I was told this week by management that we will not migrate any of the indexed data. We are only going to migrate the AD Groups, Roles, users, capabilities, and users' data. We will also move the associated indexes, if they do not exist in the new system. So for now, I just need to match up the AD Group with the role and capabilities for the users, and the indexes associated with them. Also need information on how to migrate the data to the new system.
Apparently we only keep a few weeks of indexed data. So we are working on moving the users with the index and servers and logs at the same time, and then point the users to the new environment. No need for bucket moves.
Thanks for the response. This really helps, and gets me pointed in the right direction. I figured I would have to write some REST searches for most of it. This is going to be a complex task for sure. Lots of data to pull together. I did find information on the "Data Governance" app.
I'm not sure if that will help, but I'll get it installed, and give it a try.
The new Splunk 7.2.1 is installed and up and running. It is an all Linux environment. Think of it as a completely separate environment. It is processing other forwarders now. We want to completely decommission the 6.0 environment altogether.
Current New Environment: (Not really new, just a new enterprise environment and all Red Hat Linux)
2-lightweight forwarders (For syslogs only)
1-Dev box for testing heavy forwarders
1-Splunk ES server
2-Deployment servers: One used to push updates to the non-ES search heads. The other one is where all the apps live. The second one pushes updates to the cluster master, deployer, light forwarders, heavy forwarders, and universal forwarders. It also has the common applications directory.
3-Search head servers as a cluster
1-Cluster master that manages the index servers
15-index servers as a cluster
I am a new Splunk user. I have finished all the Splunk Admin training. (Splunk Fundamentals 1 & 2, Splunk Administration, and Splunk Data Administration) I am still processing all the information.
However, I've been tasked with developing a migration plan to move our current environment from Splunk 6.6.0 to Splunk 7.2.1. A fairly large task for a new Splunk user. I'm excited about it, and not afraid to take on the task. So just need some help in getting pointed in the right direction. For security reasons, I can't give out any details, but I'll include what I can.
Splunk 6.6.0 environment:
1-Windows 2008 Deployment Server: --serverclass.conf file location and deployment clients
1-Windows 2008 Index Controller Server: --Serves as the main index controller and license manager, where all non-neteng users log in to search ingested data.
1-Linux OS Traffic Indexer --Neteng syslog traffic indexer
2-Linux OS Lightweight Forwarders --Running syslog-ng, the original syslogs from network devices get pushed to the indexers from here I think.
1-Windows Server 2008 Search Head --Searches the neteng data --All neteng users log in here to search neteng data
What I need to gather from what I know:
A complete list of the servers from the "white-list" and "blacklist" (I think I can get this from the \Program Files\Splunk\etc\system\local\serverclass.conf file. Just not sure if it is the complete list.)
File types and their paths that are being monitored on these servers (From the deployment server "Settings" > "Data Inputs" > "Forwarded Inputs"??? Is there an export function for this?)
User data including alerts, reports, and dashboards. Need to know the owners of each. (Need to know how to export this, and then import to the new environment)
Is the user data private or global? (Not sure where to get this from)
Improve the efficiency of the saved searches and reports (This is something we can work on here. Is there a search analyzer in Splunk?)
Who has access to the apps? (Group description + matching AD group) (Is there a way to compare the AD list against the Splunk users? I need to create a spreadsheet of the users, their Splunk roles, and the AD group they belong to. Is there an export function of user roles?)
Index data migration (Index information - "Settings" > "Indexes". Is there a migration plan for moving indexes from one environment to the other?)
Once all data is gathered, our goal is to ensure that users aren't having to straddle both environments to access their content. So, this means migrating a group with their index, and migrating the searches, reports, and alerts for that index.
If anyone has a basic migration project plan, it would be helpful for the newbie.
Thanks for your help.