Splunk Enterprise Security

incident_review migration to new Splunk Enterprise Security (SH cluster)

almomani
New Member

I have an old stand-alone search head with Enterprise Security and I'm migrating to a new search head cluster.

Now I have two Enterprise Security instances running in parallel, and I need to migrate incident_review to the new cluster so I can see the history of all incidents in one place and shut down the stand-alone search head.

0 Karma

meetmshah
Contributor

Hello @almomani. First and foremost, if the new SHC build is not in place yet, you can build a cluster and include the current SH as a member to replicate the KOs along with the KVStore. However, if two clusters are already in place, you will need to manually append values for incident_review_comment_lookup, incident_review_lookup and incident_updates_lookup. You may also want to have the events under the notable and risk indexes, if required. Please let me know if you have any follow-up questions. Also, please test it out on dev/pre-prod before appending values in Production.

0 Karma
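One way to do the manual append described above, as an added example that is not from this thread or from Splunk: read each KV store collection from the stand-alone search head over the REST API and batch_save into the cluster only the records it does not already hold (matching on `_key`, so a re-run is idempotent). Hosts, tokens, and the app/collection names are placeholders; take the real app and collection from the transforms.conf stanza of each lookup named in the answer, and the script assumes both search heads present certificates your system trusts.

```python
"""Append KV store records from an old ES search head to a new SHC via REST."""
import json
import urllib.request

BATCH_SIZE = 1000  # Splunk's default max_documents_per_batch_save (limits.conf)


def select_new_records(existing, incoming):
    """Return incoming records whose _key is absent from the target collection,
    with the server-managed _user field dropped. _key is kept so that records
    land once and a second run of the migration changes nothing."""
    seen = {r["_key"] for r in existing if "_key" in r}
    out = []
    for rec in incoming:
        if rec.get("_key") in seen:
            continue
        out.append({k: v for k, v in rec.items() if k != "_user"})
    return out


def chunks(records, size=BATCH_SIZE):
    """Split records into batch_save-sized lists (batch_save rejects oversized posts)."""
    return [records[i:i + size] for i in range(0, len(records), size)]


def kv_request(base, token, app, collection, suffix="", payload=None):
    """GET (payload None) or POST JSON against a KV store collection endpoint."""
    url = f"{base}/servicesNS/nobody/{app}/storage/collections/data/{collection}{suffix}"
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(url, data=data, method="GET" if data is None else "POST")
    req.add_header("Authorization", f"Bearer {token}")  # Splunk auth token
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:  # default TLS verification kept on
        return json.load(resp)


def migrate_collection(old, new, app, collection):
    """old/new are (base_url, token) for the stand-alone SH and any SHC member.
    For very large collections page the GET with ?limit=&skip= instead."""
    incoming = kv_request(old[0], old[1], app, collection)
    existing = kv_request(new[0], new[1], app, collection)
    to_add = select_new_records(existing, incoming)
    for batch in chunks(to_add):
        kv_request(new[0], new[1], app, collection, "/batch_save", batch)
    return len(to_add)


if __name__ == "__main__":
    OLD = ("https://OLD_SH_PLACEHOLDER:8089", "OLD_TOKEN_PLACEHOLDER")
    NEW = ("https://NEW_SHC_MEMBER_PLACEHOLDER:8089", "NEW_TOKEN_PLACEHOLDER")
    # Placeholder app/collection pairs: fill from the transforms.conf stanza of
    # incident_review_lookup, incident_review_comment_lookup, incident_updates_lookup.
    for app, coll in [("APP_PLACEHOLDER", "COLLECTION_PLACEHOLDER")]:
        print(coll, "records appended:", migrate_collection(OLD, NEW, app, coll))
```

Run it against dev/pre-prod first, as the answer advises, and compare `| inputlookup` row counts on both sides before decommissioning the old search head.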

meetmshah
Contributor

Hello, just checking whether the issue was resolved or whether you have any further questions.

0 Karma