Splunk Enterprise Security

COMPLEX migration and architecture. Please help validate.

damode
Motivator

Current State : We have below Splunk instances running 6.5.2 version

  1. 1 x Splunk ES
  2. 1 x Indexer (Physical SBOX which is managed device)
  3. 2 x Heavy Forwarders

The Indexer also shared role of DMC/LM/DS.

The plan is to

  • Move away asap from the current Indexer and start sending all logs to two new Indexers (Not in a cluster). However, the expectation is to still keep the current Indexer until all the existing data gets aged out eventually.
  • Upgrade Splunk instances to 7.3.X

so expected Future State would be :

  1. 1 x Splunk ES (OLD will be upraded to 7.3.X)
  2. 1 x Splunk Search Head (NEW Regular Non-ES - 7.3.X)
  3. 1 x Indexer (OLD - 6.5.2 This cannot be upgraded due to unknown reasons)
  4. 2 x Indexers (NEW - 7.3.X)
  5. 2 x HFs (OLD will be upraded to 7.3.X)
  6. 1 x DS/LM/DMC (NEW - 7.3.X)

I have two main queries,

  1. This link states to deploy add-ons to indexers, for complex deployment which includes SH with ES and without, one should contact Splunk Prof Services. What are the important considerations other than the storage on new Indexers to be taken if I want to do this myself?
  2. Mainly, even though this link states that 7.x search heads are compatible with 7.x and 6.x search peers. I wonder how the apps and add-ons on OLD Indexer (6.5.2) would be compatible with Splunk ES apps/add-ons when its upgraded to 7.3.x ?
0 Karma

woodcock
Esteemed Legend

1: The main thing is to have quick access to technical help in case anything goes as planned. There is no "magic playbook" or anything like that. Expect at least 1 big head-scratcher along the way. Be sure that you are in community slack.
2: Upgrade all the apps on the old indexer to match the ones on the new indexers. The only features that will be incompatible are write features but the old indexer will be read-only. The only exception is the SRS features described here (make sure that you use legacy settings):
https://www.google.com/url?sa=t&source=web&rct=j&url=https://static.rainfocus.com/splunk/splunkconf1...

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.