How to migrate Splunk Cloud to On-Premises?

Tahar
Engager

Hi

I am planning to migrate Splunk Cloud to On-Premises Platform.

Looking for road map and potential challenges . Any one?

1 Solution

PickleRick
SplunkTrust

As @isoutamo said, there is no official way to do that. The typical migration is the "other way" round: from on-prem to Cloud.

There is no way to do what you would do when migrating an on-prem environment between locations (add new peers, let them replicate the data, remove the old peers) if one of those locations is Splunk Cloud. Customers simply don't have access to the underlying infrastructure.

So there are three things you'd need to take into account when trying to migrate "back" from Cloud to on-prem:

1. The "infrastructure configuration" - this is the part you have to create from scratch. You need to spin up your own machines and create all the "technical" configs for indexers, search heads and so on for your deployment. Here it doesn't differ from setting up a completely new environment.

2. The knowledge migration - you have to deploy the same apps (which might be relatively easy) and migrate user configs (I'm not sure how hard it is to export them from the Cloud; if it's not possible using native Cloud mechanisms, you can always ask support for help here).

3. Data migration. Here's where the "fun" part begins. As I said before, you don't have access to the indexers, and I seriously doubt you can get your buckets straight from the indexers. I see two options:

- export your data using searches and reingest it into your new environment (this can raise some issues with timestamps, parsing and so on, and of course it will reflect on your license usage)

- configure DDSS and set a very short retention period so that all your data moves to frozen buckets in your DDSS. Then you can pull those buckets from there to your on-prem installation and thaw them.

This is not something nice and easy, so I'd suggest you engage your local friendly Splunk Partner in this process.


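The second data-migration option from the accepted answer, the DDSS thaw, as an added shell example; it is not from the original thread and not Splunk's own tooling. It assumes the frozen buckets were already downloaded from DDSS into a local directory tree ($DDSS_EXPORT/<index>/, a name chosen for this script) with their standard Splunk bucket directory names, that the target index is already defined in indexes.conf on the new on-prem indexer, and that $SPLUNK_HOME points at that install. The bucket-name layout (db_<latestEpoch>_<earliestEpoch>_<bucketId>[_<guid>]) and `splunk rebuild` are standard Splunk Enterprise; the time-window filter, the skipping of rb_ copies and the DRY_RUN switch are this script's own additions.

```shell
#!/bin/sh
# Added example (not from the original thread): restore frozen buckets that
# were pulled down from Splunk Cloud DDSS into an on-prem indexer's thaweddb
# and rebuild them. Assumptions: buckets were downloaded, unchanged, into
# $DDSS_EXPORT/<index>/ keeping their original directory names
# db_<latestEpoch>_<earliestEpoch>_<bucketId>[_<guid>]; the target index exists
# in indexes.conf on this indexer; $SPLUNK_HOME/bin/splunk is the new on-prem
# install. DDSS_EXPORT and DRY_RUN are names chosen for this script.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_DB="${SPLUNK_DB:-$SPLUNK_HOME/var/lib/splunk}"
DDSS_EXPORT="${DDSS_EXPORT:-/data/ddss-export}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = only print what would be done

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; return 0; }

# Parse a bucket directory name; print "<latest> <earliest> <id>" or fail.
# rb_ directories are replicated copies of a db_ bucket with the same id, so
# they are rejected here to avoid restoring the same events twice.
parse_bucket_name() {
  local name old_ifs
  name=$1
  case "$name" in db_*) ;; *) return 1 ;; esac
  old_ifs=$IFS; IFS=_; set -- $name; IFS=$old_ifs
  [ $# -ge 4 ] || return 1
  is_uint "$2" && is_uint "$3" && is_uint "$4" || return 1
  [ "$2" -ge "$3" ] || return 1   # latest must not precede earliest
  printf '%s %s %s\n' "$2" "$3" "$4"
}

# Succeed if the bucket's [earliest, latest] span overlaps [from, to].
bucket_overlaps() {
  local fields from to
  from=$2; to=$3
  is_uint "$from" && is_uint "$to" || return 1
  fields=$(parse_bucket_name "$1") || return 1
  set -- $fields                 # $1 = latest, $2 = earliest, $3 = id
  if [ "$2" -le "$to" ] && [ "$1" -ge "$from" ]; then return 0; fi
  return 1
}

# Copy one bucket into thaweddb and rebuild its index files: freezing strips
# everything but the raw journal, so tsidx/metadata must be regenerated.
thaw_bucket() {
  local index src dest
  index=$1; src=$2
  dest="$SPLUNK_DB/$index/thaweddb/${src##*/}"
  if [ "$DRY_RUN" = 1 ]; then
    echo "dry run: cp -r '$src' '$dest' && '$SPLUNK_HOME/bin/splunk' rebuild '$dest'" >&2
    return 0
  fi
  mkdir -p "$SPLUNK_DB/$index/thaweddb"
  cp -r "$src" "$dest"
  "$SPLUNK_HOME/bin/splunk" rebuild "$dest"
}

# Select every exported db_ bucket for <index> that overlaps [from, to] (epoch
# seconds), print its name, and thaw it. Limiting the window keeps a first
# restore small instead of pulling every frozen bucket at once.
plan_restore() {
  local index from to exportdir dir name
  index=$1; from=$2; to=$3
  exportdir="$DDSS_EXPORT/$index"
  [ -d "$exportdir" ] || { echo "no export directory: $exportdir" >&2; return 1; }
  for dir in "$exportdir"/*; do
    [ -d "$dir" ] || continue
    name=${dir##*/}
    bucket_overlaps "$name" "$from" "$to" || continue
    printf '%s\n' "$name"
    thaw_bucket "$index" "$dir"
  done
}

# Usage: DRY_RUN=0 sh thaw_ddss.sh --run <index> <fromEpoch> <toEpoch>
if [ "${1:-}" = "--run" ]; then
  plan_restore "$2" "$3" "$4"
fi
```

Run it with DRY_RUN=0 on one indexer only: an indexer cluster does not replicate thawed buckets, so restoring the same bucket on several peers just duplicates the data. Thawing keeps the original buckets, so the timestamp and parsing problems the answer mentions for the export-and-reingest route do not arise, but a small time window first lets you confirm the rebuilt buckets search correctly before pulling the whole DDSS archive.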
Tahar
Engager

Thank you Isoutamo for your feedback.
Can you please expand on your answer?


isoutamo
SplunkTrust
The answer depends on your SC environment: how much data, which kind it is, etc. I think that you should find some local company / person who can help you.

isoutamo
SplunkTrust
Hi
I don't think that there are any official instructions for this.

I believe that you could easily set up a distributed Splunk environment on prem and switch your log collection towards it. Also, if you have created your KOs in git or another version control system, then just install those into the new environment. Getting old data from SC will be tricky. Probably the best situation is if you could leave it there and set up e.g. federated search to use it? If not, then there is no official way to get those buckets/data back into on prem.
r. Ismo