Skip to main content
 
 
Splunk Lantern

Phase 4: Preparing for Splunk Cloud Platform migration

 

Remove top roadblocks

Provided below are key considerations and learnings from customer migrations Splunk has delivered in the past. The table contains two sections for your review: 

  • Blockers or showstoppers: All items on this list must be resolved before moving forward with migration execution.
  • Potential delay causing risks: These items may not be immediate blockers to start the migration. But, if not planned for early, these items can also cause significant delays for migrations. 

Blockers or showstoppers checklist

Blocker

Recommended resolution

Firewalls for data forwarding: Confirm there are NO firewall rules where you can’t forward your data. 

Reconfigure firewalls and resolve any issues where you can’t send all your data to Splunk Cloud Platform.

Firewalls for on-premises integrations: Confirm there are NO firewall rules where you can’t integrate on-premises services with Splunk Cloud Platform:

  • Including Adaptive Response Relay on a Heavy Forwarder for Enterprise Security, Enterprise Security & Phantom, and User Behavior Analytics.
  • Phantom can receive events from Splunk Cloud Platform directly if customer opens firewall rules.
  • Could be a blocker if Splunk SOAR or Splunk User Behavior Analytics sit in a DMZ and have no internet access.
  • Could be a blocker if you have to wait for the HF to be provisioned, configured and implemented mid-migration.
  • Adaptive Response Relay HF: 
    • Will need to connect to the Splunk Cloud Platform Search Head(s) AND Phantom.
    • Confirm connectivity - supply IP of Cloud ES SH if required to be added to F/W.
    • ARR only tested up to a couple of hundred alerts/notables per day. If there are more Phantom will need to connect directly to the Cloud ES SH(s).
  • Splunk SOAR:
    • Forwards via HTTP Event Collector - confirm Phantom can send to internet.
    • If unable to, implement a HF as Intermediate Forwarder, with HEC inputs, and the customer Splunk Cloud forwarder app.
    • Can search ES Cloud SH - submit JIRA requesting IP of Cloud ES SH, so you can add to your firewall rules.
    • Enabling the Splunk API port (8089) is now a self-service option. Please see this link for details.
  • Splunk User Behavior Analytics:
    • The host will require internet connectivity, to search the Splunk Cloud search head(s).
    • Additional SVCs for data sources searched - Please progress with the Account Manager the sizing requirements for UBA searching Splunk Cloud.

Forwarding certificates: Confirm there are no on-premises forwarder certificates not supported in Splunk Cloud Platform. 

  • The use of requireClientCert = true in server.conf is not supported in Splunk Cloud Platform.

This is an edge case for when you had the setting enabled, but its not supported in cloud.

The cloud forwarder app contains all the necessary configuration to securely forward to your Splunk Cloud Platform stack, along with the ability to whitelist 100 IP ranges of forwarders.

However, if it does not contain the ‘requireClientCert = true’ in server.conf, it is not supported in Splunk Cloud Platform. 

Extended change windows: A blocker if you need to upgrade your on-premises environment in order to migrate your data to cloud. GCP needs version 8.1 at minimum. 

If you have a n-month change window, ensure that the migration doesn’t start too soon and/or the migration activities dependent on the upgrade are aligned to your next feasible change cycle. 

Potential delay causing risks

Consideration

Recommended resolution

Time-intensive processes: Large-scale migrations can take 2-3 times longer than initially estimated, especially for environments with over 10TB daily ingestion.
 
Plan for a phased migration approach, prioritizing critical data sources first.

Plan for non compatible apps: Make a list of the full catalog of apps that are not compatible with Splunk Cloud Platform. Up to 30% of existing knowledge objects might need revision or removal during migration.

For any apps that have to be upgraded to a compatible version before migration: 

  • Ensure proper tasks & timing for this upgrade is incorporated into the migration plan.

If a third party app requires data pull from Splunk over some unsecure port, Splunk Cloud Platform will not allow this and may become a blocker during the migration if the app is mission critical for you. 

  • Consider workarounds for how you can accomplish the same tasks of that app.
  • You might be able to set up a heavy forwarder but this could delay the overall timeline by 2+ weeks.

Custom apps often require significant modification for cloud compatibility. Use the Splunk Cloud Vetting process as a guide for app readiness.

Forwarder versions: Ensure all forwarder versions are supported as per the Splunk Cloud Service Details. You cannot send data into Splunk Cloud Platform if you aren’t on the latest versions. This is a blocker for the final step of the cutover. 

You can start the migration, but you need to ensure this is happening in parallel and forwarders are fully upgraded before you get to the step of forwarding data. 

Splunk PS can help with the upgrades of these configurations through the migration engagement. 

In some cases, it may take you months to upgrade your forwarders. In this case, IFs could be implemented as a short term fix. 

Proper infrastructure and resourcing: Make sure you understand the resources needed for the migration to be successful and delivered on time (people, hardware, etc.). 

Assess any hardware or resources required for the migration.

