Need a Splunk transition plan from one team to another.

Rocky Cortez
Rocky Cortez used Ask the Experts™
I am looking for assistance on developing a Splunk transition plan from one team to another. Timeframe should be within one month.
Top Expert 2015

Just pass the admin password from one team to another? Should not take less than a minute if they know each other's email.
Top Expert 2014

To add just a bit to gheist's comment: documentation on the current environment. Things like:

What type of and how many Splunk servers you have (search head, indexers, syslog forwarders).
Do you have more than one Splunk environment?
What type of daily/weekly/monthly/yearly maintenance functions.
What automated reports do you have?
Do you have Splunk doing alerting, and if so, on what?
How security is set up.
Current license limit.

You may want to have one of the new team members shadow one of the current members for a couple hours a day for a couple days a week.

I am assuming that there is some arrangement where the new team will be able to contact the old team if needed.
Exec Consultant
Distinguished Expert 2018
Need to minimally cover:
- Splunk FAQ. Contains organisation-specific information for Splunk-related configuration and troubleshooting.
- Splunk Architecture and Setup documentation. Provides helpful guidance for first-time or existing users on quickly setting up their Splunk license based on the approved recommended/tested design.
- Splunk License Usage Report View documentation. Adopt the approach to manage consumption of your Splunk license.
- Splunk Change management. Provides the baseline security check regime, accounts based on roles, access rights matrix, applications installed and update regime, and system health checks (SNMP traps etc.). Include any form of audit report conducted.
- Splunk Backup management. Provides the long-term backup period for RPO, and also the interim archive period to sustain performance. Include recovery procedures.
- Splunk external interface to other systems (including SIEMs). Provides the all-party agreement, scope of work, purpose and API support. Include any legal documentation as well.
- Splunk training and support SLA engagement. Provides the expectation of onsite and online support as well as enhancement request fulfillment.
- Contact of Splunk Helpdesk and Account manager / Backup. Provides the second tier to assist and advise in time of trouble and doubt. You need to stand by as well, just in case. Include the Incident response SOP.

Good to space out the knowledge transfer into "runs", with the key lead SME covering each item for the right delegates - fit for training. A demo will be good, but minimally the basic handover run-through must be conducted as first priority.
