Is my data local or remote?
If you have Splunk Cloud or run Splunk Enterprise in the cloud, all indexed data is remote. If you have an on-premises Splunk Enterprise deployment, the answer to this question depends on a number of things, which include:
- The operating system on which your Splunk Enterprise instance resides.
- Where the data is physically.
- The types of data storage that are connected to the Splunk Enterprise instance.
- Whether or not you need to perform any authentication or other intermediate to access the data store that contains the data you want to index.
A local resource is a fixed resource that your Splunk Enterprise instance has direct access to. You are able to access a local resource, and whatever it contains, without having to attach, connect, or perform any other intermediate action (such as authentication or mapping a network drive). If your data is on such a resource, the data is considered local.
Some examples of local data include:
- Data on a hard disk or solid state drive installed in a desktop, laptop, or server host.
- Data on a resource that has been permanently mounted over a high-bandwidth physical connection that the host can access at boot time.
- Data on a RAM disk.
A remote resource is any resource that does not meet the definition of a "local" resource. Data that exists on such a resource is remote data. Some examples of remote resources are:
- Network drives on Windows hosts.
- Active Directory schemas.
- NFS or other network-based mounts on *nix hosts.
- Most cloud-based resources.
Some cases where resources might be considered remote are actually not remote. Here are some examples.
- A host has a volume that has been permanently mounted over a high-bandwidth physical connection such as USB or FireWire. Because the computer can mount the resource at boot time, Splunk Enterprise treats it as a local resource, even though the resource can theoretically be disconnected at a later time.
- A host has a resource that has been permanently mounted over a high-bandwidth network standard such as iSCSI, or to a Storage Area Network over fiber. As the standard treats such volumes as local block devices, such a resource would be considered local.
Get started with getting data in
Use forwarders to get data in
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4