Splunk Enterprise Security

COMPLEX migration and architecture. Please help validate.


Current State: We have the following Splunk instances running version 6.5.2

  1. 1 x Splunk ES
  2. 1 x Indexer (Physical SBOX which is managed device)
  3. 2 x Heavy Forwarders

The Indexer also shares the roles of DMC/LM/DS.

The plan is to

  • Move away asap from the current Indexer and start sending all logs to two new Indexers (Not in a cluster). However, the expectation is to still keep the current Indexer until all the existing data gets aged out eventually.
  • Upgrade Splunk instances to 7.3.X

So the expected Future State would be:

  1. 1 x Splunk ES (OLD, will be upgraded to 7.3.X)
  2. 1 x Splunk Search Head (NEW Regular Non-ES - 7.3.X)
  3. 1 x Indexer (OLD - 6.5.2 This cannot be upgraded due to unknown reasons)
  4. 2 x Indexers (NEW - 7.3.X)
  5. 2 x HFs (OLD, will be upgraded to 7.3.X)
  6. 1 x DS/LM/DMC (NEW - 7.3.X)

I have two main queries:

  1. This link states that add-ons should be deployed to indexers, and that for a complex deployment which includes SHs with and without ES, one should contact Splunk Prof Services. What are the important considerations, other than the storage on the new Indexers, that I need to take into account if I want to do this myself?
  2. Mainly, even though this link states that 7.x search heads are compatible with 7.x and 6.x search peers, I wonder how the apps and add-ons on the OLD Indexer (6.5.2) would be compatible with the Splunk ES apps/add-ons when it's upgraded to 7.3.x?

Esteemed Legend

1: The main thing is to have quick access to technical help in case anything goes as planned. There is no "magic playbook" or anything like that. Expect at least 1 big head-scratcher along the way. Be sure that you are in the community Slack.
2: Upgrade all the apps on the old indexer to match the ones on the new indexers. The only features that will be incompatible are write features but the old indexer will be read-only. The only exception is the SRS features described here (make sure that you use legacy settings):

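One way to check the "apps on the old indexer match the new indexers" step before cutting over, as an added example that is not part of the original thread: compare the app inventory of the 6.5.2 indexer against a 7.3.x indexer and list mismatched versions and apps present on only one side. It assumes the JSON shape returned by Splunk's `GET /services/apps/local?output_mode=json` REST endpoint (`entry[].name`, `entry[].content.version`, `entry[].content.disabled`); the two samples below are constructed, with made-up app versions, not real inventories.

```python
import json

# Constructed sample responses shaped like
#   curl -k -u admin https://<indexer>:8089/services/apps/local?output_mode=json
# (only the fields used here are included; versions are made up).
OLD_INDEXER_6_5 = json.dumps({"entry": [
    {"name": "Splunk_SA_CIM", "content": {"version": "4.6.0", "disabled": False}},
    {"name": "Splunk_TA_windows", "content": {"version": "4.8.4", "disabled": False}},
    {"name": "TA-legacy-only", "content": {"version": "1.0.0", "disabled": False}},
    {"name": "TA-disabled-thing", "content": {"version": "0.1", "disabled": True}},
]})
NEW_INDEXER_7_3 = json.dumps({"entry": [
    {"name": "Splunk_SA_CIM", "content": {"version": "4.6.0", "disabled": False}},
    {"name": "Splunk_TA_windows", "content": {"version": "8.0.0", "disabled": False}},
    {"name": "Splunk_TA_nix", "content": {"version": "8.0.0", "disabled": False}},
]})


def app_versions(rest_json: str) -> dict:
    """Map enabled app name -> version from an apps/local JSON response."""
    doc = json.loads(rest_json)
    return {
        e["name"]: e["content"]["version"]
        for e in doc["entry"]
        if not e["content"].get("disabled", False)
    }


def compare_peers(old_json: str, new_json: str) -> dict:
    """Report what differs between the old (read-only) peer and a new peer.

    mismatched     - app on both peers but at different versions
    only_on_old    - app the new peers never got (check whether it is needed)
    missing_on_old - app the new peers have that the old one lacks
    """
    old, new = app_versions(old_json), app_versions(new_json)
    both = old.keys() & new.keys()
    return {
        "mismatched": sorted(n for n in both if old[n] != new[n]),
        "only_on_old": sorted(old.keys() - new.keys()),
        "missing_on_old": sorted(new.keys() - old.keys()),
    }


if __name__ == "__main__":
    for key, apps in compare_peers(OLD_INDEXER_6_5, NEW_INDEXER_7_3).items():
        print(f"{key}: {apps}")
```

Run it against the real responses from each indexer; an empty report for all three keys is the state the answer above is asking for before the old peer is left as read-only.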