Author: Aisha Moore, Splunk Architect
If you’re considering moving from Splunk On Prem to Splunk Cloud, here are some nuances you should consider.
Low Limit of DDAS (Searchable Storage) compared to DDAA (Archive Storage) in Splunk Cloud
It is important that your Splunk users, especially your Security Operations Center (SOC) users, understand that DDAA is NOT searchable. The SOC team may have certain indexes where they need 1 year of searchable data available in Splunk Cloud (for example, Palo Alto logs, firewall logs, and access and authentication logs).
Be sure to clearly explain to data owners and SOC and NOC users how their allocation of storage will be split between DDAS (searchable storage) and DDAA (non-searchable archive storage).
Be prepared to increase your estimated DDAS to accommodate the searchable data that the SOC team and other security, audit, and compliance data users need.
Splunk Cloud breaks your storage allocation into three buckets:
- DDAS (Dynamic Data Active Searchable) – This is the data you can search through in Splunk Cloud, and the default allocation of DDAS is considerably less than DDAA
- DDAA (Dynamic Data Active Archive) – This data is NOT searchable. It must be “restored from archive” in order to be searchable in Splunk Cloud
- Restore Capacity – This is the maximum amount of data (e.g. 10,000 GB) that can be restored from archive to searchable at any given time.
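To make the DDAS versus DDAA conversation concrete with data owners, here is an added planning script (example code, not from the original article). It takes each index's daily ingest and how long the owners need it searchable, splits the need into DDAS and DDAA, and reports the shortfall against a contracted allocation. The index names, ingest figures and allocation numbers are constructed; the script assumes storage need scales linearly with daily ingest and does not model compression or any other sizing factor Splunk Cloud may apply, so treat the output as a first-pass estimate.

```python
"""Planning estimate: how much DDAS (searchable) vs DDAA (archive) each index needs.

Added example, not from the original article. It assumes storage need scales
linearly with daily ingest (GB/day x days retained); real Splunk Cloud sizing
may apply compression or other factors this script does not model, so treat
the output as a first-pass estimate for the data-owner conversation.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class IndexPlan:
    name: str
    ingest_gb_per_day: float
    searchable_days: int       # how long the data owners need the data in DDAS
    total_retention_days: int  # searchable days plus archived (DDAA) days


def storage_split(plan: IndexPlan) -> Tuple[float, float]:
    """Return (ddas_gb, ddaa_gb) for one index."""
    if plan.total_retention_days < plan.searchable_days:
        raise ValueError(f"{plan.name}: total retention is shorter than searchable retention")
    ddas_gb = plan.ingest_gb_per_day * plan.searchable_days
    ddaa_gb = plan.ingest_gb_per_day * (plan.total_retention_days - plan.searchable_days)
    return ddas_gb, ddaa_gb


def plan_allocation(plans: List[IndexPlan], ddas_allocation_gb: float,
                    ddaa_allocation_gb: float) -> Dict[str, object]:
    """Sum the per-index needs and report any shortfall against the contracted buckets."""
    per_index = {}
    total_ddas = total_ddaa = 0.0
    for plan in plans:
        ddas_gb, ddaa_gb = storage_split(plan)
        per_index[plan.name] = {"ddas_gb": ddas_gb, "ddaa_gb": ddaa_gb}
        total_ddas += ddas_gb
        total_ddaa += ddaa_gb
    # Indexes sorted by DDAS demand: these are the owners to talk to first
    biggest_ddas_consumers = sorted(per_index, key=lambda n: per_index[n]["ddas_gb"], reverse=True)
    return {
        "per_index": per_index,
        "ddas_needed_gb": total_ddas,
        "ddaa_needed_gb": total_ddaa,
        "ddas_shortfall_gb": max(0.0, total_ddas - ddas_allocation_gb),
        "ddaa_shortfall_gb": max(0.0, total_ddaa - ddaa_allocation_gb),
        "biggest_ddas_consumers": biggest_ddas_consumers,
    }


# Constructed sample: a SOC asking for a year searchable on its security indexes,
# and a web access index that only needs 90 days searchable.
SAMPLE_PLANS = [
    IndexPlan("firewall", ingest_gb_per_day=50, searchable_days=365, total_retention_days=730),
    IndexPlan("auth", ingest_gb_per_day=10, searchable_days=365, total_retention_days=365),
    IndexPlan("web_access", ingest_gb_per_day=100, searchable_days=90, total_retention_days=365),
]

# Constructed allocation figures standing in for what a contract might specify.
SAMPLE_DDAS_ALLOCATION_GB = 20_000
SAMPLE_DDAA_ALLOCATION_GB = 100_000


if __name__ == "__main__":
    result = plan_allocation(SAMPLE_PLANS, SAMPLE_DDAS_ALLOCATION_GB, SAMPLE_DDAA_ALLOCATION_GB)
    for name, need in result["per_index"].items():
        print(f"{name:12s} DDAS {need['ddas_gb']:>9,.0f} GB  DDAA {need['ddaa_gb']:>9,.0f} GB")
    print(f"DDAS needed {result['ddas_needed_gb']:,.0f} GB, shortfall {result['ddas_shortfall_gb']:,.0f} GB")
    print(f"DDAA needed {result['ddaa_needed_gb']:,.0f} GB, shortfall {result['ddaa_shortfall_gb']:,.0f} GB")
```

With the constructed figures the three indexes need about 30,900 GB of DDAS against a 20,000 GB allocation, and the firewall index alone accounts for more than half of that. That is the kind of per-index breakdown that tells you which data owners to sit down with before the migration rather than after.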
DNS Lookup Against Your Internal IP Addresses Will Not Work by Default in Splunk Cloud
You may have many teams that use Splunk's built-in dnslookup to resolve clientip or clienthost. Unfortunately, since Splunk Cloud is not on your company's domain (e.g. mycompany.com), it cannot resolve your internal IP addresses by default.
There are some workarounds. One solution is to auto-generate a <company>_assets_lookup.csv every few hours and send this data to Splunk Cloud. Then users can use both the dnslookup and <company>_assets_lookup.csv to resolve clientip and clienthost for both external and internal IPs/hostnames.
Be sure to implement a solution as part of your Splunk On Prem to Cloud Migration.
Also be sure to lock the <company>_assets_lookup.csv down to just the roles that should have read access. This is important; otherwise any Splunk user will be able to run | inputlookup <company>_assets_lookup.csv and view ALL the data in the file.
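The following added example (not from the original article) shows what the on-prem generation job could look like, plus the search-time resolution order the article describes and the metadata stanza that restricts who can read the lookup. The inventory rows are constructed; in practice they would come from your CMDB, DHCP or directory export. The function names, the `owner` column and the role names are assumptions, not anything Splunk defines; the `[lookups/<file>]` access stanza is the standard Splunk metadata format.

```python
"""Build a <company>_assets_lookup.csv for Splunk Cloud and restrict who can read it.

Added example, not code from the original article. INVENTORY is constructed;
a real job would pull it from a CMDB, DHCP or directory export. Function names,
the 'owner' column and the role names are assumptions.
"""
import csv
import io
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

# Constructed asset inventory, standing in for what an on-prem job would export every few hours.
INVENTORY = [
    {"ip": "10.1.20.5", "hostname": "FW-CORE-01.mycompany.com", "owner": "netops"},
    {"ip": "192.168.4.17", "hostname": "wks-jdoe.mycompany.com", "owner": "desktop"},
    {"ip": "10.1.20.5", "hostname": "fw-core-01.mycompany.com", "owner": "netops"},  # duplicate, different case
    {"ip": "8.8.8.8", "hostname": "dns.google", "owner": "external"},  # public: dnslookup already handles it
    {"ip": "not-an-ip", "hostname": "bad-row", "owner": "?"},  # malformed row that must not reach the lookup
]

LOOKUP_FIELDS = ["ip", "hostname", "owner"]


def build_assets_rows(inventory: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep one row per internal (private) IP; hostnames lowercased, bad rows skipped."""
    rows: Dict[str, Dict[str, str]] = {}
    for item in inventory:
        try:
            addr = ipaddress.ip_address(item["ip"])
        except ValueError:
            continue  # skip malformed rows instead of shipping garbage to the cloud stack
        if not addr.is_private:
            continue  # public addresses resolve with dnslookup; the CSV is for internal ranges only
        rows.setdefault(str(addr), {
            "ip": str(addr),
            "hostname": item["hostname"].lower(),
            "owner": item["owner"],
        })
    return [rows[ip] for ip in sorted(rows, key=lambda ip: (ipaddress.ip_address(ip).version,
                                                             ipaddress.ip_address(ip)))]


def write_lookup_csv(rows: List[Dict[str, str]], path: Optional[str] = None) -> str:
    """Serialise rows as the header-first CSV the Splunk lookup command expects; optionally write it."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOOKUP_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    text = buf.getvalue()
    if path:
        with open(path, "w", encoding="utf-8", newline="") as fh:
            fh.write(text)
    return text


def index_by_ip(rows: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """In-memory view of the lookup, keyed the way a `| lookup ... ip AS clientip` would match."""
    return {row["ip"]: row for row in rows}


def resolve_client(ip: str, assets: Dict[str, Dict[str, str]],
                   external_lookup: Callable[[str], str]) -> str:
    """Mirror the search-time order: internal assets lookup first, dnslookup for everything else."""
    hit = assets.get(ip)
    if hit:
        return hit["hostname"]
    return external_lookup(ip)


def lookup_permissions_stanza(filename: str, read_roles: Iterable[str],
                              write_roles: Iterable[str] = ("admin",)) -> str:
    """metadata/local.meta stanza that limits read access to the lookup file to the given roles."""
    return (
        f"[lookups/{filename}]\n"
        f"access = read : [ {', '.join(read_roles)} ], write : [ {', '.join(write_roles)} ]\n"
        "export = none\n"  # keep it private to the app rather than exporting it system-wide
    )


if __name__ == "__main__":
    rows = build_assets_rows(INVENTORY)
    print(write_lookup_csv(rows))
    assets = index_by_ip(rows)
    print(resolve_client("10.1.20.5", assets, lambda ip: "unresolved"))
    print(lookup_permissions_stanza("acme_assets_lookup.csv", ["soc_analyst", "noc_analyst"]))
```

The `external_lookup` callable stands in for Splunk's dnslookup so the script runs offline; the point is the order of resolution, not the DNS call itself. The metadata stanza is what prevents the `| inputlookup` exposure the article warns about: without it, the file inherits whatever app-level permissions apply, which for a shared app is usually read for everyone.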
Emails Sent from Splunk Cloud Alerts to Your Internal Email Distribution List Might Be Blocked
Talk with your Messaging team early to see if they can globally whitelist [email protected] to allow your internal email DLs (e.g. [email protected]) to receive emails from Splunk Cloud.
This can be a HUGE amount of work if you cannot get the global whitelist. It might require you to work with each email DL owner and the messaging team to individually whitelist [email protected] for each email DL.
Large Number of Company-Controlled Linux Servers Still Needed for Data Collection
Companies are often shocked to learn that they will still need to keep a number of Linux servers on prem in order to collect data before sending it to Splunk Cloud. This is true for Splunk Heavy Forwarders collecting syslog and other non-cloud-based inputs.
You might also need to stand up a group of intermediate forwarders to collect data from your Splunk Universal Forwarders deployed on thousands of laptops, desktops, and Linux servers.
You will also need to retain at least one deployment server on-prem, plus a server to use to push apps to and from Splunk Cloud using their ACS CLI process.
The cost of continuing to maintain these on-prem servers should be factored into your overall Splunk On Prem to Cloud Migration cost and benefits analysis.
Splunk Cloud Hard and Soft Limits and Constraints
Thoroughly review the service limits and constraints in the link below. Ensure you can adhere to the limits listed.
No CLI Access to Splunk Cloud Servers
You probably already know this. You can perform some actions with Splunk Cloud's ACS CLI:
https://docs.splunk.com/Documentation/SplunkCloud/9.3.2411/Config/ACSREF
For other CLI-related operations you'll need to open a Splunk Support request.