Hi
I am planning to migrate Splunk Cloud to On-Premises Platform.
Looking for a road map and potential challenges. Anyone?
As @isoutamo said - there is no official way to do that. The typical way is the "other way" migration - from on-prem to Cloud.
There is no way to do the thing you'd want to do if you wanted to migrate your on-prem environment between different locations (add new peers, let them replicate data, remove old peers) if one of those locations is the Splunk Cloud. Customers simply don't have access to all the underlying infrastructure.
So there are three things you'd need to take into account when trying to migrate "back" from Cloud to on-prem
1. The "infrastructure configuration" - this is the part you have to create from scratch. You need to spin up your own machines, create all the "technical" configs for indexers, search heads and so on right for your deployment. And here it doesn't differ from setting up a completely new environment
2. The knowledge migration - you have to deploy the same apps (which might be relatively easy) and migrate user configs (I'm not sure how hard it is to export it from the Cloud - if it's not possible using native Cloud mechanisms, you can always ask support for help here)
3. Data migration. Here's where the "fun" part begins. As I said before, you don't have access to the indexers and I seriously doubt you can get your buckets right from the indexers. I see two options:
- export your data using searches and reingest them to your new environment (this can raise some issues with timestamps, parsing and so on and of course will reflect on your license usage)
- configure DDSS and set very short retention period so that all your data moves to frozen buckets in your DDSS. Then you can pull those buckets from there to your on-prem installation and thaw them.
This is not something nice and easy so I'd suggest you engage your local friendly Splunk Partner in this process.
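The thaw step of the DDSS option above, sketched as an added example (not part of the original reply): it checks frozen buckets already downloaded to a local staging directory and prints the copy and `splunk rebuild` commands for each, without changing anything. The function name, the staging layout and the `db_<newest>_<oldest>_<id>[_<guid>]` naming check are assumptions; pass the index's `thawedPath` from indexes.conf as the target.

```shell
#!/bin/sh
# Added example: dry-run plan for thawing frozen buckets pulled from DDSS.
# Assumptions (not from the thread): the buckets were already downloaded to
# a staging directory, one directory per bucket, each with rawdata/ inside.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# plan_thaw <staging_dir> <thawed_path>
#   <thawed_path> is the index's thawedPath (the thaweddb directory).
# Prints the commands to run, or "SKIP <name> <reason>" for entries that do
# not look like a complete frozen bucket. Runs in a subshell, changes nothing.
plan_thaw() (
    staging=$1
    thawed=$2
    for dir in "$staging"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        # Bucket directory naming: db_<newest>_<oldest>_<id>[_<guid>]
        if ! printf '%s\n' "$name" |
            grep -Eq '^db_[0-9]+_[0-9]+_[0-9]+(_[0-9A-Fa-f-]+)?$'; then
            echo "SKIP $name unexpected-name"
            continue
        fi
        # Without the raw journal there is nothing to rebuild indexes from.
        if [ ! -d "$staging/$name/rawdata" ]; then
            echo "SKIP $name no-rawdata"
            continue
        fi
        echo "cp -a $staging/$name $thawed/$name"
        echo "$SPLUNK_HOME/bin/splunk rebuild $thawed/$name"
    done
)

# Example call (constructed paths):
#   plan_thaw /data/ddss-staging/web /opt/splunk/var/lib/splunk/web/thaweddb
```

Review the printed plan, run the commands on the target indexer, then restart Splunk so the thawed buckets become searchable.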
Thank you Isoutamo for your feedback.
Can you please expand on your answer?