Splunk Cloud Platform Service Description

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Splunk Cloud Platform Service Details

Splunk Cloud Platform introduction

Welcome to the Splunk Cloud Platform service description.

Splunk Cloud Platform delivers the benefits of award-winning Splunk® Enterprise as a cloud-based service. Using Splunk Cloud Platform, you gain the functionality of Splunk Enterprise for collecting, searching, monitoring, reporting, and analyzing all of your real-time and historical machine data using a cloud service that is centrally and uniformly delivered by Splunk to its large number of cloud customers, from Fortune 100 companies to small and medium-size businesses. Splunk manages and updates the Splunk Cloud Platform service uniformly, so all customers of Splunk Cloud Platform receive the most current features and functionality.

Splunk Cloud Platform provides a complete suite of self-service capabilities for you to ingest data, customize data retention settings, customize user roles and centralized authentication, configure searches and dashboards, update your IP Allow List, and perform app management. In addition, you can use the Cloud Monitoring Console (CMC) to holistically monitor the data consumption and health of your Splunk Cloud Platform environment. Finally, ensure your Operational Contacts are kept up-to-date; see Your maintenance responsibilities for more details.

Your subscription to the Splunk Cloud Platform service is workload-based and is sized for resource capacity. By exception, you may be on an ingest-based subscription that is sized for data volume ingested. For more information, see Subscription types.

This document describes the features, capabilities, limitations, and constraints of the Splunk Cloud Platform service and our responsibilities to you as a Software as a Service provider. This document also notes your responsibilities as a subscriber to the service. Be sure to read the complete service description and the service terms and policies documents listed in the following section. If you have questions after reading any of this material, contact your Splunk sales representative.

Service terms and policies

The following links access important terms and policies documents that pertain to the Splunk Cloud Platform service. Be sure to read these documents to have a clear understanding of the service. If you have any questions, contact your Splunk sales representative.

Available regions and region differences

Splunk Cloud Platform is available in the following global regions.

  • Victoria Experience
    AWS regions: US (Oregon, Virginia); UK (London); Europe (Dublin, Frankfurt, Paris); Asia Pacific (Singapore, Sydney, Tokyo); Canada (Central)
    Google Cloud regions: Not currently available
  • Classic Experience
    AWS regions: US (GovCloud US-West, GovCloud US-East); Europe (Stockholm); Asia Pacific (Mumbai, Seoul)
    Google Cloud regions: US (Iowa); UK (London); Europe (Belgium, Frankfurt); Asia Pacific (Singapore, Sydney); Canada (Montreal)
  • Admin Config Service (ACS)
    AWS regions: Available, except GovCloud US-West and GovCloud US-East regions
    Google Cloud regions: Available
  • Compliance: IRAP
    AWS regions: Available, Sydney only
    Google Cloud regions: Not currently available
  • Federated search
    AWS regions: Available, except GovCloud US-West and GovCloud US-East regions
    Google Cloud regions: Available
  • Ingest actions
    AWS regions: Available, except GovCloud US-West and GovCloud US-East regions
    Google Cloud regions: Not currently available
  • Splunk Secure Gateway
    AWS regions: Available, except GovCloud US-West and GovCloud US-East regions
    Google Cloud regions: Available
  • Storage: Customer-managed encryption keys
    AWS regions: Currently available for Classic Experience regions
    Google Cloud regions: Not currently available

Compliance and certifications

Splunk has attained a number of compliance attestations and certifications from industry-leading auditors as part of our commitment to adhere to industry standards worldwide and part of our efforts to safeguard customer data. The following compliance attestations/certifications are available:

  • SOC 2 Type II: Splunk Cloud Platform has an annual SOC 2 Type 2 audit report issued. The SOC 2 audit assesses an organization's security, availability, and confidentiality processes to provide assurance about the systems that a company uses to protect customers' data. If you require the SOC 2 Type 2 attestation to review, contact your Splunk sales representative to request it.
  • ISO 27001: Splunk Cloud Platform is ISO/IEC 27001:2013-certified. ISO/IEC 27001:2013 is a standard for an information security management system, specifying the policies and procedures for all legal, physical, and technical controls used by an organization to minimize risk to information. See https://www.splunk.com/pdfs/legal/splunk-ISO-27001-certificate.pdf to access a PDF version of the Splunk ISO 27001 certificate.

For information regarding the availability of service components between the AWS and Google Cloud regions, see Region differences.

If your data must be maintained in a regulated cloud environment to assist you with meeting your compliance needs, Splunk Cloud Platform provides these optional subscriptions.

  • U.S. Department of Defense (DoD) Impact Level 5 (IL5): The U.S. Defense Information Systems Agency (DISA) has granted Splunk Cloud Platform a U.S. Department of Defense (DoD) Impact Level 5 (IL5) Provisional Authorization (PA). U.S. Government agencies are now able to leverage the power of Splunk Cloud Platform to solve their challenging mission-critical problems, even when working with high-sensitivity Controlled Unclassified Information (CUI). This subscription is available in the AWS GovCloud (US) regions, which are isolated regions designed to address specific regulatory and compliance requirements. Cryptographic modules used in the Splunk Cloud FedRAMP offering are FIPS 140-2 validated encryption modules. For information about apps validated by FedRAMP, see FedRAMP Moderate and DoD IL5 validated premium solutions and apps.
  • FedRAMP Moderate: Splunk Cloud FedRAMP is authorized by the General Services Administration FedRAMP PMO at the Moderate Impact Level. Splunk Cloud FedRAMP addresses the needs of the U.S. Government, State and Local customers, educational institutions, and commercial customers who seek FedRAMP authorized services, and allows them to run sensitive workloads in the cloud. This subscription is available in the AWS GovCloud region, which is an isolated region designed to address specific regulatory and compliance requirements. Cryptographic modules used in the Splunk Cloud FedRAMP offering are FIPS 140-2 validated encryption modules. For information about apps validated by FedRAMP, see FedRAMP Moderate and DoD IL5 validated premium solutions and apps.
  • Health Insurance Portability and Accountability Act (HIPAA): Splunk Cloud Platform (HIPAA) is compliant with the HIPAA Security Rule and HITECH Breach Notification Requirements. These regulations establish a standard for the security of any entity that accesses, processes, transmits, or stores electronic protected health information (ePHI).
  • Information Security Registered Assessors Program (IRAP): Splunk attests Splunk Cloud Platform against the PROTECT level of the IRAP standard. The IRAP standard allows the Commonwealth of Australia and commercial customers to run sensitive workloads by using an IRAP assessed Splunk Cloud Platform environment in Australia (AWS Sydney region).
  • Payment Card Industry Data Security Standard (PCI DSS): Splunk tests Splunk Cloud Platform for compliance with the PCI DSS v3.2 standard. This standard applies to any entity that processes, transmits, or stores payment card data as well as their critical service providers.

The following list gives additional information for each regulated cloud environment: its region availability, encryption at rest, IP Allow List requirements, and how to obtain certification documents.

  • DoD IL5
    Region availability: GovCloud (US-West and US-East)
    Encryption at rest: Enabled by default. Splunk manages the encryption keys on your behalf and they are regularly rotated.
    IP Allow List: You must provide IP allow list rules to access your Splunk Cloud Platform IL5 environment located in the splunkcloudfed.com domain.
    Certification documents: Contact your Splunk sales representative to learn more about Splunk Cloud Platform IL5.
  • FedRAMP Moderate
    Region availability: GovCloud (US-West and US-East)
    Encryption at rest: Enabled by default. Splunk manages the encryption keys on your behalf and they are regularly rotated.
    IP Allow List: You must provide IP allow list rules to access your Splunk Cloud Platform FedRAMP environment located in the splunkcloudgc.com domain.
    Certification documents: If you are a Federal agency, request the Splunk Cloud Platform FedRAMP package from the FedRAMP Marketplace. Otherwise, contact your Splunk sales representative.
  • HIPAA
    Region availability: All AWS and Google Cloud regions.
    Encryption at rest: Enabled by default. Splunk manages the encryption keys on your behalf and they are regularly rotated. If available in your region, you have the option to manage the encryption keys instead.
    IP Allow List: You must provide IP allow list rules to access your Splunk Cloud Platform HIPAA environment.
    Certification documents: If you require the HIPAA compliance report to review, contact your Splunk sales representative to request a copy.
  • IRAP
    Region availability: AWS Sydney region
    Encryption at rest: Enabled by default. Splunk manages the encryption keys on your behalf and they are regularly rotated. Optionally, you can choose to manage the encryption keys.
    IP Allow List: You must provide IP allow list rules to access your Splunk Cloud Platform IRAP environment.
    Certification documents: If you require the IRAP attestation of compliance to review, contact your Splunk sales representative to request a copy.
  • PCI DSS
    Region availability: All AWS regions except GovCloud (US-West and US-East). All Google Cloud regions.
    Encryption at rest: Enabled by default. Splunk manages the encryption keys on your behalf and they are regularly rotated. If available in your region, you have the option to manage the encryption keys instead.
    IP Allow List: You must provide IP allow list rules to access your Splunk Cloud Platform PCI DSS environment.
    Certification documents: If you require the PCI DSS attestation of compliance to review, contact your Splunk sales representative to request a copy.

Data collection

Splunk Cloud Platform provides software and APIs that enable you to ingest data from your applications, cloud services, servers, network devices, and sensors into the service.

The following sections describe how you can send data to Splunk Cloud Platform.

Using Splunk forwarders

There are two types of forwarder software: universal forwarder and heavy forwarder. In most situations, the universal forwarder is the best forwarder for Splunk Cloud Platform since it includes the essential components that it needs to forward data, uses significantly fewer hardware resources and is inherently scalable. For certain use cases when data needs to be parsed prior to forwarding or data needs to be forwarded based on criteria such as source or type of event, a heavy forwarder is required. Your Splunk Cloud Platform subscription includes a deployment server license for centralized configuration management of your Splunk forwarders. You can request the deployment server license from Splunk support. Setup, enablement, transformation, and sending data from forwarders to your Splunk Cloud Platform environment is your responsibility. This means you are responsible for installing, configuring, and managing your forwarders, including maintaining version compatibility. For more information, see Supported forwarder versions. You are responsible for installing the data collection components of any app you wish to use in Splunk Cloud Platform on a Splunk forwarder.

As part of on-boarding to the service, Splunk will provide you the IP addresses that you will use to send data to Splunk Cloud Platform using forwarders. These IP addresses will remain constant and not change during your subscription period. If you increase your subscription level, you may receive additional IP addresses that you will use to send data. In the rare occurrence of an IP address change, Splunk will provide you with advance notification. Most customers will be required to add these IP addresses to their outbound firewall rules to ensure their data is successfully forwarded to Splunk Cloud Platform. To simplify lifecycle management of your outbound firewall rules, Splunk requires that you use the actual IP addresses provided or the DNS mapping.

For more information about scripted and modular inputs, see Experience designations.

For more information, see Upload Data in the Getting Data In manual.

Using HTTP Event Collector (HEC)

HEC lets you send data and application events using a token-based authentication mode to Splunk Cloud Platform over the Secure HTTP (HTTPS) protocol. You can generate a token and then configure a logging library or HTTPS client with the token to send data to HEC in a specific format. HEC is enabled by default for your Splunk Cloud Platform environment with a 1 MB size limit on the maximum content length. You are responsible for setup, enablement, transformation, and sending data to your Splunk Cloud Platform environment via HEC. You are also responsible for monitoring and remediation of any HEC error codes that are received from Splunk Cloud Platform to ensure no interruption of your data ingestion. For more information, see the following:
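A sender that stays under the 1 MB content-length cap described above and acts on HEC reply codes, as an added example (not Splunk's own code; the host and token are placeholders, and the retry/split/fix policy is this example's, not a Splunk specification):

```python
import json
import urllib.request
import urllib.error

# Placeholders for this example; substitute your environment's HEC endpoint and token.
HEC_URL = "https://example-stack.splunkcloud.com:443/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # not a real token
MAX_CONTENT_LENGTH = 1 * 1024 * 1024  # Splunk Cloud Platform HEC default: 1 MB per request


def encode_event(event, sourcetype="my_app:json", index=None):
    """Wrap one application event in the HEC JSON envelope (event, sourcetype, optional index)."""
    envelope = {"event": event, "sourcetype": sourcetype}
    if index:
        envelope["index"] = index
    return json.dumps(envelope, separators=(",", ":")).encode("utf-8")


def build_batches(events, limit=MAX_CONTENT_LENGTH):
    """Group events into newline-delimited HEC request bodies, each at most `limit` bytes.

    A single event larger than the limit cannot be fixed by batching, so it is rejected
    up front instead of producing a request HEC would refuse.
    """
    batches, current, current_len = [], [], 0
    for ev in events:
        encoded = encode_event(ev)
        if len(encoded) > limit:
            raise ValueError(f"single event of {len(encoded)} bytes exceeds HEC limit of {limit}")
        extra = len(encoded) + (1 if current else 0)  # one newline separates events in a body
        if current_len + extra > limit:
            batches.append(b"\n".join(current))
            current, current_len = [], 0
            extra = len(encoded)
        current.append(encoded)
        current_len += extra
    if current:
        batches.append(b"\n".join(current))
    return batches


def classify_response(status, body):
    """Map an HEC reply to a sender action: 'ok', 'retry', 'split', or 'fix'.

    HEC replies with a JSON object containing "text" and "code"; code 0 is success.
    The action mapping is this example's policy for the HTTP status classes.
    """
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError, TypeError):
        code = None
    if 200 <= status < 300 and code == 0:
        return "ok"
    if status == 413:           # request content length exceeded: resend as smaller batches
        return "split"
    if status in (429, 503):    # transient server-side pressure: back off, resend the same batch
        return "retry"
    return "fix"                # token, authorization, index or data-format problems: operator must act


def send_batch(body, url=HEC_URL, token=HEC_TOKEN, timeout=10):
    """POST one batch over HTTPS with token authentication; returns (http_status, reply_text).

    This is the only function that touches the network; it is not exercised offline.
    """
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample events; in practice these come from your application.
    sample = [{"msg": f"request {i} completed", "status": 200} for i in range(5)]
    for batch in build_batches(sample):
        status, reply = send_batch(batch)
        print(classify_response(status, reply), status, reply)
```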

Using AWS Kinesis Data Firehose

For Splunk Cloud Platform in AWS regions, there is an additional data collection option. AWS Kinesis Data Firehose is a fully managed, scalable, and serverless option for streaming data from various AWS services directly into Splunk Cloud Platform. Setup, enablement, transformation, and sending data to your Splunk Cloud Platform environment is your responsibility. If you choose to use the Kinesis Data Firehose service for data ingestion, you are responsible for enabling and configuring AWS Kinesis Data Firehose, and for paying AWS for this service. For more information, see Install and configure the Splunk Add-on for Amazon Kinesis Firehose on a Splunk Cloud deployment in the Splunk Add-on for Amazon Kinesis Firehose manual.

Additional information about data collection

Data compression

Forwarders and HTTP Event Collectors compress data when sending over the TLS protocol. The amount of compression varies based on the content, generally at a ratio between 8:1 and 12:1.

Encryption in transit

For security, data in transit is TLS 1.2+ encrypted. Senders and receivers authorize each other, and HTTP-based data collection is secured using token-based authentication.

IP allow list

You can restrict data collection from only allowed IP addresses by using the Admin Config Service (ACS). If you do not have access to ACS in your Splunk Cloud Platform region, you can file a support ticket for Splunk to assist you with this task. For more information about ACS, see Configure IP allow lists for Splunk Cloud Platform.

Differences between Splunk Cloud Platform and Splunk Enterprise

Customers who are familiar with Splunk Enterprise architecture should not make assumptions about the architecture or operational aspects of Splunk software deployed in a customer-managed manner compared to the Splunk Cloud Platform service. The following list describes, by area, the ways that Splunk Cloud Platform differs from Splunk Enterprise.

  • Apps: To ensure security and minimize effects on performance, only vetted and compatible apps can run on Splunk Cloud Platform. The app browser in Splunk Web or Splunkbase lists vetted and compatible Splunk Cloud Platform apps. You can install some apps directly through the app browser (self-service installation). When an app cannot be self-installed, including for an IDM, you must open a support ticket and Splunk Support will install the app on your behalf.
    Your private apps can also be self-service installed. During the private app installation, Splunk automatically validates your private app for Splunk Cloud Platform. Issues identified by automated validation must be remediated. You can install private apps without the need for manual validation, and you must acknowledge the Splunk General Terms regarding the potential impact of unremediated issues to your Splunk Cloud Platform environment.
  • Command-line interface (CLI) access: Splunk Cloud Platform does not allow direct access to infrastructure by customers. As a result, you do not have CLI access to Splunk Cloud Platform. Any supported task that requires CLI access is performed by the self-service capabilities of Splunk or by filing a service ticket.
  • Data integrity control: Splunk Cloud Platform exclusively leverages SmartStore, and SmartStore-enabled indexes are not compatible with the data integrity control feature. Splunk Cloud Platform inherits the Cloud Service Provider (CSP) storage layer integrity characteristics.
  • Direct TCP, UDP, file, and syslog inputs: Splunk Cloud Platform does not accept these types of data directly. For Splunk Cloud Platform to receive data sources such as TCP, UDP, file, and syslog, you must use Splunk forwarder software as an agent to send data to Splunk Cloud Platform. This ensures reliable, managed, fault-tolerant delivery of your data into Splunk Cloud Platform.
  • Direct TCP, UDP, file, and syslog outputs: Splunk Cloud Platform does not accept unencrypted outputs at the search head tier, and does not support outputs of any kind at the indexer tier, including custom search commands such as cefout (bundled with Splunk App for CEF). This ensures reliable and fault-tolerant performance of your Splunk Cloud Platform environment.
  • Dynamic Data Active Archive: Dynamic Data Active Archive (DDAA) is only available in Splunk Cloud Platform and it is an optional subscription. DDAA offers a lower-cost option for long-term storage of your ingested data.
  • Export of your ingested data to Amazon S3 or Google Cloud Storage using Dynamic Data Self-Storage: Dynamic Data Self-Storage is only available in Splunk Cloud Platform.
  • Indexer Discovery and Indexer Acknowledgement: Indexer Discovery is not supported in Splunk Cloud Platform. For information about Indexer Acknowledgement, see Experience designations. This applies to both HEC and forwarders.
  • License pooling and exceeding purchased daily index volume: Splunk Cloud Platform does not support license pooling. In addition, you can exceed your purchased daily index volume a maximum of five times in a calendar month. For more information, review the data ingestion and daily license usage policy in Data policies in the "Subscription types" section.
  • Monitoring console: The Cloud Monitoring Console (CMC) app is included in your Splunk Cloud Platform environment. CMC replaces the Monitoring Console that is used in Splunk Enterprise. You use CMC to holistically monitor the data consumption and health of your Splunk Cloud Platform environment.
  • Multifactor authentication: While Splunk Enterprise has built-in support for multifactor authentication methods such as Duo and RSA, Splunk Cloud Platform does not support these methods of authentication. To use multifactor authentication for your Splunk Cloud Platform user accounts, you must configure a SAML v2 identity provider that supports multifactor authentication.
  • Native alerts: Splunk Cloud Platform does not provide system-level access. This means you cannot define alerts that run operating-system scripts or use other system services (although vetted and compatible apps can do so). Alerts can be sent by email or HTTPS POST using Splunk software webhooks. You might be required to set up an endpoint inside your network. If you have both Splunk Enterprise and Splunk Cloud Platform, you can run an on-premises search head to support searches that require alert actions. For more information, see Set up an Adaptive Response relay in the Administer Splunk Enterprise Security Manual.
  • Real-time search: In Splunk Cloud Platform, you open a support ticket to enable real-time search. Note that real-time searches are resource intensive and can impact the overall health and performance of your searches.
  • REST API: Differences in implementation details between Splunk Cloud Platform and Splunk Enterprise, plus the permissions of the sc_admin role, affect REST API access. In Splunk Cloud Platform, you open a support ticket to enable REST API access. In addition, Splunk Cloud Platform supports a subset of the REST API endpoints available in Splunk Enterprise. For more information, see Access requirements and limitations for the Splunk Cloud REST API in Splunk Cloud Platform REST API Tutorials.
  • Scripted and Modular Inputs: For more information, see Experience designations.
  • Search performance: Splunk Cloud Platform leverages a multi-tier storage architecture and manages the movement of data to optimize performance based on user search patterns. Generally, recently processed data (recently ingested, searched, analyzed for machine learning, and so on) will have better performance than data that has not been processed for some time. This behavior applies to all data, including metrics data.
  • sc_admin role: For the customer's administrator users, Splunk Cloud Platform provides the sc_admin role, which has sufficient capabilities to administer Splunk Cloud Platform. You can use the Splunk Cloud Platform sc_admin role for your administrator to perform self-service tasks such as installing apps, creating and managing indexes, and managing users and their passwords.
  • System user roles: Your Splunk Cloud Platform environment comes with predefined system roles and system users that are used by Splunk to perform essential monitoring and maintenance activities. You should not delete or modify these system users or roles.
  • Workload Management: Splunk Cloud Platform provides pre-configured workload pools for your use. For details, see Workload Management overview in the Splunk Cloud Platform Admin Manual.

Experience designations

Your Splunk Cloud Platform environment has one of two possible Experience designations: Victoria or Classic. To locate your Splunk Cloud Platform Experience designation in Splunk Web, see Determine your Splunk Cloud Platform Experience in the Splunk Cloud Platform Admin Manual. In the medium term, all customers will move to the Victoria Experience.

Victoria Experience and Classic Experience provide nearly identical capabilities and service limits, with the following exceptions. You can use this list as guidance to ensure the best Splunk Cloud Platform experience. Keep in mind that some limits depend on a combination of configuration, system load, performance, and available resources. Contact your Splunk representative if your requirements are different or exceed what is recommended in this list.

  • HEC Configuration
    Victoria Experience: Splunk Web and Admin Config Service (ACS) API
    Classic Experience: Splunk Web and Splunk Cloud Platform Classic endpoints
  • Hybrid search
    Victoria Experience: Not supported. Customers must use federated search.
    Classic Experience: Supported
  • Index Configuration
    Victoria Experience: Splunk Web and Admin Config Service (ACS) API
    Classic Experience: Splunk Web and Splunk Cloud Platform Classic endpoints
  • Indexer Acknowledgement
    Victoria Experience: Enabled by default
    Classic Experience: Not supported
  • Inputs Data Manager (IDM)
    Victoria Experience: Not applicable. See the next item, "Modular and scripted inputs".
    Classic Experience: When you require an app installed on the IDM, open a support ticket and Splunk Support will install the app on your behalf. For more information about the IDM, see Splunk Cloud Platform features in the Splunk Cloud Platform Admin Manual.
  • Modular and scripted inputs
    Victoria Experience: Modular and scripted inputs can now run directly on the search tier without the additional overhead of a separate IDM instance.
    Classic Experience: Modular and scripted inputs must run on a separate IDM instance or customer-managed heavy forwarder.
  • Self-Service App Installation
    Victoria Experience: Supports self-service app installation for public apps available on Splunkbase and also for apps used with premium solutions such as ES and ITSI.
    Classic Experience: Depending on the nature of the Splunkbase apps, you may be able to self-install because they have been marked so, or you may need to open a support ticket to install. For apps used with premium solutions such as ES and ITSI, all app installations are assisted installs.
  • Service Limits/Active indexes per Splunk Cloud Platform environment
    Victoria Experience: 1000
    Classic Experience: 400
  • Service Limits/Enterprise Security Correlation Searches
    Victoria Experience: 200
    Classic Experience: 60
  • Service Limits/Enterprise Security Data Models
    Victoria Experience: 20
    Classic Experience: 9
  • Service Limits/Enterprise Security Maximum Search Concurrency
    Victoria Experience: 114
    Classic Experience: 78
  • Service Limits/Enterprise Security Saved Searches
    Victoria Experience: 200
    Classic Experience: 70
  • Storage: Customer-managed encryption keys
    Victoria Experience: Not currently available
    Classic Experience: Available

If your environment was deployed on the Classic Experience, you will be converted to the Victoria Experience when Splunk determines you have satisfied the readiness prerequisites. The conversion is initiated by Splunk and does not require any engagement with Splunk Professional Services.

FedRAMP Moderate and DoD IL5 validated premium solutions and apps

Splunkbase is the system of record for app vetting and compatibility with Splunk Cloud Platform. Any app that is listed as compatible with Splunk Cloud Platform can be installed, inclusive of FedRAMP Moderate and DoD IL5. The following premium solutions and apps have been validated to operate in compliance with FedRAMP Moderate and DoD IL5. Other premium solution subscriptions not listed have not been deemed applicable to Splunk Cloud FedRAMP Moderate and DoD IL5. Deploying unvalidated premium solutions may impact the compliance of the Splunk Cloud FedRAMP and DoD IL5 environment. For other apps that fall outside of these criteria you accept the responsibility and associated risk posture.

  • Premium solutions (requires subscription)
    Splunk Enterprise Security (ES): Splunkbase ID 263
    Splunk IT Service Intelligence (ITSI): Splunkbase ID 1841
    Splunk App for PCI Compliance: Splunkbase ID 2897
  • Apps and add-ons
    Splunkbase has the most up-to-date list of FedRAMP Moderate and DoD IL5 validated apps and add-ons. To review the list, see https://splunkbase.splunk.com/apps/#/validation/fedramp_validation (Splunkbase ID: N/A)

Ingestion

The amount of data that your Splunk Cloud Platform environment can collect daily is determined by your subscription type. A workload-based subscription is sized for resource capacity and does not meter ingestion. An ingest-based subscription meters ingestion to your subscription entitlement and you can always choose a higher-level ingest-based subscription to increase the amount of data that you can collect. You can see current and past daily data ingestion information using the Cloud Monitoring Console (CMC) app that is included with your Splunk Cloud Platform environment. If you consistently exceed your subscription entitlement, contact Splunk Sales to purchase an appropriate ingest-based subscription plan to handle your volume.

During ingestion, Splunk Cloud Platform indexes incoming data so you can search it. During indexing, data is partitioned into logical indexes, which you can configure to facilitate searching and control users' access to data. Splunk Cloud Platform allows you to self-service manage your indexes across multiple tasks such as the following:

  • Creating, updating, deleting, and viewing properties of indexes
  • Modifying the retention settings for individual indexes
  • Deleting data from indexes
  • Optimizing search performance by managing the number of indexes and the data sources that are stored in specific indexes

See also

  • Limits on data collection: see Data policies in the Subscription types section
  • Best practices for creating indexes: see Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual
  • Service limits relating to indexes: see Splunk Cloud Platform service limits and constraints

Maintenance

Splunk manages and updates the Splunk Cloud Platform service uniformly, so all customers of Splunk Cloud Platform receive the most current features and functionality. This section describes the maintenance responsibilities handled by Splunk or you, the customer.

Splunk maintenance responsibilities

The following sections describe the maintenance responsibilities and tasks that Splunk does on your behalf.

Gets you started

When you first subscribe to Splunk Cloud Platform, Splunk sends you a welcome email containing the information required for you to access your Splunk Cloud Platform deployment and get started. This email contains a lot of important details, so keep it handy.

Assists you with supported tasks

Splunk Cloud Platform enables you to customize user, index, and app management through Splunk Web. However, there are features in Splunk Cloud Platform that require assistance from Splunk to activate or make changes to your configurations, such as real-time search and enabling AWS Kinesis Data Firehose data to be received. When you file a support ticket, Splunk will enable such features on your behalf. These customer-initiated changes are performed as the customer requires, and the customer contact on the Support Case will receive notice of the change once the work is scheduled. During these types of customer-initiated changes, ingest and search services are available but degraded. In most cases, login will be impacted for no more than 10 minutes. You will receive email notices when such maintenance is starting and when it is complete.

Upgrades and expands your subscriptions

By default, you will receive the current version of Splunk Cloud Platform and a compatible version of any Premium App subscriptions through Splunk-initiated Service Updates. See Current Splunk Cloud Platform and Premium App versions in the Supported versions section of this service description. If you are on a prior version of Splunk Cloud Platform and Premium App subscriptions, you will be upgraded when Splunk determines you have satisfied the Service Update readiness prerequisites or to maintain version compatibility. To ensure efficiency and agility, you will be assigned to an upgrade cohort and as Splunk releases new versions of Splunk Cloud Platform and Premium Apps, your cohort will be notified by Splunk of the upcoming maintenance window.

Note the following operational information regarding Splunk-initiated maintenance windows:

  • There is a monthly Service Update when we deliver the latest feature set for our customers and users, and a monthly Routine Maintenance for non-feature-related enhancements.
  • You are assigned a week and day slot for your maintenance windows. If your assigned maintenance window is not preferred, Splunk provides the flexibility for you to change your maintenance window to an alternate week and day slot up to 72 hours in advance of your assigned window. If changed, your new window will be used for upcoming Service Update and Routine Maintenance.
  • Splunk will notify your Operational Contacts at least 14 days in advance for Service Updates and Routine Maintenance. Operational Contacts will not receive maintenance window start and stop communications.
  • Our communications will provide specifics on whether any service will be degraded or unavailable, plus any updates to data ingestion mechanisms and applications that you are required to perform. In certain maintenance situations, data egress of Dynamic Data Self-Storage will be paused during the maintenance window.
  • If your Service Update or Routine Maintenance window extends, Splunk will notify you of the extension.
  • Splunk will make commercially reasonable efforts to notify your Operational Contacts in the rare occurrence of an unscheduled Emergency Maintenance. Our communications will provide specifics on whether any customer action, such as updates to data ingestion mechanisms and applications, is required.

In addition, we will enhance Splunk Cloud Platform on your behalf, such as increasing the amount of your daily ingestion, adding storage, enabling Premium App subscriptions and Encryption at Rest.

Ensures Splunk Cloud Platform uptime and security

Splunk continuously monitors the status of your Splunk Cloud Platform environment to ensure uptime and availability. We look at various health and performance variables such as the ability to log in, ingest data, access Splunk Web and perform searches. Splunk maintains the following:

  • A rolling 30-day history of health and utilization data to help ensure uptime and assist troubleshooting of your Splunk Cloud Platform.
  • A rolling 7-day daily backup of your ingested data and configuration files to ensure data durability.
  • The encryption keys when you purchase an encryption at rest subscription. See the Data retention section in Storage.

See also the information in the Users and Authentication section regarding the Splunk Admin and system user roles, and the certification of Splunk Cloud Platform by independent third-party auditors to meet SOC2 Type II and ISO 27001 security standards.

Your maintenance responsibilities

The following section describes your maintenance responsibilities and tasks.

Keep Operational Contacts up-to-date

Ensure that the Operational Contacts listed in your Splunk.com support portal are accurate and updated as necessary. Operational Contacts are notified when your Splunk Cloud Platform environment undergoes maintenance, requires configuration awareness, or experiences a performance-impacting event. These contacts will receive regular notifications of planned and unplanned downtime, including scheduled maintenance window alerts and email updates related to incident-triggered cases.

For more information, see the Splunk Cloud Service Maintenance Policy in the Service terms and policies section.

Review Splunk Cloud Platform documentation

Splunk will notify your Operational Contacts at least 14 days in advance for Service Updates and Routine Maintenance. To ensure your Splunk Cloud Platform environment and your team are ready, review the following sections in the Splunk Cloud Platform Release Notes prior to the maintenance:

Network connectivity and data transfer

You access your Splunk Cloud Platform environment via public endpoints, except for DoD IL5 environments. By default, for both Splunk Web access and sending your data, traffic from your network is encrypted, sent over the public internet and then routed to your Splunk Cloud Platform environment in a Virtual Private Cloud (VPC). If you choose to use private connectivity instead of the public internet to access Splunk Web and send your data, you are responsible for ensuring connectivity between your users or data sources and the Splunk Cloud Platform public endpoints. These public endpoints are protected using firewall rules and customers can also specify additional access control rules using their IP allow list. See the Splunk Cloud Platform service limits and constraints section for the maximum number of customer-defined rules.

You can restrict data collection to only allowed IP addresses by using the Admin Config Service (ACS). If you do not have access to ACS in your Splunk Cloud Platform region, you can file a support ticket for Splunk to assist you with this task. For more information about ACS, see Configure IP allow list for Splunk Cloud Platform. For any regulated Splunk Cloud Platform environment, such as HIPAA or PCI DSS, you must specify at least one address in the IP allow list.

In addition, forwarders and HTTP Event Collectors compress data when sending over TLS protocol. The amount of compression varies based on the content. For bandwidth planning, assume a compression ratio between 8:1 and 12:1.

If you are using optional AWS and Google Cloud services or resources for private connectivity to reduce your overall network costs and increase bandwidth throughput, such as Dynamic Data Self-Storage to export your aged ingested data to your Amazon S3 or Google Cloud Storage account or AWS Kinesis Data Firehose service for data ingestion, note the following:

  • You are responsible for setup, configuration, and operation of these optional AWS and Google Cloud services and resources, and any associated payments to AWS and Google Cloud.
  • You are responsible for ensuring connectivity between your users or data sources and the Splunk Cloud Platform public endpoints. Splunk Cloud Platform also does not provide a virtual gateway for data ingestion purposes.
  • These optional AWS and Google Cloud services or resources may not be available in all Splunk Cloud Platform regions. See Available regions and region differences for the regions Splunk Cloud Platform supports and also refer to the respective AWS and Google Cloud documentation for more information.

Performance considerations

A Splunk Cloud Platform workload-based subscription provisions the Splunk Virtual Compute (SVC) entitlement of your subscription level. Workload-based subscriptions do not meter ingestion. You can increase ingest and/or search load and operate the service to your desired performance objective until the SVC entitlement of your subscription reaches full utilization. As necessary, you can purchase additional SVC to increase ingest and search load or to improve performance.

A Splunk Cloud Platform ingest-based subscription plan is provisioned with adequate compute capacity. Because search workloads can vary considerably, subscription plans with a peak daily ingest of 1000 GB or greater are guaranteed an allocation of Splunk Virtual Compute as defined below.

A Splunk Virtual Compute (SVC) is a unit of capabilities in Splunk Cloud Platform that includes compute, memory, and I/O resources. SVCs are allocated to your ingest-based subscription plan based on your average daily ingest, up to a maximum of 1 SVC for every 10 GB of licensed peak daily ingest. Purchase of the Splunk Enterprise Security (ES) Premium Solution provides an incremental SVC allocation of 1 SVC for every 20 GB of licensed peak daily ingest. Purchase of the Splunk IT Service Intelligence (ITSI) Premium Solution provides an incremental SVC allocation of 1 SVC for every 20 GB of licensed peak daily ingest. The ratio of allocated SVC to licensed peak daily ingest level is subject to change with the evolving infrastructure and architecture of the service. Splunk Cloud Platform establishes SVC performance using a Splunk Search Benchmark to ensure that new ratios continue to provide the same or better levels of performance.

Search

Splunk Cloud Platform allows you to search and navigate all of the machine data that you ingest into the service. Searches can be done using the Splunk Search Processing Language (SPL), or using alternative ways to display and analyze data graphically without composing SPL queries. Searches can be ad hoc and scheduled, with results in the form of visualizations, reports, and alerts.

If you enable Dynamic Data Self-Storage to export your aged ingested data prior to deletion, any data moved from these indexes to your AWS S3 or Google Cloud Storage account will no longer be searchable by Splunk Cloud Platform. If you augment Splunk Cloud Platform with Dynamic Data Active Archive (DDAA), restored DDAA data is searchable within 24 hours of it being restored and is searchable for up to 30 days.

In Splunk Cloud Platform, you open a support ticket to enable real-time search. Note that real-time searches are resource-intensive and can impact the overall health and performance of your searches.

You can review the health and performance of your search using the Cloud Monitoring Console (CMC) app that is included in your Splunk Cloud Platform environment. CMC shows information such as long running searches, skipped scheduled searches, and average search run time.

Splunk Cloud Platform has service limits related to search, such as the maximum number of concurrent searches. This service limit and others are listed in the Splunk Cloud Platform service limits and constraints section.

See also the note about federated search limitations in Compliance and certifications and Experience designations.

Hybrid search

To examine data in Splunk Cloud Platform and your on-premises deployment of Splunk Enterprise in a single search, you can configure a Splunk Enterprise search head to connect to a Splunk Cloud Platform indexer cluster. This configuration is called hybrid search.

The following lists the conditions and limitations that apply to hybrid search, by category.

Hybrid Search Head Architecture: A single hybrid search head for ad hoc searches is supported. Splunk Cloud Platform does not support hybrid search head cluster configurations of any kind.

Hybrid Search Topology:
  • You can initiate searches from an on-premises Splunk Enterprise search head to a single Splunk Cloud Platform deployment.
  • You cannot initiate searches from an on-premises Splunk Enterprise search head to multiple Splunk Cloud Platform environments.
  • You cannot install a Splunk Premium Solution on a hybrid search head. However, you can run a hybrid search against a Splunk Cloud Platform environment that includes a premium solution, as long as the hybrid search head running the hybrid search complies with all necessary conditions and limitations. For more information about optional and compatible premium solutions that you can add to your subscription, see Splunk premium solutions.
  • You cannot initiate searches from a Splunk Cloud Platform search head to an on-premises Splunk Enterprise environment.
  • You cannot initiate searches from a Splunk Cloud Platform search head to another Splunk Cloud Platform environment.

Premium Solution: Hybrid search is not available for use with any Splunk premium solution. For a list of available premium solutions, see Splunk premium solutions.

Search Concurrency: Your Splunk Cloud Platform search concurrency limits apply to searches initiated either from the Cloud search tier or from on-premises hybrid search heads. For more information, see Splunk Cloud Platform service limits and constraints.

Search Types: Ad hoc search is supported. Scheduled search is not supported from a hybrid search head. If a scheduled search is enabled and deemed to be causing performance issues, the remediation is to disable the scheduled search.

Splunk Version Compatibility: See Supported hybrid search versions in the Supported versions section.

Federated search

Federated search is a new capability that is distinct from hybrid search. For more information, see About federated search in the Splunk Cloud Platform Search Manual.

The following lists the conditions and limitations that apply to federated search, by category.

Compliance:
  • Splunk Cloud Platform SOC2 environments are supported.
  • Splunk Cloud Platform HIPAA, IRAP, and PCI DSS environments are supported.
  • FedRAMP Moderate and DoD IL5 are not currently supported.

Federated Provider Mode:
  • Standard mode is enabled by default.
  • Transparent mode is enabled by default in 8.2.2109.

Federated Search Topology:
  • You can initiate searches from a Splunk Cloud Platform environment to one or more Splunk Cloud Platform environments.
  • You can initiate searches from a Splunk Enterprise environment to a single or multiple Splunk Cloud Platform environments.
  • You can initiate searches from a Splunk Cloud Platform environment to a Splunk Enterprise environment.

Region Support:
  • Search between AWS regions is supported, excluding GovCloud regions.
  • Search between Google Cloud regions is supported.
  • Search from on-premises to AWS regions is supported, excluding GovCloud regions.
  • Search from on-premises to Google Cloud regions is supported.
  • Search between AWS and Google Cloud regions is not currently supported.

Search Concurrency: Your Splunk Cloud Platform search concurrency limits apply to searches initiated either from the local or remote Splunk Cloud Platform search tier. For more information, see Splunk Cloud Platform service limits and constraints.

Search Tier Architecture: Any combination of search tier architecture is supported.

Search Types:
  • Ad hoc and scheduled searches are supported.
  • datamodel and tstats are supported with transparent mode, and supported in standard mode when you are searching a federated index that is mapped to a data model dataset.

Splunk Cloud Platform and Splunk Enterprise Version Compatibility:
  • For Cloud to Cloud in AWS regions: Splunk Cloud Platform 8.1.2103 or later.
  • For on-premises to Cloud in AWS regions: Splunk Enterprise 8.2 or later and Splunk Cloud Platform 8.2.2104 or later.
  • For Google Cloud, HIPAA, PCI, and IRAP: Splunk Cloud Platform 8.2.2203 or later. In addition, for Cloud to on-premises: Splunk Enterprise 9.0 or later.

See also

  • Splunk Search Processing Language: see Get started with Search in the Splunk Cloud Platform Search Manual.
  • Dynamic Data Active Archive: see Store expired Splunk Cloud Platform data to a Splunk-managed archive.
  • Dynamic Data Self-Storage: see Store expired Splunk Cloud Platform data to your private archive.
  • Cloud Monitoring Console: see Monitor your Splunk Cloud Platform Deployment in the Splunk Cloud Platform Admin Manual.
  • Hybrid search: see Configure hybrid search in the Splunk Cloud Platform Admin Manual.

Security

The security and privacy of your data is of the utmost importance to you and your organization, and Splunk makes this a top priority. Splunk Cloud Platform service is designed and delivered using key security controls described in the following sections.

App security

All Splunk apps hosted on Splunk Cloud Platform by Splunk are examined by Splunk engineers to ensure that they comply with the requirements in Vet apps and add-ons for Splunk Cloud Platform. Splunk Cloud Platform vetting provides a set of best practices for app developers. For details about how to submit an app for evaluation for Splunk Cloud Platform readiness, see the Splunk Developer web page.

Data encryption

All data in transit to and from Splunk Cloud Platform is TLS 1.2+ encrypted. To encrypt data at rest, you can purchase AES 256-bit encryption for an additional charge. Keys are rotated regularly and monitored continuously.

Data handling

You can store your data in one of the available AWS or GCP regions. See Available regions and region differences for global regions supported in the Splunk Cloud Platform service.

Data is kept in the region you choose. If you need to store your data in more than one region, you can purchase multiple subscriptions. Data is retained in Splunk Cloud Platform according to the volumes, durations, and index configurations you set. Expired data is deleted based on your pre-determined schedule.

For the purposes of disaster recovery, your configuration and recently-ingested data is backed up on a rolling seven-day window. If you require your ingested data to be moved into your control before the termination of your subscription, this is accomplished through a Splunk Professional Services engagement. Some data can be moved into your control by enabling Dynamic Data Self-Storage to export your aged data to your Amazon S3 or Google Cloud Storage account in the same region. Note that Dynamic Data Self-Storage does not export your configuration data. Depending on the amount of data and the work involved, we may charge for this service. For more information on Splunk Cloud Platform data management, see Review Splunk Cloud Platform data policies and also Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual.

Instance security

Every Splunk Cloud Platform deployment runs in a secured environment on a stable operating system and in a network that is hardened to industry standards using a default-deny firewall policy, which permits access only to specific IP addresses and services. Your deployment is regularly scanned for host- and application-level threats.

Isolation of data and service

In the cloud, your data is logically isolated from other customers' data, so your performance and data integrity cannot be affected by other customers who are using the Splunk Cloud Platform service.

Security controls and background screening

Splunk security controls are described in our most recent Service Organization Control II, Type II Report (SOC 2/Type 2 Report). For more information about regions for which Splunk does not have SOC2 controls in place, see the Splunk Cloud Platform Security Addendum. Splunk conducts criminal background checks on its employees prior to hire, as permitted by law.

User authentication and access

You can configure authentication using Lightweight Directory Access Protocol (LDAP), Active Directory (AD), and single sign-on using any SAML v2 identity provider. To control what your Splunk Cloud Platform users can do, you assign them roles that have a defined set of specific capabilities. Splunk Cloud Platform enables you to configure account policies that require unique user names, minimum password length, and regular password resets with supported SAML v2 identity providers and LDAP. To enable multifactor authentication, customers must configure a SAML v2 identity provider that supports multifactor authentication. Only SHA-256 signatures in the SAML message between your IdP and Splunk Cloud Platform are supported.
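
The SHA-256 requirement above is easy to miss when an identity provider still defaults to SHA-1 signing. The following is an added example, not part of this service description or any Splunk tool, of a pre-cutover check that reads the SignatureMethod and DigestMethod algorithm identifiers from every ds:Signature in a SAML message and reports anything that is not SHA-256. The two SAML responses it inspects are constructed skeletons with placeholder digest and signature values; the algorithm URIs are the standard XML Signature identifiers, and the accepted set (RSA and ECDSA with SHA-256) is an assumption of the example.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Standard XML Signature algorithm identifiers. Which of the SHA-256 signature
# methods an IdP will emit depends on its key type; accepting both RSA and
# ECDSA here is an assumption of this example, not a Splunk statement.
SHA256_SIGNATURE_METHODS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}
SHA256_DIGEST_METHOD = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Legacy identifiers that a SHA-256-only relying party rejects.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"


def signature_algorithms(saml_xml):
    """Return (signed element name, SignatureMethod, [DigestMethod, ...]) per ds:Signature.

    A response may carry a signature on the Response, on each Assertion, or both,
    so every ds:Signature is reported along with the element it sits in.
    """
    root = ET.fromstring(saml_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        owner = parent_of.get(sig, root).tag.split("}")[-1]
        signed_info = sig.find(f"{{{DS}}}SignedInfo")
        method = None
        digests = []
        if signed_info is not None:
            node = signed_info.find(f"{{{DS}}}SignatureMethod")
            method = node.get("Algorithm") if node is not None else None
            digests = [d.get("Algorithm") for d in signed_info.iter(f"{{{DS}}}DigestMethod")]
        found.append((owner, method, digests))
    return found


def check_sha256_only(saml_xml):
    """Return a list of findings; an empty list means every signature is SHA-256 throughout."""
    findings = []
    signatures = signature_algorithms(saml_xml)
    if not signatures:
        findings.append("no ds:Signature element present")
    for owner, method, digests in signatures:
        if method not in SHA256_SIGNATURE_METHODS:
            findings.append(f"{owner}: SignatureMethod {method} is not SHA-256")
        for digest in digests:
            if digest != SHA256_DIGEST_METHOD:
                findings.append(f"{owner}: DigestMethod {digest} is not SHA-256")
    return findings


def build_response(signature_method, digest_method):
    """Constructed, non-functional SAML Response skeleton (placeholder digest and signature values)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_asrt1" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="{signature_method}"/>
        <ds:Reference URI="#_asrt1">
          <ds:DigestMethod Algorithm="{digest_method}"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


LEGACY_RESPONSE = build_response(RSA_SHA1, SHA1)            # what a SHA-1 IdP still sends
COMPLIANT_RESPONSE = build_response(RSA_SHA256, SHA256_DIGEST_METHOD)

if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY_RESPONSE), ("compliant", COMPLIANT_RESPONSE)):
        print(label, check_sha256_only(doc) or "OK")
```

Run the check against a real SAML response captured from the IdP's test flow before switching Splunk Cloud Platform over to it; a legacy IdP produces two findings (signature method and digest method), a correctly configured one none. The check only reads algorithm identifiers; it does not verify the signature itself, which the service does at login.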

See also

  • Splunk data privacy, security and compliance: see Splunk Protects.
  • Availability of service components between the AWS and Google Cloud regions: see Region differences.

Self-service capabilities

The following lists common Splunk Cloud Platform self-service tasks by area, together with the interfaces through which they are performed. For more information regarding these self-service tasks, refer to the respective Splunk Cloud Platform manual.

Data Collection
  • Example tasks: Forwarder Management; HEC Configuration
  • Interface: Splunk Web; Admin Config Service

Health Monitoring
  • Example tasks: Search performance; Active users; Ingestion volume
  • Interface: Cloud Monitoring Console

Ingestion
  • Example tasks: Index Management
  • Interface: Admin Config Service; Splunk Web

Network Connectivity and Data Transfer
  • Example tasks: IP Allow List management; Outbound port management; Export expired data
  • Interface: Admin Config Service; Splunk Web

Search
  • Example tasks: Search Configuration; Workload Management; Search Concurrency Limits
  • Interface: Splunk Web

Splunkbase and private app
  • Example tasks: Installation and updates
  • Interface: Admin Config Service; Splunk Web

Subscription entitlement and usage monitoring
  • Example tasks: Splunk Virtual Compute (SVC) usage; Active Searchable and Active Archive storage usage
  • Interface: Cloud Monitoring Console

Users and Authentication
  • Example tasks: Manage users and roles; Configure central authentication; Manage authentication tokens
  • Interface: Splunk Web; Admin Config Service

Service level agreement

Splunk provides an uptime SLA for Splunk Cloud Platform and will use commercially reasonable efforts to make the Services available. You will receive service credits in the event of SLA failures, as set forth in our current SLA schedule. As Splunk Cloud Platform is offered uniformly across all customers, the SLA cannot be modified on a customer by customer basis.

Splunk Cloud Platform is considered available if you are able to log into your Splunk Cloud Platform Service account and initiate a search using Splunk Software. Splunk continuously monitors the status of each Splunk Cloud Platform environment to ensure the SLA. In addition, Splunk Cloud Platform monitors several additional health and performance variables, including but not limited to the following:

  • Ability to log into Splunk Cloud Platform (non-SAML)
  • Ability to access Splunk Web
  • Ability to access a Splunk REST API endpoint
  • Ability to perform searches against an internal Splunk index
  • Ability to ingest data cluster wide
  • Presence of unsupported configurations

Splunk adds predefined system users and system roles to all Splunk Cloud Platform environments. Splunk leverages system users or roles to perform essential monitoring and maintenance activities in Splunk Cloud Platform environments. Customers are advised not to delete or edit system users or roles, because they are essential to performing monitoring and maintenance activities in Splunk Cloud Platform environments.

See also

  • Scripted and modular inputs: see Experience designations.
  • Splunk Cloud Platform system users: see Manage Splunk Cloud Platform users and roles in the Splunk Cloud Platform Admin Manual.
  • SLA for Splunk Cloud Platform: see Splunk Cloud Service - Service Level Schedule.

Service limits and constraints

The following are Splunk Cloud Platform service limits and constraints. These service limits may vary based on your Splunk Cloud Platform subscription. You can use this list as guidance to ensure the best Splunk Cloud Platform experience. Keep in mind that some limits depend on a combination of configuration, system load, performance, and available resources. Unless noted, the service limit is identical for both Classic and Victoria experience designations. Contact Splunk if your requirements are different or exceed what is recommended in this table.

Splunk Cloud Platform service limits and constraints

Each entry below gives the category and service component, the limitation, and additional information.

Apps: Private apps
  Limitation: 250
  This is the maximum tested limit for self-service private app management. If you exceed this soft service limit, you may experience issues with performing self-service app management.

Data Collection: HEC maximum content length size limit
  Limitation: 1 MB
  There is a recommended limit to the HEC payload size in Splunk Cloud Platform to ensure data balance and ingestion fidelity. A HEC request can have one or more Splunk events batched into it, but the payload size should be no larger than this limit. If you exceed this limit, you may experience performance issues related to data balance and ingestion fidelity.

Data Egress: Dynamic Data Self-Storage export of aged data per index from Splunk Cloud Platform to Amazon S3 or Google Cloud Storage
  Limitation: No limit to the amount of data that can be exported from your indexes to your Amazon S3 or Google Cloud Storage account in the same region.
  Dynamic Data Self-Storage is designed to export 1 TB of data per hour.

Data Egress: Search results via UI or REST API
  Limitation: Recommend no more than 5% of ingested data
  For optimal performance, no single query, or all queries in aggregate over the day from the UI or REST API, should return full results of more than 5% of ingested daily volume. To route data to multiple locations, consider solutions like AWS Kinesis Data Firehose.

Data Egress: Search results to Splunk User Behavior Analytics (UBA)
  Limitation: No limit
  Data as a result of search queries to feed into Splunk User Behavior Analytics (UBA).

Email notifications: Maximum number of email recipients
  Limitation: 50
  This is a hard limit of the Splunk Cloud Platform email relay service. Use an email distribution list to increase the number of email recipients.

Email notifications: Maximum email attachment size
  Limitation: 10 MB
  This is a hard limit of the Splunk Cloud Platform email relay service.

Ingestion: Maximum active indexes per Splunk Cloud Platform environment
  Limitation: See "Service Limits/Active indexes per Splunk Cloud Platform environment" in the Experience designations table.
  This is the maximum tested limit to the number of active indexes per Splunk Cloud Platform environment. Note that there are different service limits for the Victoria and Classic experiences. The best practice is to maintain no more than the maximum tested limit of active indexes for each Splunk Cloud Platform environment.

KV Store: Maximum collection size
  Limitation: 25 GB
  This is the maximum size of a single collection that is tested with KV Store per Splunk Cloud Platform environment.

KV Store: Total maximum size
  Limitation: 100 GB
  This is the total maximum recommended size of KV Store across all collections per Splunk Cloud Platform environment.

Other: Splunk Cloud Platform ID
  Limitation: For AWS regions, a minimum of 2 characters and a maximum of 22 characters. Any lowercase letter from the alphabet, any number from 0 to 9, and the hyphen character are allowed. All other ASCII characters are not allowed. For Google Cloud regions, a minimum of 4 characters and a maximum of 22 characters. The ID must start with a letter. Any lowercase letter from the alphabet, any number from 0 to 9, and the hyphen character are allowed. All other ASCII characters are not allowed.
  This is the unique Splunk Cloud Platform name chosen by you that determines your URL at [Splunk Cloud Platform ID].splunkcloud.com or [Splunk Cloud Platform ID].splunkcloudgc.com. Splunk has discretion to decline a submitted Splunk Cloud Platform ID and can request that an alternative be selected.

Search: Federated search
  Limitation: 5
  This is the maximum tested limit for the number of Splunk Cloud Platform and Splunk Enterprise local deployments used with federated search. If you exceed this soft service limit, you may experience issues with performing federated search.

Search: join command for subsearch
  Limitation: 50,000
  The join command combines the results of a subsearch with the results of a main search. This limit is the maximum number of result rows in the output of a subsearch that can be joined against a main search. For more information, see the join command in the Splunk Cloud Platform Search Reference.

Search: Knowledge Bundle replication size
  Limitation: 3 GB
  This is the hard limit on the Knowledge Bundle replication size. If the Knowledge Bundle exceeds this service limit, the search tier will not push the bundle to the indexer tier. Searches on the indexer tier will instead use the previously pushed bundle, which will be within the size limit.

Search: Maximum search concurrency per Splunk Cloud Platform environment
  Limitation: 390
  This is the standard limit to the number of ad hoc and scheduled searches that a Splunk Cloud Platform environment can concurrently admit, as tracked in metrics.log. Search concurrency limits apply to searches initiated either from the Cloud search tier or from on-premises hybrid and federated search heads. If you require search concurrency beyond the standard limit, you may be able to obtain it by optimizing your existing search workload or by contacting your Splunk sales representative to increase your SVC entitlement. For more information on setting percentages of concurrency for scheduled and summarization searches, see Configure Search Settings in Splunk Cloud Platform.

Search: Search concurrency per Premium Solution, for the following:
  • Splunk App for Microsoft Exchange
  • Splunk App for VMware
  Limitation: 38
  When you add these Premium App subscriptions to Splunk Cloud Platform, additional search processes are available for each Premium App. These search processes are exclusive to the Premium Solution subscription.

Search: Scheduled search
  Limitation: 700,000 searches/day
  This is the maximum tested limit of scheduled searches that can be scheduled successfully. This limit applies to customers with a workload subscription entitlement of less than 166 SVC or an ingest subscription entitlement of 1 TB or less. If you exceed this soft service limit, you may experience issues with scheduled search completion. Note that other factors, such as the search concurrency limit or the nature of the searches, may additionally limit the number of successful scheduled searches that run.

Search: Scheduled search
  Limitation: 1.5 M searches/day
  This is the maximum tested limit of scheduled searches that can be scheduled successfully. This limit applies to customers with a workload subscription entitlement of 166 SVC and higher or an ingest subscription entitlement of more than 1 TB. If you exceed this soft service limit, you may experience issues with scheduled search completion. Note that other factors, such as the search concurrency limit or the nature of the searches, may additionally limit the number of successful scheduled searches that run.

Security: IP allow list address rules per Splunk Cloud Platform environment in AWS regions
  Limitation: 230
  This is the aggregate hard limit of the IP allow list groups for the Splunk Cloud Platform service. For example, the service limit is the aggregate of the IP allow list for collecting data and the IP allow list for sending search queries. Customers specify the IP address or IP address range that is permitted to access Splunk Cloud Platform and those from which Splunk Cloud Platform can collect data (forwarders and HEC) and send search queries. These are generically referred to as IP allow list rules. These rules can be configured to use CIDR blocks to maximize the IP allow list coverage.

Security: IP allow list address rules per Splunk Cloud Platform environment in Google Cloud regions
  Limitation: 250
  This is the hard limit per IP allow list group. For example, the IP allow list service limit for collecting data is separate from the one for sending search queries. Customers specify the IP address or IP address range that is permitted to access Splunk Cloud Platform and those from which Splunk Cloud Platform can collect data (forwarders and HEC) and send search queries. These are generically referred to as IP allow list rules. These rules can be configured to use CIDR blocks to maximize the IP allow list coverage.

Workload Management: Workload Rules
  Limitation: 100
  You can configure up to 100 Workload Rules.
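
The Network connectivity section above says you restrict collection to allowed addresses through ACS, and the two IP allow list entries above give the rule limits (230 in aggregate for AWS regions, 250 per group for Google Cloud regions) and recommend CIDR blocks to maximize coverage. The following is an added example, not part of this service description or of ACS, of a check to run over a rule set before submitting it: it collapses overlapping and adjacent CIDRs into the fewest rules covering the same addresses, flags a rule broad enough to defeat the control, flags an empty group where a regulated environment needs at least one entry, and compares the resulting rule counts against the stated limits. The group names, the regulated flag, and the /16 (IPv4) and /48 (IPv6) thresholds for "broad" are assumptions of the example, and the rule sets it runs on are constructed.

```python
import ipaddress

# Hard limits stated in this service description.
AWS_AGGREGATE_RULE_LIMIT = 230   # aggregate across all IP allow list groups (AWS regions)
GCP_PER_GROUP_RULE_LIMIT = 250   # per IP allow list group (Google Cloud regions)
# Prefix lengths below which a rule is reported as overly broad (assumption of this example).
BROAD_PREFIX_V4 = 16
BROAD_PREFIX_V6 = 48


def collapse_rules(rules):
    """Parse allow list entries (single IPs or CIDRs) and merge overlapping or adjacent ones.

    strict=False normalises a host address with a mask (10.1.2.3/24 -> 10.1.2.0/24);
    a bare address becomes a /32 or /128. IPv4 and IPv6 are collapsed separately
    because ipaddress.collapse_addresses rejects mixed versions.
    """
    v4, v6 = [], []
    for entry in rules:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        (v4 if net.version == 4 else v6).append(net)
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def review_allow_lists(groups, cloud, regulated=False):
    """Review allow list groups before submission.

    groups maps a group name (e.g. 'hec', 'forwarders', 'search') to its rules.
    cloud is 'aws' or 'gcp' and selects which limit applies.
    Returns (collapsed rules per group as strings, list of (code, group, detail) findings).
    """
    if cloud not in ("aws", "gcp"):
        raise ValueError("cloud must be 'aws' or 'gcp'")
    collapsed = {name: collapse_rules(rules) for name, rules in groups.items()}
    findings = []
    for name, nets in collapsed.items():
        if regulated and not nets:
            findings.append(("empty-group", name,
                             "regulated environments require at least one allow list entry"))
        for net in nets:
            threshold = BROAD_PREFIX_V4 if net.version == 4 else BROAD_PREFIX_V6
            if net.prefixlen < threshold:
                findings.append(("broad-rule", name, f"{net} admits {net.num_addresses} addresses"))
        if cloud == "gcp" and len(nets) > GCP_PER_GROUP_RULE_LIMIT:
            findings.append(("over-limit", name,
                             f"{len(nets)} rules exceed the {GCP_PER_GROUP_RULE_LIMIT}-rule per-group limit"))
    total = sum(len(nets) for nets in collapsed.values())
    if cloud == "aws" and total > AWS_AGGREGATE_RULE_LIMIT:
        findings.append(("over-limit", "*",
                         f"{total} rules across all groups exceed the {AWS_AGGREGATE_RULE_LIMIT}-rule aggregate limit"))
    return {name: [str(n) for n in nets] for name, nets in collapsed.items()}, findings


# Constructed sample: three adjacent/overlapping HEC entries, a wide-open forwarder
# rule, and an empty search group (documentation address ranges, not real sources).
SAMPLE_GROUPS = {
    "hec": ["203.0.113.0/26", "203.0.113.64/26", "203.0.113.10"],
    "forwarders": ["0.0.0.0/0"],
    "search": [],
}

if __name__ == "__main__":
    rules, findings = review_allow_lists(SAMPLE_GROUPS, "aws", regulated=True)
    print(rules)
    for code, group, detail in findings:
        print(f"{code:12} {group:12} {detail}")
```

Collapsing runs before the count check because the limit applies to rules as submitted: two adjacent /26 entries and a host already inside them become one /25, which is the coverage-maximising form the limit entries describe.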

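The HEC entry above recommends a request payload of no more than 1 MB and notes that one request may batch several events. The following is an added example, not Splunk's code, of a client-side batcher that packs events into request bodies under that limit and rejects a single event that cannot fit rather than splitting it. The sample events are constructed; the body format, JSON event objects concatenated in one request, is the one the HEC /services/collector endpoint accepts for batched events.

```python
import json

# Recommended per-request payload size from this service description: 1 MB.
HEC_MAX_PAYLOAD_BYTES = 1024 * 1024


def encode_event(event):
    """Serialise one event as compact JSON, the per-event form HEC accepts."""
    return json.dumps(event, separators=(",", ":")).encode("utf-8")


def batch_events(events, max_bytes=HEC_MAX_PAYLOAD_BYTES):
    """Pack events into request bodies no larger than max_bytes.

    HEC accepts several JSON event objects back to back in one request body, so
    events are joined without a separator and the body size is the sum of the
    encoded events. Returns a list of (body, event_count) tuples. A single event
    larger than the limit cannot be split without corrupting it, so it raises.
    """
    batches, current, current_size = [], [], 0
    for event in events:
        blob = encode_event(event)
        if len(blob) > max_bytes:
            raise ValueError(f"event of {len(blob)} bytes exceeds the {max_bytes}-byte payload limit")
        if current and current_size + len(blob) > max_bytes:
            batches.append((b"".join(current), len(current)))
            current, current_size = [], 0
        current.append(blob)
        current_size += len(blob)
    if current:
        batches.append((b"".join(current), len(current)))
    return batches


def sample_events(count, padding=900):
    """Constructed sample events (not real data) shaped like HEC JSON events."""
    return [
        {"time": 1700000000 + i, "sourcetype": "example:constructed", "index": "main",
         "event": {"seq": i, "msg": "x" * padding}}
        for i in range(count)
    ]


if __name__ == "__main__":
    # Roughly 3 MB of events, so expect three or so bodies, each under the limit.
    for body, n in batch_events(sample_events(3000)):
        print(f"{n} events, {len(body)} bytes")
```

Each returned body is one POST to the collector endpoint with the usual Authorization header; the batcher itself does no network I/O. Keeping bodies at the recommended size, rather than one event per request, avoids both the per-request overhead of tiny payloads and the data balance issues the entry warns about for oversized ones.
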
Enterprise Security service limits and constraints

Each entry below gives the category and service component, the limitation, and additional information.

Enterprise Security: Automatic Lookups
  Limitation: For Enterprise Security's Assets & Identities Automatic Lookups, you must select which sourcetypes to apply the lookup to. Globally configured automatic lookups for A&I are not supported.
  Assets & Identities lookups are used to enrich your raw and notable events. Due to the additional impact they have on search runtimes, we recommend automatically applying those lookups only on the sourcetypes needed. For more information on A&I lookup configuration, see Manage correlation setup in Splunk Enterprise Setup.

Enterprise Security: Correlation Searches
  Limitation: See "Service Limits/Enterprise Security Correlation Searches" in the Experience designations table.
  This was the limit tested for Enterprise Security on Splunk Cloud Platform. Note that there are different service limits for the Victoria and Classic experiences. A correlation search is a type of scheduled search. Correlation searches are a part of Enterprise Security, and are used to generate notable events or execute other adaptive response actions. If your use case exceeds the tested limit and is deemed to be causing performance issues, the remediation is to change the configured limit to no more than the tested limit. See Correlation search overview for Splunk Enterprise Security.

Enterprise Security: Data Models
  Limitation: See "Service Limits/Enterprise Security Data Models" in the Experience designations table.
  This was the limit tested for Enterprise Security on Splunk Cloud Platform. Note that there are different service limits for the Victoria and Classic experiences. Data models and data model acceleration are critical components of Enterprise Security. To provide the best experience possible for customers, we suggest a maximum of 9 accelerated models. The most common data models deployed are: Change, Endpoint, Authentication, Intrusion Detection, Network Sessions, Network Resolution, Network Traffic, Web, and Performance. If your use case exceeds the tested limit and is deemed to be causing performance issues, the remediation is to change the configured limit to no more than the tested limit. See Configure data models for Splunk Enterprise Security.

Enterprise Security: Maximum ES search concurrency per Splunk Cloud Platform environment
  Limitation: See "Service Limits/Enterprise Security Search Concurrency" in the Experience designations table.
  When you add an Enterprise Security subscription to Splunk Cloud Platform, additional search processes are available for it, in addition to the search concurrency included in the Splunk Cloud Platform subscription. This is the standard limit to the number of searches that Enterprise Security can concurrently admit, as tracked in metrics.log. If you require ES search concurrency beyond the standard limit, you may be able to obtain it by optimizing your existing search workload or by contacting your Splunk sales representative to increase your SVC entitlement.

Enterprise Security: Saved Searches
  Limitation: See "Service Limits/Enterprise Security Saved Searches" in the Experience designations table.
  This was the limit tested for Enterprise Security on Splunk Cloud Platform. Note that there are different service limits for the Victoria and Classic experiences. Saved Searches refers to any scheduled searches that run on the ES search tier. Enterprise Security on Splunk Cloud Platform uses saved searches for a variety of use cases, such as search-driven lookups. Overall ES performance can vary based on search schedule, timespan, and search string. If your use case exceeds the tested limit and is deemed to be causing performance issues, the remediation is to change the configured limit to no more than the tested limit. See Create and manage search-driven lookups in Splunk Enterprise Security.

Search: Scheduled Search
  Limitation: 700,000 searches/day
  This is the maximum tested limit of scheduled searches that can be scheduled successfully. If you exceed this soft service limit, you may experience issues with scheduled search completion. Note that other factors, such as the search concurrency limit or the nature of the searches, may additionally limit the number of successful scheduled searches that run.

IT Service Intelligence service limits and constraints

Category Service component Limitation Additional information
Search Total Search Concurrency 150 When you add an IT Service Intelligence subscription to Splunk Cloud Platform, additional search processes are available for it. This starting point scales up at higher ingestion rates and also for workload-based subscriptions.
Event Analytics Alert Ingestion 10,000 alerts per minute You can ingest up to 10,000 alerts per minute into Event Analytics with your Correlation Searches.
Event Analytics Correlation Searches 15 You can configure up to 15 Correlation Searches.
Event Analytics Notable Event Aggregation Policies 15 You can configure up to 15 Notable Event Aggregation Policies.
Search Scheduled Search 700,000 searches per day This is the maximum tested limit of scheduled searches that can be scheduled successfully.

If you exceed this soft service limit, you may experience issues with scheduled search completion. Note that other factors such as search concurrency limit or the nature of searches may additionally limit the number of successful scheduled searches that run.

Service Insights Service Templates 500 Services per Service Template You can configure up to 500 Services per Service Template, with a limit of 5,000 services in total.

Splunk premium solutions

You can optionally purchase Splunk apps and premium solutions subscriptions on Splunk Cloud Platform. As part of the subscription, the Splunk Cloud Platform environment is enhanced to support the premium solution. Splunk will install the premium solution on your behalf and will also upgrade the premium solution when a new version is vetted for Splunk Cloud Platform. Multiple premium solution subscriptions can run concurrently on the same Splunk Cloud Platform environment. Any customization of the premium solution can be done by you or through a Splunk Professional Services engagement. Splunk support will not be able to assist in tailoring the premium solution to your use case. The following premium solution subscriptions are available for Splunk Cloud Platform:

  • Splunk Enterprise Security (ES)
  • Splunk IT Service Intelligence (ITSI)
  • Splunk App for PCI Compliance

End of Sale has been announced for Splunk App for Microsoft Exchange and Splunk App for VMware. Existing Splunk App for Microsoft Exchange and Splunk App for VMware subscribers will continue to be supported.

Machine Learning Toolkit (MLTK) is compatible with Splunk Cloud Platform and supports a variety of use cases. Depending on the use case and algorithm used, the MLTK app can be compute intensive. Splunk recommends that you consult your Splunk technical resource and the MLTK documentation before installing the MLTK app on Splunk Cloud Platform. In addition, Splunk recommends adding the ML-SPL Performance App for the Machine Learning Toolkit so that you know the resource utilization impact of MLTK. These steps ensure that MLTK best practices are implemented on Splunk Cloud Platform.

The following premium solutions are compatible with Splunk Cloud Platform but no subscription is available on Splunk Cloud Platform. Installation and configuration of these premium solutions can be done by you or through a Splunk Professional Services engagement. Splunk support will not be able to assist with installation and configuration of the following premium solutions as part of your Splunk Cloud Platform subscription:

For more information on these Splunk premium solutions, contact your Splunk sales representative.

Splunkbase and private apps

Apps and add-ons include features and functionality ranging from the simplification of data ingest to unique and valuable visualizations. To ensure security and minimize effects on performance, only vetted and compatible apps can run on Splunk Cloud Platform. Note the following:

  • Splunkbase is the system of record for app vetting and compatibility with Splunk Cloud Platform. Any app that is listed as compatible with Splunk Cloud Platform can be installed, inclusive of FedRAMP Moderate and DoD IL5.
  • For FedRAMP Moderate and DoD IL5, Splunk's scope of responsibility for apps and add-ons pertains only to apps that meet all the following criteria:
    • Splunk Authored
    • Splunk Supported
    • Splunk Cloud Platform Compatible
  • Splunk provides support and maintenance for Splunk Supported Apps. In addition, Splunk Cloud Platform ensures compatibility for any installed Splunk Supported Apps before commencing Splunk Cloud Platform upgrades.
  • Splunk does not provide support or maintenance for apps published by any third-party developers. For any Developer Supported or Not Supported Apps, you need to ensure compatibility with Splunk Cloud Platform.
  • Compatibility of Developer Supported or Not Supported Apps is asserted by the developers of those apps. Splunk does not perform compatibility testing of third-party apps with specific versions of Splunk Cloud Platform.
  • Splunk support will not be able to assist in tailoring the Splunkbase apps to your use case. For apps that grant you the license to customize, you will need to perform the customization yourself or through a Splunk Professional Services engagement.

For more information, see the following:

Apps that are Splunk Cloud Platform vetted and compatible are listed in either the app browser in Splunk Web or through Splunkbase. For more information about self-service app installation, see Experience designations.

Splunk Secure Gateway is included in Splunk Cloud Platform, except for FedRAMP Moderate and DoD IL5. Splunk Secure Gateway lets you configure your Connected Experiences mobile app deployment and register devices to Splunk Cloud Platform environments. For more information, see the Splunk Secure Gateway documentation.

Apps you create to support your business needs are called private apps and these apps can also be self-service installed on Splunk Cloud Platform. During the private app installation, Splunk will automatically validate your app for Splunk Cloud Platform. Issues identified by automated validation must be remediated. You can install private apps without the need for manual validation and you must acknowledge the Splunk General Terms regarding potential impact of unremedied issues to your Splunk Cloud Platform environment. Private apps that are developed wholly by you are owned by you and any customization of your private app is outside the scope of the Splunk Cloud Platform subscription.

For more information about apps, see the following topics in the Splunk Cloud Platform Admin Manual:

Storage

This section describes the data retention policy and the types of storage available to you.

Data retention

When you send data to Splunk Cloud Platform, it is stored in indexes and you can self-manage your Splunk Cloud Platform indexes settings using the Indexes page in Splunk Web. Splunk Cloud Platform retains data based on index settings that enable you to specify when data is to be deleted. To configure different data retention settings for different sources of data, store the data in separate indexes according to the desired retention policy. You can configure different data retention policies for individual indexes according to your auditing and compliance requirements.

Each index lets you specify the maximum age of events in the index (the Retention (days) field on the Indexes page) that the service uses to determine when to delete data. When the index reaches its maximum size, or events exceed the specified maximum age, the oldest data is deleted. Once data is deleted from an index, it is no longer searchable in Splunk Cloud Platform.

The following are the types of storage available in a Splunk Cloud Platform subscription:

  • Dynamic Data Active Searchable (DDAS) is used for searching ingested data. DDAS is also commonly known as searchable storage. You can optionally purchase additional DDAS in 500 GB increments.
  • Dynamic Data Active Archive (DDAA) is used as a long term storage and data in DDAA can be restored to DDAS to be searched. You can optionally purchase additional DDAA in 500 GB increments.

For both DDAS and DDAA, you can choose to have your data encrypted at rest using AES 256-bit encryption for an additional charge. If you choose encryption at rest, Splunk manages the encryption keys on your behalf by default. If available in your region, you have the option to manage the encryption keys instead.

You can review your storage consumption in the Cloud Monitoring Console app included in your Splunk Cloud Platform environment. The app provides information such as the amount of data stored and the number of days of retention for each index.

For more information about the data that Splunk retains and maintains on your behalf, see the Ensures Splunk Cloud Platform uptime and security section in Splunk maintenance responsibilities.

Dynamic Data Active Searchable (DDAS)

DDAS in your Splunk Cloud Platform environment should be sized based on the volume of uncompressed data that you want to index on a daily basis. For workload-based subscriptions, you purchase DDAS based on your data retention requirements, which gives you the flexibility to accommodate variability in your use case. For example, if your forecasted daily volume of uncompressed data is 1 TB and your searchable retention need is 365 days, your Splunk Cloud Platform environment should be sized to have 365 TB of DDAS. On a quarterly basis, Splunk will true-up your DDAS storage usage for any overages. Ingest-based subscriptions include sufficient DDAS to store up to 90 days of your uncompressed data. For example, if your daily volume of uncompressed data is 100 GB, your Splunk Cloud Platform environment will have 9000 GB (9 TB) of DDAS. Note the following:

  • If you ingested far more data than your initial estimate and thus exceeded your entitled DDAS capacity, the Splunk Cloud Platform service elastically expands the amount of DDAS to retain your data per your retention settings.
  • While DDAS is elastically expanded to ensure your data does not age out prematurely, consistently ingesting beyond your estimate may affect search performance.

Dynamic Data Active Archive (DDAA)

If you require a lower cost option for long term storage of data, you can optionally augment Splunk Cloud Platform with DDAA. As data ages from DDAS based on your index retention setting, the aged data is automatically moved to DDAA before deletion. Data remains in DDAA until the DDAA retention setting that you specify expires.

Your DDAA subscription enables you to perform restores, subject to the amount of DDAS you have purchased as part of your Splunk Cloud Platform subscription. An additional 10% of DDAS is included with your DDAA subscription to assist with restores. The 10% is calculated based on the total DDAS amount in your subscription. For example, a workload-based subscription that has a 10 TB DDAS entitlement will have an additional 1 TB of DDAS added with a DDAA subscription, effectively increasing the DDAS entitlement to 11 TB. Note that this additional 1 TB should be considered as reserved for DDAA restores, as any restore volumes that result in surpassing the DDAS entitlement may incur a true-up cost.

Note the following:

  • Restored DDAA data is typically ready to search within 24 hours after a restoration request and remains searchable for up to 30 days.
  • Large amounts of DDAA data restore can take beyond 24 hours to complete.
  • Multiple restores that overlap within a 30-day period will accrue against the additional 10% of searchable storage included with your DDAA subscription.
  • For workload-based subscriptions, on a quarterly basis, Splunk will true-up your DDAA usage for any overages.

Dynamic Data Self-Storage (DDSS)

You can also export your aged data from Splunk Cloud Platform. If you enable Dynamic Data Self-Storage (DDSS) to export your aged ingested data, the oldest data is moved to your Amazon S3 or Google Cloud Storage account in the same region as your Splunk Cloud Platform deployment before it is deleted from the index.

Note the following:

  • You are responsible for payments for your use of Amazon S3 or Google Cloud Storage.
  • Aged data is exported unencrypted by Splunk to your Amazon S3 or Google Cloud Storage account; protection of the exported objects at rest depends on the encryption and access controls configured on your own bucket.

See also

For more information about See
Exporting your aged ingested data Store expired Splunk Cloud Platform data to your private archive
Archiving your aged ingested data Store expired Splunk Cloud Platform data to a Splunk-managed archive
Managing indexes Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual
Cloud Monitoring Console Monitor your Splunk Cloud Platform Deployment in the Splunk Cloud Platform Admin Manual
Availability of service components between the AWS and Google Cloud regions Region differences

Subscription types

Your subscription to the Splunk Cloud Platform service is workload-based. By exception, you may be on an ingest-based subscription. Both subscription types include either Standard Success Plan or Premium Success Plan. For more information, refer to the Splunk Success Plan.

Workload-based subscription

This subscription is based on the resource capacity consumed rather than the data volume ingested. Your subscription entitles you to the purchased workload resources and this subscription does not meter ingestion. You can increase ingest and/or search load and operate the service to your desired performance objective. As necessary, you can purchase additional resource capacity to increase ingest and search load or to improve performance. You purchase units of storage blocks based on your data retention requirements for your workload-based subscription. If you ingested far more data than your initial estimate and thus exceeded your purchased storage capacity, the Splunk Cloud Platform service elastically expands the amount of storage to retain your data per your retention settings. On a quarterly basis, Splunk will true-up your storage for any overages. The Cloud Monitoring Console and Splunk Web provide you with the total amount of data retained at any given time.

Ingest-based subscription

By exception, you may be on an ingest-based subscription. An ingest-based subscription for Splunk Cloud Platform is based on the volume of uncompressed data that you want to index on a daily basis. The subscription pricing also includes a fixed amount of data storage. If you ingest more data than your entitlement and thus exceed your storage entitlement, the Splunk Cloud Platform service elastically expands the amount of storage to retain your data per your retention settings. On a quarterly basis, Splunk will true-up your storage for any overages. The Cloud Monitoring Console and Splunk Web provide you with the total amount of data retained at any given time.

Data policies

Splunk Cloud Platform administers your data according to the following policies:

  • Your workload-based subscription entitles you to the purchased workload resources and this subscription does not meter ingestion.
  • Your Splunk Cloud Platform ingest-based subscription governs how much data you can load into your Splunk Cloud Platform deployment per day (GMT). You can exceed your ingest-based subscription daily index volume a maximum of five times in a calendar month. If you exceed your daily limit more than five times in a calendar month, your Splunk sales representative may work with you to help you reduce your usage to stay within the purchased limit or to purchase the necessary increase. If you are unable or unwilling to abide by the applicable usage limit, you will pay any invoice for excess usage in accordance with your Terms of Service. If you consistently exceed your ingest-based subscription limit, contact Splunk Sales to do a benchmark assessment to determine your volume needs and purchase an appropriate plan to handle your volume.

To see current and past daily data ingestion information in Splunk Web, use the Cloud Monitoring Console app. For more information, see Locate the Cloud Monitoring Console and Use the License Usage dashboards. Splunk recommends you set up alerts in the system to monitor your license usage.
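As an added example, not part of the Splunk documentation, the following Python check applies the ingest-based policy above to constructed ingest records: it buckets each ingest batch into its GMT calendar day (a batch logged late in the evening in a western time zone belongs to the next GMT day), compares each daily total against an assumed 100 GiB entitlement, and reports any calendar month with more than five overage days. The entitlement, the sample batches and the function names are assumptions for illustration; in a real deployment the daily totals would come from the License Usage dashboards referred to above.

```python
"""Flag calendar months with more than five daily ingest overages (GMT days).

Added example; not Splunk code. The entitlement and the batches are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

GIB = 1024 ** 3
DAILY_ENTITLEMENT = 100 * GIB      # assumed daily ingest entitlement
MAX_OVERAGE_DAYS_PER_MONTH = 5     # policy on this page: more than five is out of bounds

# Constructed sample: (ISO-8601 timestamp with UTC offset, bytes indexed).
# Offsets are mixed on purpose so that GMT day bucketing matters.
SAMPLE_BATCHES = [
    ("2024-03-01T23:30:00-05:00", 60 * GIB),   # 04:30 GMT on 2024-03-02
    ("2024-03-02T09:00:00+00:00", 50 * GIB),   # 2024-03-02 totals 110 GiB: overage
    ("2024-03-05T12:00:00+00:00", 130 * GIB),  # overage
    ("2024-03-09T12:00:00+00:00", 101 * GIB),  # overage
    ("2024-03-12T12:00:00+00:00", 99 * GIB),   # within entitlement
    ("2024-03-15T12:00:00+00:00", 150 * GIB),  # overage
    ("2024-03-21T12:00:00+00:00", 120 * GIB),  # overage
    ("2024-03-28T12:00:00+00:00", 105 * GIB),  # sixth March overage
    ("2024-03-31T22:00:00-03:00", 140 * GIB),  # 01:00 GMT on 2024-04-01: counts for April
    ("2024-04-10T12:00:00+00:00", 200 * GIB),  # second April overage
]


def gmt_date(iso_timestamp: str) -> str:
    """Normalise a timestamp that carries its offset to the GMT (UTC) calendar date."""
    ts = datetime.fromisoformat(iso_timestamp)
    if ts.tzinfo is None:
        # A naive timestamp cannot be placed on a GMT day without guessing.
        raise ValueError(f"timestamp without offset is ambiguous: {iso_timestamp!r}")
    return ts.astimezone(timezone.utc).date().isoformat()


def daily_totals_gmt(batches):
    """Sum bytes per GMT day: {'YYYY-MM-DD': bytes}."""
    totals = defaultdict(int)
    for stamp, nbytes in batches:
        totals[gmt_date(stamp)] += nbytes
    return dict(totals)


def overage_days_by_month(daily_totals, entitlement=DAILY_ENTITLEMENT):
    """Group the days whose total exceeds the entitlement by calendar month."""
    by_month = defaultdict(list)
    for day, total in sorted(daily_totals.items()):
        if total > entitlement:
            by_month[day[:7]].append(day)
    return dict(by_month)


def months_out_of_policy(batches, entitlement=DAILY_ENTITLEMENT,
                         limit=MAX_OVERAGE_DAYS_PER_MONTH):
    """Months in which the number of overage days exceeds the allowed count."""
    overages = overage_days_by_month(daily_totals_gmt(batches), entitlement)
    return sorted(month for month, days in overages.items() if len(days) > limit)


if __name__ == "__main__":
    for month, days in overage_days_by_month(daily_totals_gmt(SAMPLE_BATCHES)).items():
        print(f"{month}: {len(days)} overage day(s): {', '.join(days)}")
    print("out of policy:", months_out_of_policy(SAMPLE_BATCHES))
```

An alert built on this logic should fire as soon as the sixth overage day of a month is recorded rather than at month end, and the GMT bucketing is the part most often got wrong when the totals are assembled from sources that log in local time.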

Subscription expansions, renewals, and terminations

You can expand aspects of your Splunk Cloud Platform subscription anytime during the term of the subscription to meet your business needs. You can optionally add subscriptions to do the following:

  • Increase your workload-based or ingest-based subscription level.
  • Add additional storage capacity in 500 GB increments to store more data.
  • Add encryption services to maintain the privacy of data at rest.
  • Add a HIPAA or PCI DSS cloud environment to assist you with meeting your compliance needs.
  • Add new use cases for Splunk Cloud Platform with Splunk premium solutions such as Enterprise Security (ES) and IT Service Intelligence (ITSI). With workload-based subscriptions, ES entitlement is measured in units of Protected Devices while ITSI entitlement is measured in units of Entity. With ingest-based subscriptions, the unit of measurement is in GB for both entitlements.

You will receive renewal notifications starting 60 days prior to the end date of your current subscription term. For more information on subscription renewals, contact your Splunk sales representative. If your Splunk Cloud Platform subscription expires, it is considered terminated. The policy for terminated Splunk Cloud Platform subscriptions is the following:

  • Your ability to perform searches stops immediately.
  • Your ability to ingest data stops 7 days following termination.
  • Your data is deleted 31 days following termination.

If you require your ingested data to be moved into your control before the termination of your subscription, this is accomplished through a Splunk Professional Services engagement. Some data can be moved into your control by enabling Dynamic Data Self-Storage to export your aged data to your Amazon S3 or Google Cloud Storage account in the same region. Note that Dynamic Data Self-Storage does not export your configuration data. If you choose to use Dynamic Data Self-Storage to export your aged ingested data, you must do so prior to termination of your subscription. You are responsible for AWS or Google Cloud Storage charges you incur for your use of Amazon S3 or Google Cloud Storage.

Supported versions

This section lists the supported versions for Premium Apps, forwarders, hybrid search configurations, and Python interpreters that integrate with the Splunk Cloud Platform.

Current Splunk Cloud Platform and Premium App versions

Splunk determines which versions of Splunk Cloud Platform and Premium Apps to make available to Splunk Cloud Platform subscribers. Splunk adopts the release that has the most benefits for customers as quickly as possible. The table lists the current versions for Splunk Cloud Platform and Premium App subscriptions, as of February 2022.

Subscription Version
Splunk Cloud Platform 8.2
Splunk Enterprise Security 7.0
Splunk IT Service Intelligence 4.11
Splunk App for PCI Compliance 4.6

Splunk Cloud Platform versions have the following release numbering format, which is unique to Splunk Cloud Platform and not used by Splunk Enterprise: [Major Release].[Minor Release].[Release Date]
The [Release Date] is in the format YYMM. For example, the 2112 in Splunk Cloud Platform 8.2.2112 denotes a release date of December 2021.

Supported forwarder versions

The following are the supported forwarder versions for Splunk Cloud Platform. This information is applicable to universal and heavy forwarders that are communicating directly to Splunk Cloud Platform. If you have deployed an intermediate forwarder tier communicating directly to Splunk Cloud Platform, the following information applies to the forwarders in the intermediate tier instead of the forwarders indirectly connected. If you are unable to upgrade forwarders that communicate directly to Splunk Cloud Platform, you accept the risk of continuing to use forwarder versions that have reached their end of support date.

Forwarder version Supported Splunk Cloud Platform versions Forwarder version supported until
8.2.x 8.0.x, 8.1.x, 8.2.x May 12, 2023
8.1.x 8.0.x, 8.1.x, 8.2.x October 22, 2022
8.0.x 8.0.x, 8.1.x, 8.2.x October 22, 2021
7.3.x 8.0.x, 8.1.x June 4, 2021

Supported hybrid search versions

The table lists the supported on-premises Splunk Enterprise versions for Splunk Cloud Platform hybrid search configurations. This information is applicable to on-premises search heads that are communicating directly to Splunk Cloud Platform environments, also referred to as hybrid search heads. If you are unable to upgrade the hybrid search heads that communicate directly to Splunk Cloud Platform to the supported versions, you accept the risk of continuing to use search heads that have reached their end of support date.

On-premises version Supported Splunk Cloud Platform versions
8.2.x 8.2.2104 to 8.2.2203
8.1.x 8.1.2008 to 8.1.2103
8.0.x 8.0.x
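The version format and the two support tables above can be checked mechanically. The following Python is an added example, not part of the Splunk documentation: it parses the [Major].[Minor].[YYMM] format, decodes the release month, and encodes the forwarder and hybrid search tables exactly as printed above so that a given forwarder or on-premises search head version can be checked against a given Splunk Cloud Platform version and an "as of" date. The function names are assumptions; the tables carry only the values on this page, so a version line that is not listed is reported as unsupported rather than guessed at.

```python
"""Parse Splunk Cloud Platform versions and check forwarder / hybrid search support.

Added example; not Splunk code. Tables are transcribed from this page.
"""
import calendar
import re
from datetime import date

_SCP_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d{2})(\d{2})$")


def parse_scp_version(text):
    """'8.2.2112' -> (8, 2, 2021, 12). Tuples compare in release order."""
    m = _SCP_VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"not a Splunk Cloud Platform version: {text!r}")
    major, minor, yy, mm = (int(g) for g in m.groups())
    if not 1 <= mm <= 12:
        raise ValueError(f"release month out of range in {text!r}")
    return (major, minor, 2000 + yy, mm)


def release_date_label(text):
    """'8.2.2112' -> 'December 2021'."""
    _, _, year, month = parse_scp_version(text)
    return f"{calendar.month_name[month]} {year}"


def major_minor(text):
    """'8.2.2112', '8.2.6' and '8.2.x' all belong to the release line '8.2'."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"cannot determine release line of {text!r}")
    return f"{parts[0]}.{parts[1]}"


# Forwarder table: forwarder line -> (supported cloud lines, supported until).
FORWARDER_SUPPORT = {
    "8.2": ({"8.0", "8.1", "8.2"}, date(2023, 5, 12)),
    "8.1": ({"8.0", "8.1", "8.2"}, date(2022, 10, 22)),
    "8.0": ({"8.0", "8.1", "8.2"}, date(2021, 10, 22)),
    "7.3": ({"8.0", "8.1"}, date(2021, 6, 4)),
}

# Hybrid search table: on-prem line -> inclusive cloud version window, or None
# where the page lists a whole line ("8.0.x").
HYBRID_SUPPORT = {
    "8.2": ("8.2.2104", "8.2.2203"),
    "8.1": ("8.1.2008", "8.1.2103"),
    "8.0": None,
}


def forwarder_status(forwarder_version, cloud_version, today):
    """(compatible with this cloud version, forwarder line still in support on `today`)."""
    line = major_minor(forwarder_version)
    if line not in FORWARDER_SUPPORT:
        return (False, False)  # unlisted line: not covered by the table
    cloud_lines, supported_until = FORWARDER_SUPPORT[line]
    return (major_minor(cloud_version) in cloud_lines, today <= supported_until)


def hybrid_search_supported(onprem_version, cloud_version):
    """True if the on-prem search head line is listed for this cloud version."""
    line = major_minor(onprem_version)
    if line not in HYBRID_SUPPORT:
        return False
    window = HYBRID_SUPPORT[line]
    if window is None:
        return major_minor(cloud_version) == line
    lo, hi = (parse_scp_version(v) for v in window)
    return lo <= parse_scp_version(cloud_version) <= hi


if __name__ == "__main__":
    cloud = "8.2.2201"  # the version this page applies to
    print(cloud, "was released", release_date_label(cloud))
    print("forwarder 8.1.5 ->", forwarder_status("8.1.5", cloud, date(2022, 2, 1)))
    print("hybrid 8.2.4 ->", hybrid_search_supported("8.2.4", cloud))
```

The second element of the forwarder result is what the paragraph above means by accepting risk: a forwarder can still be compatible with the current cloud version while its own line has passed its end-of-support date.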

Supported Python versions

The table lists the supported Python interpreters for Splunk Cloud Platform. For more information on Python 2.x deprecation and support on Splunk Cloud Platform, see Python 3 migration with the Splunk platform.

Splunk Cloud Platform version Supported Python interpreters
8.1.x, 8.2.x 2.7.17 (default), 3.7.8
8.0.x 2.7.17 (default), 3.7.4

Technical support

Both workload-based and ingest-based Splunk Cloud Platform subscriptions include either Standard Success Plan or Premium Success Plan. For more information regarding Splunk Cloud Platform support terms and program options, see https://www.splunk.com/en_us/support-and-services/support-programs.html. You should also note the following:

  • Splunk Cloud Platform offers multiple options to ingest your data so it is your responsibility to ensure the correct data collection method is configured for your data sources.
  • Splunk Cloud Platform enables you to perform user, index and app management via Splunk Web. Any customization of Splunk Cloud Platform vetted and compatible apps is also your responsibility.
  • To use multifactor authentication for your Splunk Cloud Platform user accounts, you must use a SAML v2 identity provider that supports multifactor authentication. It is your responsibility to ensure your Splunk Cloud Platform user accounts are properly configured for multifactor authentication.
  • You can choose to use the optional Admin on Demand Services to quickly request technical adoption assistance from a remote Splunk technical consultant. Splunk technical consultants can assist you with tasks such as creating indexes, building lookups and dashboards, onboarding data, and installing Splunk Cloud Platform vetted and compatible apps.
  • There are features in Splunk Cloud Platform that require assistance from Splunk to activate or change your configuration, such as real-time search and enabling AWS Kinesis Data Firehose data to be received. When you file a support ticket, Splunk will enable such features on your behalf.

See also

For more information about See
Admin on Demand Services Admin On Demand data sheet and catalog
Data collection Getting Data In
Performing user, index, and app management Splunk Cloud Platform Admin Manual

Users and authentication

Splunk Cloud Platform enables you to configure account policies that require unique usernames, minimum password length, and regular password resets. You are responsible for creating and administering your users' accounts, the roles assigned to them, the authentication method they use, and global password policies. To control what your Splunk Cloud Platform users can do, you assign them roles that have a defined set of specific capabilities, access to indexes, and resource use limits.

Roles give Splunk Cloud Platform users access to features in the service, and permission to perform tasks and searches. Each user account is assigned one or more roles. Splunk uses the Admin role and system user roles to perform essential monitoring and maintenance activities. You may observe the Admin and system user roles authenticating against your Splunk Cloud Platform environment as part of Splunk performing monitoring and maintenance activities. These activities are performed in accordance with a comprehensive security program designed to protect the confidentiality, integrity, and availability of your data in accordance with the highest industry standards. Splunk Cloud Platform has been certified by independent third-party auditors to meet the SOC 2 Type II and ISO 27001 security standards; see Compliance and certifications. You should not delete or modify these system users or roles.

Splunk Cloud Platform provides the sc_admin role, which has the capabilities required to administer Splunk Cloud Platform. You can use the Splunk Cloud Platform sc_admin role for your administrator to perform self-service tasks such as installing apps, creating and managing indexes, and managing users and their passwords. Splunk Cloud Platform does not support direct access to infrastructure, so you do not have command-line access to Splunk Cloud Platform. This means that any supported task that requires command-line access is performed by Splunk on your behalf.

You can configure your user accounts to be authenticated against directory services such as Active Directory (AD) and other Lightweight Directory Access Protocol (LDAP) servers. You can also configure Splunk Cloud Platform to use SAML authentication for single sign-on (SSO). To use multifactor authentication for your Splunk Cloud Platform user accounts, you must use a SAML v2 identity provider (IdP) that supports multifactor authentication. Depending on the Splunk Cloud Platform version and your IdP, token-based authentication is supported. While Splunk Enterprise has built-in support for multifactor authentication integrations such as Duo and RSA, Splunk Cloud Platform does not support these methods of integration.

Only SHA-256 signatures in the SAML messages exchanged between your IdP and Splunk Cloud Platform are supported; messages signed with other algorithms, such as SHA-1, are not. You are responsible for the SAML configuration of your IdP, including the use of SHA-256 signatures.
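Before cutting over to SAML, it is worth inspecting what your IdP actually emits. The following Python is an added example, not part of the Splunk documentation: it parses a constructed SAML Response with a Response-level signature (RSA-SHA256) and an Assertion-level signature (RSA-SHA1) and reports every ds:Signature whose SignatureMethod is not a SHA-256 variant. Because the page only states that SHA-256 signatures are required, the check keys on the algorithm URI ending in "sha256" rather than on a fixed list of key types; the extra report on DigestMethod is this editor's addition, since a SHA-1 digest inside a SHA-256-signed SignedInfo still leaves a weak hash in the signed path. The XML, element IDs and function names are constructed; the check reads declared algorithms only and does not verify the signatures themselves.

```python
"""Report SAML signatures whose declared algorithms are not SHA-256.

Added example; not Splunk code. The SAML Response below is constructed.
For untrusted input use a hardened parser (e.g. defusedxml) in place of xml.etree.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: Response signed with RSA-SHA256, Assertion signed with RSA-SHA1.
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>AAAA</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""


def _local(tag):
    """'{ns}Response' -> 'Response'."""
    return tag.rsplit("}", 1)[-1]


def signature_algorithms(xml_text):
    """One record per ds:Signature: which element it covers and its declared algorithms."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    records = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        signed = parents.get(sig, root)  # the element that encloses the signature
        method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
        digests = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference/{{{DS}}}DigestMethod")
        records.append({
            "signed_element": _local(signed.tag),
            "signed_id": signed.get("ID"),
            "signature_method": method.get("Algorithm") if method is not None else None,
            "digest_methods": [d.get("Algorithm") for d in digests],
        })
    return records


def is_sha256(algorithm_uri):
    """True for rsa-sha256, ecdsa-sha256, xmlenc#sha256 and similar SHA-256 URIs."""
    return algorithm_uri is not None and algorithm_uri.lower().endswith("sha256")


def findings(xml_text):
    """Human-readable list of non-SHA-256 algorithms, signature method first."""
    out = []
    for rec in signature_algorithms(xml_text):
        where = f"{rec['signed_element']}[{rec['signed_id']}]"
        if not is_sha256(rec["signature_method"]):
            out.append(f"{where}: SignatureMethod {rec['signature_method']} is not SHA-256")
        for digest in rec["digest_methods"]:
            if not is_sha256(digest):
                out.append(f"{where}: DigestMethod {digest} is not SHA-256")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_RESPONSE) or ["all signatures declare SHA-256"]:
        print(line)
```

Run it against a captured Response from your IdP's test tenant (decoded from the SAMLResponse form field) before enabling SAML on Splunk Cloud Platform; an IdP that signs the Response with SHA-256 but leaves an older SHA-1 profile on the Assertion is exactly the case the parent map is there to separate.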

See also

For more information about See
Users and roles Manage Splunk Cloud Platform users and roles in the Splunk Cloud Platform Admin Manual
Single Sign On Configure Splunk Cloud Platform to use SAML for authentication tokens in the Splunk Cloud Platform Security Manual

Configure single sign-on with SAML in the Splunk Cloud Platform Security Manual

Token based authentication Set up authentication with tokens in the Splunk Cloud Platform Security Manual
Last modified on 24 July, 2024
  Splunk Cloud Service Description Change Log

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2201