Getting Data In

On-premise Splunk to AWS cloud and Hybrid Search with ES Search Head

oolatunji
Explorer

I need some help in migrating my on-premise Splunk instance (cluster Search heads, Indexers, and Enterprise Security) to AWS cloud and run Hybrid Search with ES Search Head.

My concern is how I can run an hybrid. I want my search head (one search head for enterprise security and one for core Splunk) to search data from the cluster indexers that I will install in the AWS cloud.

I also want to the search heads to still connect to the on-premise cluster indexers. Please help. Thank you!

0 Karma

amiracle
Splunk Employee
Splunk Employee

You might want to take a look at Mothership and ES Mothership to help with your request : https://splunkbase.splunk.com/app/4746/ . This app can help with your hybrid search model and simplify your Splunk deployment between on-prem and AWS.

0 Karma

oolatunji
Explorer

Thank you amiracle. Is there a way you can explain to me how this works, I am not that Splunk savvy...A detail explanation on how this works in the light of what we want to do will be great. We are torn between how to either move the entire on-prem instances to AWS at once, or do an hybrid move.

Do you also have any insight as to how we can move all the data in the on-prem indexers to AWS (either to the S3 buckets - like having S3 buckets for each indexer and move corresponding data into each). Do we need 2 licenses to make this happen, or same license can be utilized for both Hybrid and on-prem instances. My thought is that the data comes through same pipeline and then get sent to the on-prem and AWS instance through a LB, this way same license can be used, is this correct?

Thank you for your great help!

0 Karma

amiracle
Splunk Employee
Splunk Employee

TL;DR : Reach out to your account team and they can help you with your request. You might be better off going to Splunk Cloud and having PS move your on-prem data to the Cloud.

This depends on what you are trying to accomplish. If you want to have a single pane of glass for your ES deployment, then Mothership will aggregate your notable events from all of your ES deployments and have them available in your main Splunk deployment. You can then navigate to the notable event in the proper ES deployment and look at it in context.

If you want to move your data from on-prem to AWS, I would encourage you to use professional services especially if you are not accustom to Splunk. They can move your data and get it into your AWS or Splunk Cloud instance. You only need one license since you can point multiple indexers to a single license server. DO NOT USE A LOAD BALANCER (LB) for data being forwarded into Splunk, that will cause issues. Just use Splunk's native load balancing to spread the data between your forwarders and indexers.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...