  • Infrastructure example: a customer required additional hardware to copy their on-premises data to the cloud. Their existing environment and infrastructure could not handle the workload required to fork data to on-premises and cloud.
  • Resource issue example: A customer required additional hardware, They didn’t have people on site to receive the hardware and set it up, causing a long delay in our timeline. 

Compliance requirements: You may have compliance related considerations that may result in unique migration requirements.

Validate that there are no compliance requirements to consider for the migration. Consider the potential impact to the solution and timing of the migration. 

Post-migration adjustments: Expect a 2-4 week adjustment period for teams to adapt to new cloud-based workflows.
 
Implement a RACI matrix specifically for cloud operations to clarify new roles and responsibilities.
Learning curve: Plan for a 20-30% temporary decrease in team efficiency during the initial weeks post-migration.
 
Utilize Splunk's Cloud Migration Learning Path to accelerate team adaptation.

Getting ready

We highly encourage you to review the items below prior to starting your migrations:

Prepare Your Environment

  • Get your environment on the latest version for a faster, easier migration.
  • Ensure you are using the latest version of the Splunk platform on-premises. 
  • Ensure all forwarder versions are supported as listed under “Supported forwarder versions” here.

Comprehensive Usage Analysis

  • Use the Search Head Cluster Captain Statistics on the Monitoring Console to identify resource-intensive searches, especially those consuming more than 10% of available resources. Prioritize optimizing these searches for better performance during and after migration.

App and Add-on Inventory

  • List apps and dashboards that need to be migrated and those that can be decommissioned.
  • Create a compatibility matrix for all apps, noting those needing cloud-specific versions.
  • Leverage tools such as the Splunk App for Enterprise Security Content Update (if using Splunk ES) and the Splunk App for Content Packs for ITSI to ensure all apps and add-ons are up-to-date and compatible with Splunk Cloud Platform.
  • Find apps that must be upgraded to a compatible version before migration and upgrade them. You can determine if an app or an add-on is compatible with Splunk Cloud Platform by checking its corresponding page on Splunkbase. The app or add-on will indicate Splunk Cloud Platform and a list of compatible versions.
  • Leverage the Splunk App for Enterprise Security Content Update to check for outdated security content if you are using Splunk Enterprise Security.
  • Leverage the The Splunk App for Content Packs  for ITSI.

Data Volume and Retention Assessment

  • Use the Monitoring Console to review indexes and consider pre-migration data refinement. By reducing storage on unnecessary indexes, you can potentially lower your cloud storage retention needs by 15-25%.

Data and Search Hygiene

  • Leverage the app to identify unused knowledge objects. Unused apps and TAs take up resources unnecessarily. out-of-the-box saved searches, and accelerations.
  • Turn off unused scheduled searches, report acceleration, and data model acceleration.
  • You should aim to reduce knowledge objects by at least 20% before migration.
  • Consider optimizing the storage in Splunk for cost-effective long-term data retention. Make sure there is no production data in the default indexes. Evaluate your current index and source type structure. Consider consolidating similar data types to reduce complexity and improve search efficiency.
  • Fix all data quality issues for comprehensive data quality assessment.
  • Focus on normalizing timestamps and IP formats across source types.

Role-Based Access Control (RBAC) Planning and Implementation

  • Conduct a comprehensive audit of your existing roles, permissions, and access patterns in your on-premises Splunk environment. Pay special attention to custom roles or complex permission structures that might require adjustments during migration.
  • Simplify your RBAC structure in alignment with Splunk Cloud Platform’s capabilities. Consider implementing more granular access controls based on attributes like department or job function.
  • Review Splunk's guide on Configuring SAML SSO for Cloud. Plan for implementing authentication with tokens as part of your security enhancement.

Team Education and Change Management

  • Collaborate with Splunk PS to assess your team's current skills against cloud deployment requirements.
  • Use Splunk PS expertise to identify critical areas for upskilling, such as cloud security, performance optimization, and new feature utilization.
  • Collaborate with Splunk PS to create a tailored training program, combining Splunk Cloud-specific skills with broader cloud concepts.
  • Make use of Splunk PS “office hours” for hands-on learning and Q&A sessions.
  • Establish an internal knowledge base, with guidance from Splunk PS, to document cloud-specific procedures and migration lessons.
  • Integrate Splunk PS into your regular "Cloud Migration Standup" meetings.
  • Establish a dedicated communication channel (e.g. Slack, Microsoft Teams) that includes your Splunk PS contact for real-time updates and troubleshooting.

You can also use Splunk’s Cloud Migration Assessment App (SCMA). SCMA is a free app you install in your existing Splunk environment that helps you understand the tasks that will need to be carried out to perform a migration, and provides an optional export that can be sent to Splunk teams for additional review and scoping. Watch this video for more information on this.

At any time, feel free to check out the Splunk Cloud Platform documentation for more detailed information and reach out to your sales or customer success representative for assistance.

 

Migrating to Splunk Cloud Platform
The guided path below provides an overview of how to migrate to Splunk Cloud Platform. In addition, it contains recommendations on best practices, tutorials for getting started, and troubleshooting information for common situations.
Pages: 7