Migrating from Splunk Enterprise to Splunk Cloud

In common with many established software vendors over the last few years, Splunk has invested massively in bringing to market its SaaS offering, Splunk Cloud. This is an adaptation of Splunk’s original product, Splunk Enterprise (which is deployed on-premise and typically maintained by the customer) with an added service wrapper.

Uptake of the cloud service has been strong with new customers, and existing customers are also moving to Splunk Cloud, attracted by the usual benefits of cloud vs on-premise.

Moving an organization from Splunk Enterprise to an equivalent (or improved) Splunk Cloud instance, in a smooth – hiccup free manner – whilst maintaining to provide the same functionality and performance, can be fairly involved. This is especially true where your Splunk environment is well established: local ways of working, custom configurations, and accumulated technical debt all need to be addressed.

There are a variety of ways to tackle a migration, depending on your needs. Here are some topics to consider if you’re thinking about migrating:

Existing Data

Whether your data comes with you as part of the migration is a key consideration. There’s a specific process for migrating your data between environments, to ensure it lands complete, correct and appropriately indexed. There are business and policy considerations around compliance and auditability/provenance, and the business’s need for historic data to be available. Will the data age out, be wholly or partially migrated, will a period of dual running (where data is forwarded to both the existing Enterprise deployment and the Splunk Cloud stack) be required?

Forwarding

Your organization’s data is now going to be routed across the internet. This must happen securely, and any policies and compliance considerations around data egress understood. More practically your firewall configuration and certificates need to be readied. You can’t send data into Splunk Cloud from certain legacy versions of forwarders, amongst other things this may mean putting in place or updating a deployment server.

Custom Configuration

Do you have custom applications – dashboards, alert actions, modular inputs? Is there any code embedded? There are hard-and-fast rules about what custom processing can be deployed into the Splunk Cloud stack, for good reason: Splunk are serious about keeping the platform and your data secure.

In order to prepare for a migration the existing content needs to be thoroughly vetted, and any non-conformances remediated before it can be migrated. Remediation, and the vetting process, need to be well planned, and some custom processing may need to be revised or replaced.

Over time, dashboards and the searches within them tend to become more complex and layered, and may diverge from recommended best practice. On-premise search head capacity grows to fit, but this may cause performance issues within the Cloud and needs evaluating before you move.

Apps

Many of the apps and add-on’s available for Splunk are compatible with Splunk Cloud, but not all. And migrating premium services –Enterprise Security and ITSI – will involve additional complexity.

Overall, moving to cloud will be a change for your organization, whilst the IT team may be closely involved there will be other stakeholders (most often the user community) that need to be understood and communicated with. As with any change it needs a plan to ensure it’s a positive experience, one with continuity of service and which avoids disruptions that might lead to operational and security risks.

Apto’s Cloud Migration e-book provides further information to help de-risk the move from Enterprise to Cloud. Download a copy here …