Splunk ITSI

Migrating Splunk ITSI Content packs to Splunk Cloud

AMAN0113
Explorer

Hi,
We have a requirement to migrate ITSI Content packs to Splunk Cloud. Is it possible to achieve this?
If yes, could you please help with the list of steps to perform for this?
I would also like to know what risks are involved.


lperini_splunk
Splunk Employee

If you have already deployed the CP into services/KPIs/correlation searches, NEAPs, etc., it means they would be existing objects in your ITSI. You can take an ITSI backup from this environment and restore it into another deployment (like Cloud, for example) and check the objects there. Just make sure to adjust the inputs and make sure the lookups and indexes would be there too.


srauhala_splunk
Splunk Employee

Hi @AMAN0113 

I would consider not migrating the content pack but rather doing a fresh install in Splunk Cloud.

Is the reason that you want to migrate that you have made changes to the content pack? If so, try to identify the components needed for your solution to work, and consider migrating them with an ITSI backup in combination with a private app holding all your custom *.conf configurations. Note! This can be a bit picky and you will need to identify all lookups / KV stores / macros etc. that will need to be migrated and have them available before restoring the backup. And of course Cloud and on-prem need to be on the same version.

Do not restore a full backup to Splunk Cloud or any other environment. Full backups contain entities, services, episodes and stuff that should be generated by source data.

/Seb
