Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

incident_review migration to new splunk enterprise security (SH cluster)

almomani
New Member
‎09-20-2023 06:29 AM

I have an old stand alone search head with Enterprise security and I'm migrating to a new search head cluster.

Now I have 2 enterprise securities running in parallel and i need to migrate incident_reveiw to the new cluster to see the history of all incidents in one place so i can shut down the stand alone search head.

Labels (2)
0 Karma
Reply

meetmshah
Contributor
‎09-30-2023 05:18 AM

Hello @almomani, First and foremost, if the new SHC build is not in place - you can build a cluster and include the current SH as a member to replicate the KOs along with KVStore. However, if two clusters are already in place, you will manually need to append values for incident_review_comment_lookup, incident_review_lookup, incident_updates_lookup. You may also want to have events under notable and risk indexes if required. Please let me know if you have any follow-up questions. Also, please test it out on dev/pre-prod before appending values in Production.








0 Karma
Reply

meetmshah
Contributor
‎10-03-2023 08:03 PM

Hello, Just checking through if the issue was resolved or you have any further questions?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...