Splunk Enterprise Upgrade

santosh_hb
Explorer

Hi All,
With regard to Splunk Enterprise, I have the below query:

  • I have an existing Splunk infra that has Splunk Enterprise 6.5.3 running on all the servers. It has all the apps and TAs configured, and they are running properly in the PROD environment.
  • Now, I have built a new infra (with new servers), which has Splunk Enterprise 7.2.1 installed and configured on all the servers.

Our plan is to implement any new onboarding of log feeds in the new infra and, going forward, merge all the apps and TAs that are currently running on the existing infra into the new infra.

We have 2 approaches to take it forward:

  • Migrate all the existing configurations related to apps and TAs from the existing infra to the new infra (Splunk 7.2.1).
  • Else, upgrade the existing PROD infra to Splunk 7.2.1 and then merge all the apps and TAs related to the existing infra into the new infra that already has Splunk 7.2.1.

So, kindly suggest which method I have to follow. If yes, then can you provide the reason for choosing the method (justification)?

Regards,
Santosh

lakshman239
SplunkTrust

In my view, you can use either of the two approaches. Both will be fine. However, you would need to have a few considerations to decide.

  • How many servers do you have in the old and new infra? Is there any clustering involved?
  • What's your retention period for indexes? If it's less than 6 months, it's better to use the new infra, as you can decommission the old infra [it adds costs until you decom it]. If you have a longer retention, an upgrade will be better, as migrating buckets needs careful analysis and is time-consuming, should you run into bucket fixes/issues.
  • As you have already built the new infra and have plans to onboard new data and to migrate them to the new infra, option 2 (new infra) is better.
  • What was the driving factor for building a new infra as opposed to upgrading? Is that due to ageing hardware, timescales, or the need to onboard new data?
  • Can your new infra provide users a seamless interface, or a better one compared to the old interface?