Migration 2019

Terms

  • Splunk Legacy – The prior Splunk environment (to be retired later in 2019), located on physical hardware at the Urbana campus.
  • Splunk Cloud – A Splunk SaaS hybrid solution in which Splunk manages the indexing and search head tiers, while Urbana manages the deployment tier and the majority of the forwarding tier.
  • Split Stream – Sending to both the legacy and the new cloud environment at the same time.
  • Translation/Transformation – Utilizing a specialized Splunk component called a Heavy Forwarder to alter the data on the fly before it arrives in the new Splunk environment.

Things to note

  1. The new Splunk environment is…
    1. A green field deployment. There will be no mass migration of knowledge objects from the legacy environment to the new environment. This will give us a chance to align data to the Common Information Model and Splunk best practices.
    2. Several software revisions newer. Things will look different and will have a suite of new capabilities.
    3. Running a scalable search and indexing tier. These clustered tiers offer higher resiliency than we currently have in our environment; however, they also increase the complexity of deploying apps from Splunkbase or the community.
    4. Mostly located in AWS. Endpoints will need to have access to the internet to use the general infrastructure. We have built in the capability to have campus VPN resources through the use of load balancers if your systems cannot access internet resources.
    5. Designed to scale into a campus or wider service. A great deal of effort has gone into ensuring that we can organize data according to naming conventions. This requires that the index names change.
    6. A cost recovery service with 90 days being the standard retention timeframe. We can and do have systems that will require additional retention durations. Please work with the Splunk service team to make these adjustments.
    7. Secured via Shibboleth to valid NetIDs, with additional security settings to prevent unauthorized systems from consuming our organization’s license. These settings will be provided through the new Splunk Deployment Server located in AWS.

Migration Overview

  1. Conversation
    1. The Splunk service team will discuss with the service owner and admin what needs to happen. Not all systems are the same, so the following steps describe the general process that all systems will go through, some more rapidly than others.
    2. The current configuration looks something like this…
  2. Whitelist
    1. On the new Splunk deployment server we will add the new servers to the whitelist. This will allow these machines to communicate with the new infrastructure.
  3. Upgrade
    1. The service admin will upgrade the Splunk agent and configure the endpoint to begin talking to the new Splunk Deployment server.
    2. Instructions can be found here.
  4. Split Stream
    1. Once data begins to flow again to the Legacy environment, it will also be sent to a special index in the new environment called the lastchanceindex.
  5. Translation
    1. The Splunk service team will validate the data arriving at the lastchanceindex and put in the appropriate translations at the Heavy Forwarder for data to be sent to the appropriate new index.
  6. Data Seeding
    1. The data will flow simultaneously to both environments for a period of time. During this time the service owner/admin will validate the data that is arriving and with the assistance of the Splunk service team they will migrate any reports, alerts, or knowledge objects that are needed in the new environment.
    2. This will be the step where apps will be installed, configured, or ported to the new Splunk environment.
  7. Cutover
    1. On a day yet to be determined we will stop sending to the Heavy Forwarder and the legacy environment. Instead we will send only to the forwarding tier located on campus, which offers greater resiliency for the data stream as the service grows.
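As an added illustration of the Split Stream and Translation steps (this is not the service team's actual configuration), the index rewrites applied at the Heavy Forwarder can be expressed as index-time rules in props.conf and transforms.conf. The sourcetypes and new index names below are placeholders standing in for the campus naming convention; anything without a matching stanza is left untouched and therefore keeps the lastchanceindex assigned upstream, which is what makes unmapped data visible during validation.

```ini
# props.conf on the Heavy Forwarder (added example; placeholder names throughout)
# Each legacy sourcetype that has been validated in lastchanceindex gets a
# TRANSFORMS- rule that rewrites its destination index on the way to Splunk Cloud.
[cisco:asa]
TRANSFORMS-route_index = route_asa_to_netsec

[WinEventLog:Security]
TRANSFORMS-route_index = route_winsec_to_os

# transforms.conf on the Heavy Forwarder
# REGEX = . matches every event of the sourcetype; DEST_KEY selects the index
# metadata field, and FORMAT is the placeholder name under the new convention.
# The target index must already exist in the new environment before this rule goes live.
[route_asa_to_netsec]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = netsec_asa_prod

[route_winsec_to_os]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = os_windows_security

# Sourcetypes with no stanza above still land in lastchanceindex, so a search in
# the new environment such as the following shows what has not yet been translated:
#   index=lastchanceindex | stats count by sourcetype, host
```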
Splunk at Illinois
Email: splunk-admin@illinois.edu