
A Splunk Engineer’s Guide to Migration

Part 1: Core Splunk Migrations

As Splunk Professional Services consultants, we have the good fortune of working with really smart and experienced engineers. The combination of smart and experienced means that they’re trying to be as ready as they can for what may come next. In this guide, we’ll discuss how to prepare for a Splunk migration.

We will go over just the basics here. If you are migrating a premium app such as ES or ITSI, please stay tuned for Part 2.

Migrating Data From On-Premises Splunk to Splunk Cloud

Moving to Splunk Cloud is increasingly common, so I’m going to cover this first. That’s not because the migration itself is quick and easy; it’s because what you will need to do on the on-premises side is simple to describe. If you plan to migrate indexed data to Splunk Cloud, you’ll absolutely need Professional Services support. Unlike other migrations, SP6 cannot provide professional services for the migration itself; it must be done through Splunk Professional Services. Also, be sure to coordinate with your business owner for Splunk Cloud, as there may be additional storage costs. Plan to repoint your forwarders to Splunk Cloud, which will also require installing your Splunk Cloud credentials file on your forwarders.

Next, you’ll need to prepare to upgrade your on-premises Splunk environment to the same version as your Splunk Cloud stack. When the migration takes place, you will need to install a special migration app on your indexers. You may need to adjust some other server and indexing settings, so be sure you have that level of access to your indexers.  

Splunk Cloud processes change frequently, so be sure to coordinate with Professional Services before upgrading.  

Last, but not least, the migration is a high-bandwidth activity. Be sure to coordinate with your networking team.

Migrating on-premises apps to Splunk Cloud will require some time to review. Any apps deployed to Splunk Cloud require vetting before deployment to your environment. This means passing through a process called AppInspect, and customizations to apps otherwise approved for Splunk Cloud may be rejected. Consider whether your custom app or the customized parts of a Splunkbase app really need to be deployed to your Cloud search heads or indexers at all. Some data parsing functions might be moved to an on-premises heavy forwarder, for instance.

Migrating Splunk Clustered Data Indexes to New Hardware

This is relatively simple. The factor is the amount of data to be moved. The new indexer or indexers need to be added into the cluster. If old indexers are being decommissioned, they can then be gradually removed from the cluster, and the data buckets rebalanced across the cluster. You will want to have your new hardware in place and make sure you have read/write access to your indexers and indexer cluster master, as well as network connectivity between your old and new indexers and from your search heads and forwarders to your new indexers. Again, this will be a network-intensive activity. Plan to point your forwarders to the new hardware, which is likely controlled through the Deployment Server or your configuration management tool.

Migrating Splunk From a Single-Site Cluster to a Multisite Cluster

This is a slightly more complicated version of what you would do to add new indexers into a single-site cluster. You will need read/write access to your indexers and cluster master, as well as network connectivity between indexers on both sites and from search heads and forwarders to your indexers. Migrating legacy data to a multisite cluster will require moving copies of all of your existing data across the wire to the new site. Therefore, be sure to coordinate with your networking team. If a cloud hosting provider such as AWS or GCP is involved, remember that this will incur extra bandwidth charges. You may wish to load-balance forwarder traffic between two sites, too. If you plan to have search heads at both sites, you may need to set site affinity for the search heads, as well.
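A sketch of the settings this kind of move touches, added here as an illustration and not taken from SP6 or from any real environment. The hostnames, site names, factor values and the secret placeholder are assumptions; check each setting against the documentation for your Splunk version before applying it.

```ini
# --- server.conf on the cluster master ---
[general]
site = site1

[clustering]
mode = master                     # newer releases also accept "manager"
multisite = true
available_sites = site1,site2
# Policies applied to buckets created after the switch to multisite
site_replication_factor = origin:2,total:3
site_search_factor = origin:1,total:2
# Keep the single-site factors: legacy buckets are still governed by them
replication_factor = 2
search_factor = 2
# Default is true, which leaves legacy buckets on their original site.
# Setting it to false makes them follow the multisite policies, which is
# what pushes copies of existing data across the wire to the new site.
constrain_singlesite_buckets = false
pass4SymmKey = <cluster secret>   # placeholder, same value on every node

# --- server.conf on each indexer (peer) ---
[general]
site = site2                      # site1 for peers in the original site

[clustering]
mode = slave                      # newer releases also accept "peer"
master_uri = https://cm.example.internal:8089
pass4SymmKey = <cluster secret>

# --- server.conf on a search head located at site2 ---
[general]
site = site2                      # site affinity: prefer local searchable copies

[clustering]
mode = searchhead
multisite = true
master_uri = https://cm.example.internal:8089
pass4SymmKey = <cluster secret>

# --- outputs.conf on forwarders: load-balance across both sites ---
[tcpout]
defaultGroup = all_sites

[tcpout:all_sites]
server = idx1.site1.example.internal:9997,idx1.site2.example.internal:9997
```

Leaving `constrain_singlesite_buckets` at its default is the lower-bandwidth option when only new data needs to be replicated across sites.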

Migrating From a Standalone Splunk Instance to a Distributed Splunk Environment

Your team must make a decision if you are preparing to move from everything on one Splunk server to a distributed environment with at least a search head, a cluster master, and two indexers in a cluster. If you just want to cluster data from D-Day forward, this is a fairly simple move. However, if you want to migrate legacy standalone data and have it replicated across the cluster, you will need Professional Services help.

By all means, reach out to us at SP6.

From Planning to Optimization, SP6 Can Help 

We hope you found this migration guide helpful.

You know Splunk can be a major contributor to your organization’s success.  But how do you make sure you’re getting the value from your Splunk investment?

SP6’s Success Plan for Splunk gives you monthly access to senior consultants, who will work with you as you optimize your organization’s Splunk usage and plan for expansion and migration.  It’s like having an experienced co-pilot to help you navigate your Splunk journey.

Our Managed Services removes the burden of administering Splunk. We’ll take care of the details and give you a partner in driving Splunk adoption and expansion in your organization.

Want to know more?  Give us a call at (727) 914-5032, fill out this form, or shoot us an email.