Desk. Response times for technical issues are based on your support level (Base, Standard or Premium) and issue severity (P1, P2, P3, P4) as shown in the Support Programs. You’ll still need to identify the proper Entitlement. Communications: Support will reach out to the case owner or those included on Support email threads. Escalations: If you’re experiencing a persistent or critical issue, escalate your case. Call in to the support line (1-855-775-8657) to escalate your case. Make sure you have: What is the current status of your instance? What is the current impact to your organization? Which components need to be addressed immediately? Always have your Entitlement information handy! Enhancement requests are still submitted via Splunk Ideas.

Support is also where you go when: Your Cloud instance is down/unavailable or not functioning properly. Changing configurations that you can’t perform yourself such as indexed real-time search, and enabling AWS Kinesis Data Firehose data to be received. App installs should be mostly self-service, especially for Victoria Experience, with the following caveats: Vetting status of apps(s). Compatibility of the app per Splunkbase for Splunk Cloud Platform. Contact your Account Team / CSM for resizing, license changes or purchases.

• Support and app installs

Customers can install Splunkbase Apps and Custom/Private Cloud vetted Apps on their own using SSAI (Self Service App Installation). The different Splunk Cloud Platform experiences (Classic and Victoria) have different app install behaviors. Open a Support Ticket for App Install only if it cannot be installed via SSAI.

Classic experience

Victoria experience

SSAI many Splunkbase Apps that are cloud ready except when: The app indicates “Request Install” in Splunkbase. Installing an app onto a 'Premium' Search Head (SH) - i.e. ITSI, ES, VMware. Installing an App onto the IDM (Inputs Data Manager) node. Tips when raising a Cloud App Request: Same stack - same MW, one ‘Cloud App Request’ will suffice. Limit each ‘Cloud App Request’ with 5 Apps. Ensure ‘Description’ field includes App location, SH install location, App Number, Splunkbase link, Target App version, Maintenance Window.

SSAI almost all Splunkbase Apps that are Splunk Cloud Platform ready, except when the app indicates “Request Install” in Splunkbase Includes installing on 'Premium' Search Head (SH) - e.g. ITSI, ES. Includes installing modular inputs on the search head. No more IDM nodes.