Splunk Enterprise Security

COMPLEX migration and architecture. Please help validate.


Current State: We have the below Splunk instances running version 6.5.2

  1. 1 x Splunk ES
  2. 1 x Indexer (Physical SBOX which is managed device)
  3. 2 x Heavy Forwarders

The Indexer also shares the DMC/LM/DS roles.

The plan is to

  • Move away asap from the current Indexer and start sending all logs to two new Indexers (Not in a cluster). However, the expectation is to still keep the current Indexer until all the existing data gets aged out eventually.
  • Upgrade Splunk instances to 7.3.X

So the expected Future State would be:

  1. 1 x Splunk ES (OLD, will be upgraded to 7.3.X)
  2. 1 x Splunk Search Head (NEW Regular Non-ES - 7.3.X)
  3. 1 x Indexer (OLD - 6.5.2 This cannot be upgraded due to unknown reasons)
  4. 2 x Indexers (NEW - 7.3.X)
  5. 2 x HFs (OLD, will be upgraded to 7.3.X)
  6. 1 x DS/LM/DMC (NEW - 7.3.X)

I have two main queries:

  1. This link says to deploy add-ons to indexers and, for a complex deployment that includes SHs with and without ES, to contact Splunk Prof Services. What are the important considerations, other than the storage on the new Indexers, if I want to do this myself?
  2. Mainly, even though this link states that 7.x search heads are compatible with 7.x and 6.x search peers, I wonder how the apps and add-ons on the OLD Indexer (6.5.2) would be compatible with the Splunk ES apps/add-ons once it's upgraded to 7.3.x?

Esteemed Legend

1: The main thing is to have quick access to technical help in case anything goes as planned. There is no "magic playbook" or anything like that. Expect at least 1 big head-scratcher along the way. Be sure that you are in the community Slack.
2: Upgrade all the apps on the old indexer to match the ones on the new indexers. The only features that will be incompatible are write features but the old indexer will be read-only. The only exception is the SRS features described here (make sure that you use legacy settings):

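A check for point 2 of the answer above, added here as an example and not code from the original post: it reads the app version from each app's app.conf (the [launcher] stanza), confirms the two new non-clustered indexers carry identical apps, and then lists every app that is missing or at a different version on the old read-only indexer. App names and version strings are constructed placeholders.

```python
import configparser

# Constructed sample app.conf contents, keyed by app name, one dict per instance.
# App names and version strings are placeholders, not real add-on versions.
OLD_INDEXER = {
    "TA_example_a": "[launcher]\nversion = 1.0.0\n",
    "TA_example_b": "[launcher]\nversion = 2.1.0\n",
}
NEW_INDEXERS = [
    {  # new indexer 1
        "TA_example_a": "[launcher]\nversion = 1.2.0\n",
        "TA_example_b": "[launcher]\nversion = 2.1.0\n",
        "TA_example_c": "[launcher]\nversion = 3.0.0\n",
    },
    {  # new indexer 2
        "TA_example_a": "[launcher]\nversion = 1.2.0\n",
        "TA_example_b": "[launcher]\nversion = 2.1.0\n",
        "TA_example_c": "[launcher]\nversion = 3.0.0\n",
    },
]

def app_version(app_conf_text):
    """Read the app version from the [launcher] stanza of an app.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(app_conf_text)
    return cp.get("launcher", "version", fallback=None)

def inventory(instance):
    """Map app name -> version for one instance (name -> app.conf text)."""
    return {name: app_version(text) for name, text in instance.items()}

def version_diffs(reference, target):
    """Apps whose version differs or that exist on only one side: name -> (ref, target)."""
    ref, tgt = inventory(reference), inventory(target)
    names = sorted(set(ref) | set(tgt))
    return {n: (ref.get(n), tgt.get(n)) for n in names if ref.get(n) != tgt.get(n)}

def check_migration(old, new_instances):
    """Return (new_indexers_consistent, old_vs_new_diffs).
    The new indexers must carry identical apps; the old read-only indexer
    is then compared against the first new one."""
    first = new_instances[0]
    consistent = all(not version_diffs(first, other) for other in new_instances[1:])
    return consistent, version_diffs(old, first)

if __name__ == "__main__":
    ok, diffs = check_migration(OLD_INDEXER, NEW_INDEXERS)
    print("new indexers consistent:", ok)
    for name, (old_v, new_v) in diffs.items():
        print(f"{name}: old={old_v} new={new_v}")
```

To run it against real instances, replace the constructed dicts with the contents of each app's default/app.conf (or local/app.conf where it overrides the version) under $SPLUNK_HOME/etc/apps.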