Choosing to migrate from an on-prem or self-managed cloud platform to Splunk Cloud is an important decision.
Generally, companies that pursue migration become more competitive. Here are some of the reasons why:
- It eliminates the need to purchase, manage and deploy additional infrastructure.
- It has robust security and compliance certifications.
- Splunk Cloud is FedRAMP Authorized by the General Services Administration at the moderate impact level.
Read the second article in the series
Pitfalls in Migrating to Splunk Cloud
In our experience, the decision to migrate is an easy one. However, it can present certain challenges. That’s one reason members of the SP6 team routinely go above and beyond to make sure our clients’ migrations are successful.
Over the years, our experts have identified three top mistakes our clients make during the planning, migration, and production phases. Keeping them in mind will help you save time and money – and emerge with the system you hoped for.
3. Not Realizing Things Will Change for the Better, and Being Prepared
Sometimes, our clients don’t understand the capabilities – and limitations – of Splunk Cloud. Yes, there are some things it doesn’t allow once you migrate. But with the extraordinary service and savings in overhead that it guarantees, the benefits far outweigh the shortcomings.
The following should be understood from the outset:
Frequently, customers authenticate through their Active Directory (AD) using Lightweight Directory Access Protocol (LDAP) authentication.
When migrating to Splunk Cloud, this probably isn’t going to be an option, as opening up AD to the world probably isn’t high up on your security team’s to-do list, or in line with company policy. In this case, customers will often migrate to Security Assertion Markup Language (SAML) with Two-Factor Authentication (2FA).
During this transition, you’ll need to educate your users. User-created objects post-migration might appear orphaned in Splunk Cloud, until a user logs in. As a result, we’ve seen clients panic. Education and understanding will clarify why these things happen, email logins replacing user ID logins.
Some field aliases will not migrate over. There have been aliases that are no longer supported and have been depreciated. Recognizing what those are and accommodating them in the migration is key.
Custom Knowledge Objects
Here’s something we see far too often: creating knowledge objects in the wrong app context. Users create saved searches, reports, dashboards and other knowledge objects under a variety of apps. This causes management headaches and troubleshooting nightmares that can be extremely time-consuming.
Are you using a custom time zone with your on-prem Splunk? If so, be aware that Splunk Cloud is UTC-based. Every custom environment is based on UTC. With that being said, you can customize the time zone on a user basis, but not globally. Be sure to plan accordingly.
It’s critical to develop a data retention strategy. The base data retention period is 90 days in Splunk Cloud, with some exceptions. This can make compliance painful unless you have a plan in place to accommodate older data, or to thaw out frozen data.
While you will be able to scale back the on-prem or cloud-based Splunk infrastructure, there might be some qualifications to keep a small on-prem instance, to address longer-term data regulations and governance.
Splunk versions DO matter in Splunk Cloud. While you won’t wake up to a new Splunk version one day in most cases, realize that security and availability of support are important for your Splunk Cloud instance.
Updates are inevitable. It’s important to understand what each update brings – and, in a few cases, takes away. Splunk docs are a fabulous way to stay on top of things, as they do a great job of outlining version changes.
You now know the third top mistake organizations can make before, during, and after a Splunk Cloud migration – not realizing things will change for the better, and being prepared.
All three mistakes outlined in this series are avoidable with proper planning and a firm understanding of what Splunk Cloud does and doesn’t do. (Here are links to the first and second articles in case you missed them, or would like to revisit them.)
SP6 has participated in over 500 Splunk engagements. Our team members have an average of 4 ½ years of Splunk experience and 17 years of IT industry experience.
If your organization has decided to migrate from an on-prem or self-managed cloud platform to Splunk Cloud, you’ll want to team up with a reputable Splunk partner. Get in touch with us today to schedule a no-cost consultation.