Splunk Cloud

Splunk Cloud Service Description

Splunk Cloud Service Details

Splunk Cloud delivers the benefits of award-winning Splunk® Enterprise as a cloud-based service. Using Splunk Cloud, you gain the functionality of the Splunk Enterprise platform for collecting, searching, monitoring, reporting, and analyzing all of your real-time and historical machine data using a cloud service that is centrally and uniformly delivered by Splunk to its large number of cloud customers, from Fortune 100 companies to small and medium-size businesses. Splunk manages and updates the Splunk Cloud service uniformly, so all customers of Splunk Cloud receive the most current features and functionality.

Subscription pricing for Splunk Cloud is based on the volume of uncompressed data that you want to index on a daily basis. The subscription pricing also includes access to Splunk support and a fixed amount of data storage. You can optionally add subscriptions for additional storage capacity to store more data, an encryption service to maintain the privacy of data at rest, a HIPAA or PCI cloud environment to assist you with meeting your compliance needs, and new use cases for Splunk Cloud with Splunk premium solutions such as Enterprise Security and IT Service Intelligence.

Splunk Cloud is available in the following global regions:

  • US (California, Oregon, Virginia and GovCloud)
  • EU (Dublin, Frankfurt, London)
  • Asia Pacific (Singapore, Sydney, Tokyo)
  • Canada (Central)

For commonly asked questions about Splunk Cloud, see the FAQ for Splunk Cloud.

For more information about the terms of service, see the Splunk Cloud Terms of Service.

Data collection

Splunk Cloud provides software and APIs that enable you to ingest data from your applications, cloud services, servers, network devices, and sensors into the service. You can send data to Splunk Cloud as follows:

Using Splunk forwarders: There are two types of forwarder software: universal forwarder and heavy forwarder. In most situations, the universal forwarder is the best forwarder for Splunk Cloud since it includes the essential components that it needs to forward data, uses significantly fewer hardware resources and is inherently scalable. For certain use cases when data needs to be parsed prior to forwarding or data needs to be forwarded based on criteria such as source or type of event, a heavy forwarder is required. Setup, enablement, transformation, and sending data from forwarders to your Splunk Cloud environment is your responsibility. This means you are responsible for installing, configuring, and managing your forwarders. Splunk does not support the use of inputs.conf on the search tier of managed Splunk Cloud instances. You are responsible for installing the data collection components of any app you wish to use in Splunk Cloud on a Splunk forwarder. For more information, see How do you want to add data? in the Getting Data In manual.

Using HTTP Event Collector (HEC): HEC lets you send data and application events using a token-based authentication mode to Splunk Cloud over the Secure HTTP (HTTPS) protocol. You can generate a token and then configure a logging library or HTTPS client with the token to send data to HEC in a specific format. HEC is enabled by default for your Splunk Cloud environment with a 512K size limit on the maximum content length. You are responsible for setup, enablement, transformation, and sending data to your Splunk Cloud environment via HEC. You are also responsible for monitoring and remediation of any HEC error codes that are received from Splunk Cloud to ensure no interruption of your data ingestion. For more information, see About the Splunk HTTP Event Collector in the Getting Data In manual.
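The following Python client is an added example and not Splunk's own code. It shows the two responsibilities the paragraph above assigns to you: packing events into HEC request bodies that stay under the 512K content-length limit, and handling HEC responses so that transient server-side errors are retried while token, payload or index errors are surfaced instead of being resent forever. The endpoint URL and token are placeholders, the sample events in the test are constructed, and the HEC response-code meanings mentioned in comments come from the HEC documentation, not from this page.

```python
"""Added example (not Splunk's code): batch events for Splunk HTTP Event
Collector (HEC) under the 512K content-length limit and act on HEC responses."""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

# Splunk Cloud enables HEC with a 512K maximum content length (assumed KiB).
MAX_CONTENT_LENGTH = 512 * 1024

# Placeholders only: substitute your own stack's HEC endpoint and token.
HEC_URL = "https://http-inputs-YOUR-STACK.splunkcloud.com/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"


def encode_event(event: dict, sourcetype: str, timestamp: Optional[float] = None,
                 index: Optional[str] = None) -> bytes:
    """Wrap one event in the HEC JSON envelope; envelopes are newline-separated
    so several can be concatenated into one request body."""
    envelope = {"event": event, "sourcetype": sourcetype,
                "time": timestamp if timestamp is not None else time.time()}
    if index:
        envelope["index"] = index
    return (json.dumps(envelope, separators=(",", ":")) + "\n").encode("utf-8")


def build_batches(encoded: Iterable[bytes], limit: int = MAX_CONTENT_LENGTH) -> List[bytes]:
    """Pack envelopes into request bodies that never exceed `limit` bytes.
    An envelope larger than the limit can never be accepted, so it is rejected
    here instead of being sent and failing on every retry."""
    batches, current, size = [], [], 0
    for chunk in encoded:
        if len(chunk) > limit:
            raise ValueError(f"event of {len(chunk)} bytes exceeds the HEC limit of {limit}")
        if size + len(chunk) > limit:
            batches.append(b"".join(current))
            current, size = [], 0
        current.append(chunk)
        size += len(chunk)
    if current:
        batches.append(b"".join(current))
    return batches


def classify_response(status: int, body: bytes) -> Tuple[str, str]:
    """Map an HEC response to an action and a human-readable detail.
    "ok": accepted.  "retry": transient server-side failure (HTTP 5xx, e.g.
    503 "Server is busy"); back off and resend the same batch.  "fix": a 4xx
    token, payload or index problem (e.g. HEC code 4 "Invalid token");
    resending will not help, so alert whoever owns the pipeline."""
    detail = f"HTTP {status}"
    try:
        parsed = json.loads(body.decode("utf-8"))
        if isinstance(parsed, dict):
            detail = f"HEC code {parsed.get('code')}: {parsed.get('text')}"
    except (ValueError, UnicodeDecodeError):
        pass
    if 200 <= status < 300:
        return "ok", detail
    if status >= 500:
        return "retry", detail
    return "fix", detail


def _http_post(body: bytes) -> Tuple[int, bytes]:
    """Real transport: POST one batch to HEC with the token in the header."""
    req = urllib.request.Request(
        HEC_URL, data=body, method="POST",
        headers={"Authorization": "Splunk " + HEC_TOKEN,
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def send_batches(batches: List[bytes],
                 post: Callable[[bytes], Tuple[int, bytes]] = _http_post,
                 max_attempts: int = 3, backoff: float = 0.0) -> dict:
    """Send every batch, retrying transient failures and recording the rest so
    that ingestion gaps are visible instead of silent.  `post` is injectable so
    the logic can be exercised offline with a fake transport."""
    summary = {"ok": 0, "retried": 0, "failed": []}
    for i, body in enumerate(batches):
        for attempt in range(1, max_attempts + 1):
            action, detail = classify_response(*post(body))
            if action == "ok":
                summary["ok"] += 1
                break
            if action == "retry" and attempt < max_attempts:
                summary["retried"] += 1
                time.sleep(backoff * attempt)
                continue
            summary["failed"].append((i, detail))
            break
    return summary
```

Feed `summary["failed"]` into whatever alerting you already run for your forwarders; a non-empty list after retries means data did not reach Splunk Cloud.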

Using AWS Kinesis Data Firehose: AWS Kinesis Data Firehose is a fully managed, scalable, and serverless option for streaming data from various AWS services directly into Splunk Cloud. Setup, enablement, transformation, and sending data to your Splunk Cloud environment is your responsibility. If you choose to use the Kinesis Data Firehose service for data ingestion, you are responsible for enabling and configuring AWS Kinesis Data Firehose, and for paying AWS for this service. For more information, see Install and configure the Splunk Add-on for Amazon Kinesis Firehose on a managed Splunk Cloud deployment in the Splunk Add-on for Amazon Kinesis Firehose manual.

Additional information about data collection

Data compression: Forwarders and HTTP Event Collectors compress data when sending over the TLS protocol. The amount of compression varies based on the content, generally at a ratio between 1:8 and 1:12.

Encryption in transit: For security, data in transit is TLS 1.2+ encrypted. Senders and receivers authorize each other, and HTTP-based data collection is secured using token-based authentication.

IP Whitelisting: You can request to restrict data collection from only whitelisted IP addresses by filing a support ticket.

Ingestion

The amount of data that you can collect daily is determined by the Splunk Cloud subscription that you purchase, and you can always choose a higher-level subscription to increase the amount of data that you can collect. You can see current and past daily data ingestion information using the Cloud Monitoring Console (CMC) app that is included with your Splunk Cloud environment. If you consistently exceed your subscription entitlement, contact Splunk Sales to purchase an appropriate plan to handle your volume.

During ingestion, Splunk Cloud indexes incoming data so you can search it. During indexing, data is partitioned into logical indexes, which you can configure to facilitate searching and control users' access to data. Splunk Cloud allows you to self-service manage your indexes across multiple tasks such as the following:

  • Creating, updating, deleting, and viewing properties of indexes
  • Modifying the retention settings for individual indexes
  • Deleting data from indexes
  • Optimizing search performance by managing the number of indexes and the data sources that are stored in specific indexes

For details about limits on data collection, see Splunk Cloud data policies in the Splunk Cloud User Manual.

For best practices for creating indexes, see Manage Splunk Cloud indexes in the Splunk Cloud User Manual.

For service limits relating to indexes, see Splunk Cloud service limits and constraints.

Storage

Storage space in your Splunk Cloud service is based on the volume of uncompressed data that you want to index on a daily basis. Your Splunk Cloud environment comes with sufficient storage to allow you to store up to 90 days of your uncompressed data. For example, if your daily volume of uncompressed data is 100 GB, your Splunk Cloud environment will have 9000 GB (9 TB) of storage. You can optionally purchase additional storage for your Splunk Cloud environment in 500 GB increments. In addition, you can choose to have your data encrypted at rest using AES 256-bit encryption for an additional charge. If you choose encryption at rest, Splunk manages the keys on your behalf.

When you send data to Splunk Cloud, it is stored in indexes and you can self-manage your Splunk Cloud indexes settings using the Indexes page in Splunk Web. Splunk Cloud retains data based on index settings that enable you to specify when data is to be deleted. To configure different data retention settings for different sources of data, store the data in separate indexes according to the desired retention policy. You can configure different data retention policies for individual indexes according to your auditing and compliance requirements.

Each index uses two settings to determine when to delete data:

  1. The maximum size of the index (specified in the Max data size (GB) field on the Indexes page)
  2. The maximum age of events in the index (specified in the Retention (days) field on the Indexes page)

When the index reaches the specified maximum size or events reach the specified maximum age, the oldest data is deleted. When data is deleted from the index, it is no longer searchable by Splunk Cloud.

You can review your storage consumption in the Cloud Monitoring Console app included in your Splunk Cloud environment. The app provides information such as the amount of data stored and the number of days of retention for each index.

For more information about managing indexes, see Manage Splunk Cloud indexes in the Splunk Cloud User Manual.

For more information about the Cloud Monitoring Console, see Monitor Splunk Cloud deployment health in the Splunk Cloud User Manual.

Search

Splunk Cloud allows you to search and navigate all of the machine data that you ingest into the service. Searches can be done using the Splunk Search Processing Language (SPL), or using alternative ways to display and analyze data graphically without composing SPL queries. Searches can be ad-hoc and scheduled, with results in the form of visualizations, reports, and alerts.

To examine data in Splunk Cloud and your on-premises deployment of Splunk Enterprise in a single search, you can configure a Splunk Enterprise search head to connect to a Splunk Cloud indexer cluster. This configuration is called hybrid search. The following conditions and limitations apply to hybrid search:

  • Hybrid Search Topology: You can initiate searches from an on-premises Splunk Enterprise search head to a Splunk Cloud deployment. You cannot initiate searches from a Splunk Cloud search head to an on-premises Splunk Enterprise deployment, and you cannot initiate searches from a Splunk Cloud search head to another Splunk Cloud environment.
  • Splunk Version Compatibility: The version of the on-premises Splunk Enterprise search head must be equal to or higher than the version of Splunk Cloud.
  • Search Types: Ad-hoc search is supported. Scheduled search is not supported.
  • Premium Solutions: Hybrid search is not available for use with Enterprise Security. Hybrid search is not available for use with IT Service Intelligence.

For more information about hybrid search, see Configure hybrid search in the Splunk Cloud User Manual.

In Splunk Cloud, you open a support ticket to enable real-time search. Note that real-time searches are resource-intensive and can impact the overall health and performance of your searches.

You can review the health and performance of your search using the Cloud Monitoring Console (CMC) app that is included in your Splunk Cloud environment. CMC shows information such as long running searches, skipped scheduled searches, and average search run time.

Splunk Cloud has service limits related to search, such as the maximum number of concurrent searches. This service limit and others are listed in the Splunk Cloud service limits and constraints section.

Apps and Premium Solutions

You can use Splunk apps to extend the functionality of your Splunk Cloud deployment. To ensure security and minimize effects on performance, only vetted and compatible apps can run on Splunk Cloud.

You can optionally purchase Splunk Apps and Premium Solutions (Premium App) subscriptions on Splunk Cloud. As part of the subscription, the Splunk Cloud environment is enhanced to support the Premium App. Splunk will install the Premium App on your behalf and will also upgrade the Premium App when a new version is vetted for Splunk Cloud. Multiple Premium App subscriptions can run concurrently on the same Splunk Cloud environment. Any customization of the Premium App can be done by you or through a Splunk Professional Services engagement. Splunk support will not be able to assist in tailoring the Premium App to your use case. The following Premium App subscriptions are available for Splunk Cloud:

  • Splunk Enterprise Security (ES)
  • Splunk IT Service Intelligence (ITSI)
  • Splunk App for Microsoft Exchange
  • Splunk App for PCI Compliance
  • Splunk App for VMware

The following Premium Apps are compatible with Splunk Cloud but no subscription is available on Splunk Cloud. Installation and configuration of these Premium Apps can be done by you or through a Splunk Professional Services engagement. Splunk support will not be able to assist with installation and configuration of the following Premium Apps. For more information on these Splunk Premium Apps, contact your Splunk sales representative.

  • Phantom
  • User Behavior Analytics

The following Splunk products are not available as subscriptions on Splunk Cloud. For more information on these Splunk products, contact your Splunk sales representative.

  • Splunk Insights for AWS Cloud
  • Splunk Insights for Infrastructure
  • Splunk Insights for Ransomware

Other apps that are Splunk Cloud vetted and compatible are listed in either the App browser in Splunk Web or through Splunkbase. Depending on the nature of the Splunkbase apps, you may be able to self-install because they have been marked so, or you may need to open a support ticket to install. Any customization of the Splunkbase apps can be done by you or through a Splunk Professional Services engagement. Splunk support will not be able to assist in tailoring the Splunkbase apps to your use case. Compatibility of third-party apps is asserted by the developers of those apps. Splunk does not perform compatibility testing of third-party apps with specific versions of Splunk Cloud.

Your private apps can also be self-service installed. During the private app installation, Splunk will automatically validate if your private app is compatible with Splunk Cloud and allow compatible apps to be self-installed. If the app is deemed incompatible with Splunk Cloud, you will receive an app vetting report that details areas in your app to remediate to make it compatible with Splunk Cloud and enable it to be self-service installable. Any customization of your private app is outside the scope of the Splunk Cloud subscription.

For more information about Apps and Premium Solutions, see the following topics in the Splunk Cloud User Manual:

Network connectivity and data transfer

You access your Splunk Cloud environment via public endpoints. By default, for both Splunk Web access and sending your data, traffic from your network is encrypted, sent over the public Internet and then routed to your Splunk Cloud environment in an AWS Virtual Private Cloud (VPC). These endpoints are protected using Security Groups and customers can also specify additional access control rules. See the Splunk Cloud service limits and constraints section for the maximum number of customer defined rules.

You can request to restrict data access from only whitelisted IP addresses by filing a support ticket. For any regulated Splunk Cloud environments such as HIPAA and PCI, you must specify at least one address for the IP whitelist.

In addition, forwarders and HTTP Event Collectors compress data when sending over the TLS protocol. The amount of compression varies based on the content. For bandwidth planning, assume a compression ratio between 1:8 and 1:12.

If you are using AWS services such as Direct Connect and Kinesis Data Firehose, note the following:

  • If you choose to use private connectivity services such as AWS Direct Connect, you are responsible for setup and configuration of AWS Direct Connect plus any associated fees. With AWS Direct Connect you must use a public virtual interface to connect to Splunk Cloud. After a public virtual interface has been provisioned, you must contact Splunk to enable your Splunk Cloud environment to receive your traffic via AWS Direct Connect.
  • If you choose to use the Kinesis Data Firehose service for data ingestion, you are responsible for any setup and configuration of AWS Kinesis Data Firehose plus any associated fees. For more information see Install and configure the Splunk Add-on for Amazon Kinesis Firehose on a managed Splunk Cloud deployment in the Splunk Add-on for Amazon Kinesis Firehose manual.
  • AWS Direct Connect or Kinesis Data Firehose may not be available in all Splunk Cloud regions.

Users and authentication

Splunk Cloud enables you to configure account policies. You are responsible for creating and administering your users' accounts, the roles assigned to them, the authentication method they use, and global password policies. To control what your Splunk Cloud users can do, you assign them roles that have a defined set of specific capabilities, access to indexes, and resource use limits.

Roles give Splunk Cloud users access to features in the service, and permission to perform tasks and searches. Each user account is assigned one or more roles. In addition, your Splunk Cloud environment comes with predefined system roles and system users that are used by Splunk to perform essential monitoring and maintenance activities. You should not delete or modify these system users or roles. For the customer's administrator users, Splunk Cloud provides the sc_admin role, which has the capabilities required to administer Splunk Cloud. You can use the Splunk Cloud sc_admin role for your administrator to perform self-service tasks such as installing apps, creating and managing indexes, and managing users and their passwords. Splunk Cloud does not support direct access to infrastructure, so you do not have command-line access to Splunk Cloud. This means that any supported task that requires command-line access is performed by Splunk on your behalf.

You can configure your user accounts to be authenticated using Lightweight Directory Access Protocol (LDAP) and Active Directory (AD). You can also configure Splunk Cloud to use SAML authentication for single sign-on (SSO). In order to use multifactor authentication for your Splunk Cloud user accounts, you must use a SAML v2 identity provider that supports multifactor authentication. While Splunk Enterprise has built-in support for multifactor authentication such as Duo, Splunk Cloud does not support this method of integration.

For more information on User and Roles, see Manage Splunk Cloud users and roles in the Splunk Cloud User Manual.

For more information on Single Sign On, see Configure SAML single sign-on (SSO) to Splunk Cloud in the Splunk Cloud User Manual.

Differences between Splunk Cloud and Splunk Enterprise

Splunk Cloud delivers the benefits of Splunk Enterprise as a cloud-based service. Customers who are familiar with Splunk Enterprise architecture should not make assumptions about the architecture or operational aspects of Splunk software deployed in the Splunk Cloud service. Specifically, Splunk Cloud differs from Splunk Enterprise in the following ways:

  • Apps: To ensure security and minimize effects on performance, only vetted and compatible apps can run on Splunk Cloud. The app browser in Splunk Web or Splunkbase lists vetted and compatible Splunk Cloud apps. You can install some apps directly through the app browser (self-service installation). Other apps must be installed by Splunk support, and require you to open a support ticket. Your private apps can also be self-service installed. During the private app installation, Splunk automatically validates if your private app is compatible with Splunk Cloud and allows compatible apps to be self-service installed. If the app is deemed incompatible with Splunk Cloud, you receive an app vetting report that details areas in your app to remediate to make it compatible with Splunk Cloud and enable it to be self-service installable.
  • Cloud Monitoring Console (CMC): The Cloud Monitoring Console (CMC) app is included in your Splunk Cloud environment. CMC replaces the Monitoring Console that is used in Splunk Enterprise. You use CMC to holistically monitor the data consumption and health of your Splunk Cloud environment.
  • Command-line interface (CLI) access: Splunk Cloud does not allow direct access to infrastructure by customers. As a result, you do not have command-line access to Splunk Cloud. Any supported task that requires command-line access is performed by the self-service capabilities of Splunk or by filing a service ticket.
  • Direct TCP, UDP, file, and syslog inputs: Splunk Cloud does not accept these types of data directly. In order for Splunk Cloud to receive data sources such as TCP, UDP, file, and syslog, you must use Splunk forwarder software as an agent to send data to Splunk Cloud. This ensures reliable, managed, fault-tolerant delivery of your data into Splunk Cloud.
  • License pooling: Splunk Cloud does not support license pooling.
  • Multifactor authentication: While Splunk Enterprise has built-in support for multifactor authentication such as Duo, Splunk Cloud does not support this method of authentication. In order to use multifactor authentication for your Splunk Cloud user accounts, you must configure a SAML v2 identity provider that supports multifactor authentication.
  • Native alerts: Splunk Cloud does not provide system-level access. As a result, you cannot define alerts that run operating-system scripts or use other system services (although vetted and compatible apps can do so). Alerts can be sent by email or HTTPS POST using Splunk software webhooks. You might be required to set up an endpoint inside your network. If you have both Splunk Enterprise and Splunk Cloud, you can run an on-premises search head to support searches that require alert actions.
  • No inputs on the search tier: Splunk does not support the use of inputs.conf on the search tier of Splunk Cloud. Splunk Cloud uses the Packaging Toolkit to partition apps into appropriate packages for the search tier, indexer tier, and forwarder tier. You are responsible for installing the data collection components of any app you want to use in Splunk Cloud on a Splunk Forwarder under your control. If you require direct input on the search tier and you cannot deploy forwarders, you can request that Splunk Cloud deploy data ingestion processes on the Splunk Cloud search tier, but this approach is not subject to Splunk Cloud SLAs.
  • Real-time search: In Splunk Cloud, you open a support ticket to enable real-time search. Note that real-time searches are resource intensive and can impact the overall health and performance of your searches.
  • REST API: In Splunk Cloud, you open a support ticket to enable REST API access.
  • Search performance: Splunk Cloud leverages a multi-tier storage architecture and manages the movement of data to optimize performance based on user search patterns. Generally, recently processed data (recently ingested, searched, analyzed for machine learning, and so on) will have better performance than data that has not been processed for some time. This behavior applies to all data, including metrics data.
  • sc_admin role: For the customer's administrator users, Splunk Cloud provides the sc_admin role, which has sufficient capabilities to administer Splunk Cloud. You can use the Splunk Cloud sc_admin role for your administrator to perform self-service tasks such as installing apps, creating and managing indexes, and managing users and their passwords.
  • System user roles: Your Splunk Cloud environment comes with predefined system roles and system users that are used by Splunk to perform essential monitoring and maintenance activities. You should not delete or modify these system users or roles.

Service level

Splunk provides an uptime SLA for Splunk Cloud and will use commercially reasonable efforts to make the Services available. You will receive service credits in the event of SLA failures, as set forth in our current SLA schedule. As Splunk Cloud is offered uniformly across all customers, the SLA cannot be modified on a customer-by-customer basis.

Splunk Cloud is considered available if you are able to log into your Splunk Cloud Service account and initiate a search using Splunk Software. Splunk continuously monitors the status of each Splunk Cloud environment to ensure the SLA. In addition, Splunk Cloud monitors several additional health and performance variables, including but not limited to the following:

  • Ability to log into Splunk Cloud (non-SAML)
  • Ability to access Splunk Web
  • Ability to access a Splunk REST API endpoint
  • Ability to perform searches against an internal Splunk index
  • Ability to ingest data cluster wide
  • Presence of unsupported configurations

Splunk adds predefined system users and system roles to all Splunk Cloud environments. Splunk leverages system users or roles to perform essential monitoring and maintenance activities in managed Splunk Cloud environments. Customers are advised to not delete or edit system users or roles because they are essential to perform monitoring and maintenance activities in managed Splunk Cloud environments.

Splunk does not support the use of inputs.conf on the search tier of managed Splunk Cloud instances. If direct input on the search tier is required and you are unable to deploy forwarders, you can request that Splunk Cloud deploy data ingestion processes on the Splunk Cloud search tier, but this approach is not subject to Splunk Cloud SLAs.

For more information about Splunk Cloud system users, see Manage Splunk Cloud users and roles in the Splunk Cloud User Manual.

For more information about the SLA for Splunk Cloud, see the Splunk Cloud Service Level Schedule.

Maintenance

Splunk Cloud delivers the benefits of award-winning Splunk® Enterprise as a cloud-based service. Splunk manages and updates the Splunk Cloud service uniformly, so all customers of Splunk Cloud receive the most current features and functionality.

What Splunk does on your behalf:

  • Gets you started: When you first subscribe to Splunk Cloud, Splunk sends you a welcome email containing the information required for you to access your Splunk Cloud deployment and get started. This email contains a lot of important details, so keep it handy.
  • Assists you with supported tasks: Splunk Cloud enables you to customize user, index and app management via Splunk Web. However, there are features in Splunk Cloud that require assistance from Splunk to activate or make changes to your configurations, such as real-time search and enabling AWS Kinesis Data Firehose data to be received. When you file a support ticket, Splunk will enable such features on your behalf.
  • Upgrades and expands your Splunk Cloud: Splunk Cloud adopts the release that has the most benefits for you as quickly as possible. As Splunk releases new versions of Splunk Cloud and Premium Apps, you will be notified by Splunk to schedule the maintenance window. In addition, we will enhance Splunk Cloud on your behalf, such as increasing the amount of your daily ingestion, adding storage, enabling Premium App subscriptions and Encryption at Rest.
  • Ensures Splunk Cloud uptime and security: Splunk continuously monitors the status of your Splunk Cloud environment to ensure uptime and availability. We look at various health and performance variables such as the ability to log in, ingest data, access Splunk Web and perform searches. In addition, Splunk Cloud also keeps backups of your ingested data and configurations to ensure data durability. Splunk also employs system user roles with limited privileges to perform tasks on your cloud. If encryption at rest is enabled, we manage your encryption keys.

What you can self-service:

  • Customize your Splunk Cloud: Splunk Cloud offers multiple options to ingest your data, so it is your responsibility to ensure the correct data collection method is used for your data sources. For detailed instructions for sending data to your Splunk Cloud deployment, refer to the Getting Data In manual. In addition, Splunk provides a variety of self-service tools to allow you to customize your Splunk Cloud environment, such as user, index and app management. For more information, refer to the Splunk Cloud User Manual.
  • Monitor your Splunk Cloud health and usage: You can use the Cloud Monitoring Console (CMC) to holistically monitor the data consumption and health of your Splunk Cloud environment. Your license limits the amount of data per day that you can send to your Splunk Cloud deployment. CMC is designed to help you manage your usage of the service, while all other monitoring is done by Splunk.

Technical support

Splunk Standard Support is included in every Splunk Cloud subscription. For more information regarding Splunk Cloud support terms and program options, refer to: https://www.splunk.com/en_us/support-and-services/support-programs.html. You should also note the following:

  • Splunk Cloud offers multiple options to ingest your data so it is your responsibility to ensure the correct data collection method is configured for your data sources.
  • Splunk Cloud enables you to perform user, index and app management via Splunk Web. Any customization of Splunk Cloud vetted and compatible apps is also your responsibility.
  • In order to use multifactor authentication for your Splunk Cloud user accounts, you must use a SAML v2 identity provider that supports multifactor authentication. It is your responsibility to ensure your Splunk Cloud user accounts are properly configured for multifactor authentication.
  • You can choose to leverage the optional Admin on Demand Services to quickly request technical adoption assistance from a remote Splunk technical consultant. The Splunk technical consultants can assist you with tasks such as index creation, building lookups and dashboards, and data onboarding, and can install Splunk Cloud vetted and compatible apps.
  • There are features in Splunk Cloud that require assistance from Splunk to activate or change your configuration, such as real-time search and enabling AWS Kinesis Data Firehose data to be received. When you file a support ticket, Splunk will enable such features on your behalf.

For more information regarding Admin on Demand Services, refer to the Admin On Demand data sheet and catalog.

For more information regarding data collection, refer to Getting Data In.

For more information regarding performing user, index and app management, refer to the Splunk Cloud User Manual.

Security

The security and privacy of your data is of the utmost importance to you and your organization, and Splunk makes this a top priority. Splunk Cloud service is designed and delivered using key security controls such as:

Instance Security: Every Splunk Cloud deployment runs in a secured environment on a stable operating system and in a network that is hardened to industry standards using a default-deny firewall policy, which permits access only to specific IP addresses and services. Your deployment is regularly scanned for host- and application-level threats.

Isolation of Data and Service: In the cloud, your data is logically isolated from other customers’ data, so your performance and data integrity cannot be affected by other customers who are using the Splunk Cloud service.

Data Encryption: All data in transit to and from Splunk Cloud is TLS 1.2+ encrypted. To encrypt data at rest, you can purchase AES 256-bit encryption for an additional charge. Keys are rotated regularly and monitored continuously.

User Authentication and Access: You can configure authentication using Lightweight Directory Access Protocol (LDAP), Active Directory (AD), and single sign-on using any SAML v2 identity provider. To control what your Splunk Cloud users can do, you assign them roles that have a defined set of specific capabilities. Splunk Cloud enables you to configure account policies that require unique user names, minimum password length, and regular password resets with supported SAML v2 identity providers and LDAP. To enable multifactor authentication, customers must configure a SAML v2 identity provider that supports multifactor authentication.

Data Handling: You can store your data in one of the following Amazon Web Services (AWS) regions:

  • US (Virginia, California, Oregon, GovCloud)
  • EU (Dublin, Frankfurt, London)
  • Asia Pacific (Singapore, Sydney, Tokyo)
  • Canada (Central)

Data is kept in the region you choose. If you need to store your data in more than one region, you can purchase multiple subscriptions. Data is retained in Splunk Cloud according to the volumes, durations, and index configurations you set. Expired data is deleted on the schedule you have defined.

For the purposes of disaster recovery, your configuration and recently ingested data are backed up on a rolling seven-day window. If you unsubscribe, you can take your data with you to an alternative storage container, such as an AWS S3 bucket, prior to deletion. Depending on the amount of data and the work involved, Splunk may charge for this service. For more information on Splunk Cloud data management, see Splunk Cloud data policies and Manage Splunk Cloud indexes in the Splunk Cloud User Manual.

Security Controls and Background Screening: Splunk security controls are described in our most recent Service Organization Control (SOC) 2 Type II report. Splunk conducts criminal background checks on its employees prior to hire, as permitted by law.

App Security: All Splunk apps hosted on Splunk Cloud by Splunk are examined by Splunk engineers to ensure that they comply with the Splunk Cloud app requirements and best practices. The Splunk App Certification Program provides a set of best practices for app developers. For details about how to submit an app for evaluation for Splunk Cloud readiness, see the Splunk Developer web page.

Subscription expansions, renewals and terminations

You can expand aspects of your Splunk Cloud subscription anytime during the term of the subscription to meet your business needs. You can:

  • increase the amount of your daily ingestion
  • increase the amount of storage in 500GB increments
  • add Premium App subscriptions
  • add Encryption at Rest capabilities

You will receive renewal notifications starting 60 days prior to the end date of your current subscription term. For more information on subscription renewals, contact your Splunk sales representative. If your Splunk Cloud subscription expires, it is considered terminated. The policy for terminated Splunk Cloud subscriptions is as follows:

  • your ability to perform searches stops immediately
  • your ability to ingest data stops 7 days following termination
  • your data is deleted 31 days following termination

If you require your ingested data to be moved into your control before the termination of your subscription, this is accomplished through a Splunk Professional Services engagement.

Compliance and Certifications

Splunk has attained a number of compliance attestations and certifications from industry-leading auditors, as part of our commitment to adhere to industry standards worldwide, to provide customers with independent third-party validation of our efforts to safeguard customer data. The following compliance attestations and certifications are available:

  • SOC 2 Type II: Splunk Cloud has an annual SOC 2 Type II audit report issued. The SOC 2 audit assesses an organization's security, availability, processing integrity, and confidentiality processes to provide assurance about the systems that a company uses to protect customers' data. If you require the SOC 2 Type II attestation for review, contact your Splunk sales representative to request it.
  • SOC 3: Splunk Cloud has an annual SOC 3 report issued. The SOC 3 report summarizes Splunk Cloud's controls for the Trust Services Principles of security, availability, and confidentiality. You can view the report here.
  • ISO 27001: Splunk Cloud is ISO/IEC 27001:2013-certified. ISO/IEC 27001:2013 is a standard for an information security management system, specifying the policies and procedures for all legal, physical, and technical controls used by an organization to minimize risk to information. You can view the certificate of verification here.

If your data must be maintained in a regulated cloud environment to assist you with meeting your compliance needs, Splunk Cloud provides these optional subscriptions.

  • Health Insurance Portability and Accountability Act (HIPAA): Splunk Cloud (HIPAA) is compliant with the HIPAA Security Rule and HITECH Breach Notification Requirements. These regulations establish a standard for the security of any entity that accesses, processes, transmits, or stores electronic protected health information (ePHI).
  • Payment Card Industry Data Security Standard (PCI DSS): Splunk Cloud (PCI DSS) is PCI DSS v3.2 compliant as a Level 1 service provider. This standard applies to any entity that processes, transmits, or stores payment card data as well as their critical service providers.

More information for regulated cloud environments is listed below.

HIPAA
  • Region availability: All Splunk Cloud regions.
  • Encryption at rest: Enabled by default. Splunk manages the encryption keys on your behalf and rotates them regularly.
  • IP whitelist: You must provide IP whitelisting rules.
  • Certification documents: If you require the HIPAA compliance report for review, contact your Splunk sales representative to request a copy.

PCI DSS
  • Region availability: All Splunk Cloud regions.
  • Encryption at rest: Enabled by default. Splunk manages the encryption keys on your behalf and rotates them regularly.
  • IP whitelist: You must provide IP whitelisting rules.
  • Certification documents: If you require the PCI attestation of compliance for review, contact your Splunk sales representative to request a copy.

Splunk Cloud service limits and constraints

The following are Splunk Cloud service limits and constraints. You can use this list as guidance to ensure the best Splunk Cloud experience. Keep in mind that some limits depend on configuration, system load, performance, and available resources. Contact Splunk if your requirements are different or exceed what is recommended in this table.

Each entry lists the category, the service component, the limit, and additional information.

  • Data collection: HEC maximum content length. Limit: 512 KB. HEC is configured with this content-length limit by default.
  • Ingestion: Active indexes per Splunk Cloud environment. Limit: 400. The best practice is to keep the number of active indexes in each Splunk Cloud environment at or below this limit.
  • Search: Search concurrency per Splunk Cloud environment. Limit: 20. Applies to Splunk Cloud subscriptions with a daily ingestion entitlement of less than 50 GB. Each Splunk Cloud environment can process only a limited number of searches concurrently; when the limit is reached, searches are queued, which delays search results.
  • Search: Search concurrency per Splunk Cloud environment. Limit: 38 (starting point). Applies to Splunk Cloud subscriptions with a daily ingestion entitlement between 50 GB and 1 TB; the starting point scales up at higher ingestion rates. When the limit is reached, searches are queued, which delays search results.
  • Search: Search concurrency per Splunk Cloud or Splunk Cloud and ITSI environment. Limit: 100 (starting point). Applies to Splunk Cloud or Splunk Cloud and ITSI subscriptions with a daily ingestion entitlement of more than 1 TB; the starting point scales up at higher ingestion rates. When the limit is reached, searches are queued, which delays search results.
  • Search: Search concurrency per Premium Solution. Limit: 38 (starting point) for each Premium App. When you add any of the following Premium App subscriptions to Splunk Cloud, additional search processes are available for each Premium App; these are additive to the search concurrency of the Splunk Cloud environment, and the starting point scales up at higher ingestion rates:
      • Splunk Enterprise Security
      • Splunk IT Service Intelligence
      • Splunk App for Microsoft Exchange
      • Splunk App for PCI Compliance
      • Splunk App for VMware
  • Search: Join command for subsearch. Limit: 50,000. The join command combines the results of a subsearch with the results of a main search. This limit is the maximum number of result rows in the output of a subsearch that can be joined against a main search. Refer to the Splunk Cloud documentation of the join command for more information.
  • Security: Whitelist IP address rules per Splunk Cloud environment. Limit: 100. You specify the IP addresses or IP address ranges that are permitted to access Splunk Cloud, and those from which Splunk Cloud can collect data. These are generically referred to as whitelist IP address rules, and the total number of such rules per Splunk Cloud environment is limited.
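Because the whitelist is capped at 100 rules per environment, an inventory of individual forwarder and administrator addresses usually has to be summarized into CIDR ranges before it is submitted, and each submitted range should be checked so that summarization does not quietly open a far larger block than intended. The following is an added example written for this page, not Splunk's own tooling: it collapses an address inventory into the minimal set of CIDR rules with the standard library, reports whether that set fits the 100-rule budget, flags rules broader than a chosen prefix length, and tests whether a given source address is covered. The inventory addresses are constructed documentation-range samples, and the broadness threshold of /24 is an assumption you should set for your own environment.

```python
# Added example, not Splunk's code: summarize an address inventory into the
# fewest CIDR whitelist rules, check the result against the 100-rule limit,
# and flag ranges that are broader than intended. Sample inventory is constructed.
import ipaddress

MAX_WHITELIST_RULES = 100   # per-environment limit from the service description
BROAD_PREFIX_V4 = 24        # assumed threshold: anything wider than a /24 gets flagged


def collapse_rules(entries):
    """Collapse addresses and ranges into the minimal sorted list of CIDR rules.
    IPv4 and IPv6 are collapsed separately because they cannot be merged."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return ([str(n) for n in ipaddress.collapse_addresses(v4)]
            + [str(n) for n in ipaddress.collapse_addresses(v6)])


def rule_budget(entries, limit=MAX_WHITELIST_RULES):
    """Return the collapsed rules and whether they fit within the rule limit."""
    rules = collapse_rules(entries)
    return {"rules": rules, "count": len(rules), "within_limit": len(rules) <= limit}


def broad_rules(rules, max_prefix_v4=BROAD_PREFIX_V4):
    """IPv4 rules wider than the threshold; review these before submitting them,
    since a summarized range may admit hosts that were never in the inventory."""
    return [r for r in rules
            if ipaddress.ip_network(r).version == 4
            and ipaddress.ip_network(r).prefixlen < max_prefix_v4]


def is_permitted(ip, rules):
    """True if the address falls inside any submitted rule."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in rules
               if ipaddress.ip_network(r).version == addr.version)


if __name__ == "__main__":
    # Constructed inventory: two halves of a /24, four adjacent hosts, two IPv6 hosts.
    inventory = ["203.0.113.0/25", "203.0.113.128/25",
                 "198.51.100.4", "198.51.100.5", "198.51.100.6", "198.51.100.7",
                 "2001:db8::10", "2001:db8::11"]
    budget = rule_budget(inventory)
    print(budget)
    print("broad:", broad_rules(budget["rules"]))
    print("198.51.100.8 permitted?", is_permitted("198.51.100.8", budget["rules"]))
```

Note that collapse_addresses only merges ranges that are adjacent and aligned; 128 scattered single hosts stay 128 rules and exceed the budget, which is the signal to move those sources behind a NAT egress address or a dedicated subnet rather than to widen a rule by hand.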

Current release

Splunk determines which versions of Splunk Cloud and Premium Apps to make available to Splunk Cloud subscribers. Splunk adopts the release that has the most benefits for customers as quickly as possible. The following are current versions for Splunk Cloud and Premium App subscriptions, as of June 2018.

  • Splunk Cloud: 7.0
  • Splunk Enterprise Security: 5.0
  • Splunk IT Service Intelligence: 3.1
  • Splunk App for Microsoft Exchange: 3.4
  • Splunk App for PCI Compliance: 3.6
  • Splunk App for VMware: 3.4

More information

The following links provide information about the terms and policies that pertain to the Splunk Cloud service:


This documentation applies to the following versions of Splunk Cloud: 7.0.0, 7.0.2, 7.0.3

