
Top 3 Mistakes Migrating to Splunk Cloud and How to Avoid Them: Article 3 of 3

Choosing to migrate from an on-prem or self-managed cloud platform to Splunk Cloud is an important decision.  

Generally, companies that pursue migration become more competitive. Here are some of the reasons why: 

  • It eliminates the need to purchase, manage and deploy additional infrastructure.  
  • It has robust security and compliance certifications.  
  • Splunk Cloud is FedRAMP Authorized by the General Services Administration at the moderate impact level.  


Pitfalls in Migrating to Splunk Cloud  

In our experience, the decision to migrate is an easy one. However, it can present certain challenges. That’s one reason members of the SP6 team routinely go above and beyond to make sure our clients’ migrations are successful. 

Over the years, our experts have identified three top mistakes our clients make during the planning, migration, and production phases. Keeping them in mind will help you save time and money – and emerge with the system you hoped for. 

3. Not Realizing Things Will Change for the Better, and Being Prepared 

Sometimes, our clients don’t understand the capabilities – and limitations – of Splunk Cloud. Yes, there are some things it doesn’t allow once you migrate. But with the extraordinary service and savings in overhead that it guarantees, the benefits far outweigh the shortcomings.  

The following should be understood from the outset: 

User Authentication 

Frequently, customers authenticate through their Active Directory (AD) using Lightweight Directory Access Protocol (LDAP) authentication.  

When migrating to Splunk Cloud, this probably isn’t going to be an option, as opening up AD to the world probably isn’t high up on your security team’s to-do list, or in line with company policy. In this case, customers will often migrate to Security Assertion Markup Language (SAML) with Two-Factor Authentication (2FA).  

During this transition, you’ll need to educate your users. After migration, user-created objects might appear orphaned in Splunk Cloud until the user logs in, and we’ve seen clients panic as a result. Education and understanding will clarify why these things happen, such as email logins replacing user ID logins.

Field Aliases 

Some field aliases will not migrate over. Some aliases are no longer supported and have been deprecated. Recognizing what those are and accommodating them in the migration is key.

Custom Knowledge Objects 

Here’s something we see far too often: creating knowledge objects in the wrong app context. Users create saved searches, reports, dashboards and other knowledge objects under a variety of apps. This causes management headaches and troubleshooting nightmares that can be extremely time-consuming. 

Time Zones 

Are you using a custom time zone with your on-prem Splunk? If so, be aware that Splunk Cloud is UTC-based. Every custom environment is based on UTC. With that being said, you can customize the time zone on a user basis, but not globally. Be sure to plan accordingly. 

Data Retention 

It’s critical to develop a data retention strategy. The base data retention period is 90 days in Splunk Cloud, with some exceptions. This can make compliance painful unless you have a plan in place to accommodate older data, or to thaw out frozen data.  

While you will be able to scale back the on-prem or cloud-based Splunk infrastructure, you might still have reasons to keep a small on-prem instance to address longer-term data regulations and governance.
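As a pre-migration check for the retention point above, the following added example (not from the original article or from Splunk) parses an on-prem indexes.conf and lists the indexes kept longer than the 90-day base period, noting whether each one already archives frozen data. The sample config, index names and paths are constructed; the 6-year fallback is Splunk's shipped default for frozenTimePeriodInSecs.

```python
# Added example: flag indexes retained longer than Splunk Cloud's base period.
CLOUD_BASE_DAYS = 90               # base retention stated in the article
SPLUNK_DEFAULT_SECS = 188_697_600  # Splunk's shipped default (about 6 years)

# Constructed sample indexes.conf; index names and paths are hypothetical.
SAMPLE_CONF = """\
[default]
frozenTimePeriodInSecs = 7776000
[web_proxy]
homePath = $SPLUNK_DB/web_proxy/db
[auth_audit]
# one year, kept for compliance
frozenTimePeriodInSecs = 31536000
coldToFrozenDir = /archive/auth_audit
[legacy_app]
frozenTimePeriodInSecs = 188697600
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"  # keys before any stanza are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def retention_gaps(text, cloud_days=CLOUD_BASE_DAYS):
    """Return (index, days, frozen_archived) for indexes kept past cloud_days."""
    stanzas = parse_conf(text)
    key = "frozenTimePeriodInSecs"
    fallback = int(stanzas.get("default", {}).get(key, SPLUNK_DEFAULT_SECS))
    gaps = []
    for name, cfg in stanzas.items():
        if name == "default" or ":" in name:  # skip volume:/provider: stanzas
            continue
        days = int(cfg.get(key, fallback)) // 86_400
        if days > cloud_days:
            archived = "coldToFrozenDir" in cfg or "coldToFrozenScript" in cfg
            gaps.append((name, days, archived))
    return sorted(gaps, key=lambda g: -g[1])

if __name__ == "__main__":
    for name, days, archived in retention_gaps(SAMPLE_CONF):
        print(f"{name}: {days} days on-prem, frozen data archived: {archived}")
```

On a real deployment, feed it the merged output of `splunk btool indexes list` rather than a single file, since settings layer across apps.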

Splunk Versions 

Splunk versions DO matter in Splunk Cloud. While you won’t wake up to a new Splunk version one day in most cases, realize that security and availability of support are important for your Splunk Cloud instance.   

Updates are inevitable. It’s important to understand what each update brings – and, in a few cases, takes away. Splunk docs are a fabulous way to stay on top of things, as they do a great job of outlining version changes. 

In Conclusion 

You now know the third top mistake organizations can make before, during, and after a Splunk Cloud migration – not realizing things will change for the better, and being prepared. 

All three mistakes outlined in this series are avoidable with proper planning and a firm understanding of what Splunk Cloud does and doesn’t do. (Here are links to the first and second articles in case you missed them, or would like to revisit them.)  

SP6 has participated in over 500 Splunk engagements. Our team members have an average of 4 ½ years of Splunk experience and 17 years of IT industry experience.  

If your organization has decided to migrate from an on-prem or self-managed cloud platform to Splunk Cloud, you’ll want to team up with a reputable Splunk partner. Get in touch with us today to schedule a no-cost consultation.