Splunk Enterprise Upgrade

santosh_hb
Explorer

Hi All,
With regards to Splunk Enterprise I have the below query:

  • I have an existing Splunk infra that has Splunk Enterprise 6.5.3 running on all the servers. It has all the apps and TAs configured, and they are running properly in the PROD environment.
  • Now, I have built a new infra (with new servers) that has Splunk Enterprise 7.2.1 installed and configured on all the servers.

Our plan is to implement any new on-boarding of log feeds in the new infra and, going forward, merge all the apps and TAs that are currently running on the existing infra into the new infra.

We have 2 approaches to take it forward:

  • Migrate all the existing configurations related to apps and TAs from the existing infra to the new infra (Splunk 7.2.1)
  • Else, upgrade the existing PROD infra to Splunk 7.2.1 and then merge all the apps and TAs related to the existing infra into the new infra that already has Splunk 7.2.1

So, kindly suggest which method I have to follow. If yes, then can you provide the reason for choosing the method (justification)?

Regards,
Santosh

lakshman239
Influencer

In my view, you can use either of the two approaches. Both will be fine. However, you would need to have a few considerations to decide.

  • How many servers do you have in the old and new infra? Is there any clustering involved?
  • What's your retention period for indexes? If it's less than 6 months, it's better to use the new infra, as you can decommission the old infra [adds costs till you decom them]. If you have a longer retention, an upgrade will be better, as migrating buckets needs careful analysis and is time consuming, should you run into bucket fixes/issues.
  • As you have already built the new infra, have plans to onboard new data, and have a plan to migrate them to the new infra, option 2 (new infra) is better.
  • What was the driving factor for building a new infra as opposed to an upgrade? Is that due to ageing hardware, timescales, or the need to on-board new data?
  • Can your new infra provide a seamless interface, or a better one compared to the old interface, to users?