
Splunk Enterprise Upgrade

Explorer

Hi All,
With regards to Splunk Enterprise I have the below query:

  • I have an existing Splunk infra that has Splunk Enterprise 6.5.3 running on all the servers. It has all the apps and TAs configured, and they are running properly in the PROD environment.
  • Now, I have built a new infra (with new servers) that has Splunk Enterprise 7.2.1 installed and configured on all the servers.

Our plan is to implement any new on-boarding of log feeds in the new infra and, going forward, merge all the apps and TAs that are currently running on the existing infra into the new infra.

We have 2 approaches to take it forward:

  • Migrate all the existing configurations related to apps and TAs from the existing infra to the new infra (Splunk 7.2.1)
  • Else, upgrade the existing PROD infra to Splunk 7.2.1 and then merge all the apps and TAs related to the existing infra into the new infra that already has Splunk 7.2.1

So, kindly suggest which method I should follow. Also, can you provide the reason for choosing the method (justification)?

regards,
Santosh


Re: Splunk Enterprise Upgrade

SplunkTrust

In my view, you can use either of the two approaches. Both will be fine. However, you would need to weigh a few considerations to decide.

  • How many servers do you have in the old and new infra? Is there any clustering involved?
  • What's your retention period for indexes? If it's less than 6 months, it's better to use the new infra, as you can decommission the old infra (it adds costs until you decommission it). If you have a longer retention, an upgrade will be better, as migrating buckets needs careful analysis and is time consuming should you run into bucket fixes/issues.
  • As you have already built the new infra, have plans to onboard new data, and have a plan to migrate to the new infra, option 2 (new infra) is better.
  • What was the driving factor for building a new infra as opposed to upgrading? Is it due to ageing hardware, timescales, or the need to on-board new data?
  • Can your new infra provide users a seamless interface, or a better one compared to the old interface?