Splunk ITSI

Migrating Splunk ITSI Content packs to Splunk Cloud

AMAN0113
Explorer

Hi,
We have a requirement to migrate ITSI Content packs to Splunk Cloud. Is it possible to achieve this?
If yes, could you please help with the list of steps to perform for this?
I would also like to know what the risks involved are.


lperini_splunk
Splunk Employee

If you have already deployed the CP into services/KPIs/correlation searches, NEAPs, etc., it means they exist as objects in your ITSI. You can take an ITSI backup from this environment, restore it into another deployment (Cloud, for example) and check the objects there. Just make sure to adjust the inputs, and make sure the lookups and indexes are there too.


srauhala_splunk
Splunk Employee

Hi @AMAN0113 

I would consider not migrating the content pack but rather doing a fresh install in Splunk Cloud.

Is the reason you want to migrate that you have made changes to the content pack? If so, try to identify the components needed for your solution to work, and consider migrating them with an ITSI backup in combination with a private app holding all your custom *.conf configurations. Note! This can be a bit picky, and you will need to identify all lookups / KV stores / macros etc. that will need to be migrated and have them available before restoring the backup. And of course Cloud and on-prem need to be on the same version.

Do not restore a full backup to Splunk Cloud or any other environment. Full backups contain entities, services, episodes and other things that should be generated by source data.

/Seb
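A dependency inventory along the lines of the second answer, as an added example that is not from this thread or from Splunk: it scans a private app's savedsearches.conf, macros.conf and transforms.conf (all constructed samples here) and lists the lookups and macros the searches rely on, flagging the ones the app does not define itself and which must therefore already exist in the Cloud stack before the ITSI backup is restored.

```python
import configparser
import re
# Constructed sample of a private app's .conf files (not taken from any real deployment).
SAVEDSEARCHES_CONF = """\
[ITSI Web Error Rate]
search = index=web sourcetype=access_combined | lookup local=true web_host_to_service host OUTPUT service | `itsi_event_severity(status)` | inputlookup append=t kv_service_overrides
[Custom KPI Disk]
search = index=os `itsi_os_hosts` | lookup itsi_disk_thresholds host
"""
MACROS_CONF = """\
[itsi_os_hosts]
definition = host IN (`itsi_os_host_list`)
[itsi_event_severity(1)]
args = status
definition = eval severity=if($status$>=500,"critical","normal")
"""
TRANSFORMS_CONF = """\
[web_host_to_service]
filename = web_host_to_service.csv
[kv_service_overrides]
external_type = kvstore
collection = kv_service_overrides
"""
# lookup / inputlookup / outputlookup, skipping key=value options that precede the lookup name.
LOOKUP_RE = re.compile(r"(?<!\w)(?:input|output)?lookup\s+(?:\w+=\S+\s+)*([\w.-]+)")
MACRO_RE = re.compile(r"`([A-Za-z]\w*)(?:\(([^)`]*)\))?`")  # `name` or `name(arg, ...)`

def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # INI-like; no %-interpolation
    cp.read_string(text)
    return cp

def macro_key(name, args):
    return f"{name}({len(args.split(','))})" if args else name  # macros.conf keys: name or name(argcount)

def find_dependencies(savedsearches, macros, transforms):
    macros_cp = parse_conf(macros)
    defined_macros, defined_lookups = set(macros_cp.sections()), set(parse_conf(transforms).sections())
    # Scan every search string and every macro body, since macros can call other macros.
    bodies = [s.get("search", "") for s in parse_conf(savedsearches).values()]
    bodies += [m.get("definition", "") for m in macros_cp.values()]
    used_lookups, used_macros = set(), set()
    for body in bodies:
        used_lookups.update(LOOKUP_RE.findall(body))
        used_macros.update(macro_key(n, a) for n, a in MACRO_RE.findall(body))
    return {"lookups": sorted(used_lookups), "macros": sorted(used_macros),
            # Used but not shipped by the app: must exist in the target stack before the restore.
            "missing_lookups": sorted(used_lookups - defined_lookups),
            "missing_macros": sorted(used_macros - defined_macros)}
```

Run it against the real app's local/ and default/ files (concatenated per conf type) to get the checklist of objects to stage in Cloud first; anything in the "missing" lists has to come from ITSI itself, another app, or a separate lookup/KV store export.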
