Splunk Cloud

Splunk Cloud Service Description

Download manual as PDF

Download topic as PDF

Splunk Cloud Service Details

Splunk Cloud is a cloud-based service that enables you to store, search and analyze machine data generated by your corporate IT infrastructure and related technologies. Splunk Cloud provides the following capabilities:

  • Data collection: Splunk Cloud provides several options for sending data from a variety of sources to your Splunk Cloud deployment.
  • Ingestion: Splunk Cloud prepares incoming data for searching.
  • Storage: Your data is stored in a manner that is optimized for the cloud. You can configure data retention according to your auditing and compliance requirements.
  • Search: Your users can correlate data, visualize results, generate reports and alerts, and more.
  • Apps and premium solutions: Access to certain pre-configured dashboards, reports, data inputs, and saved searches that provide domain-specific solutions.

Pricing for Splunk Cloud is based on the volume of uncompressed data that you plan to index on a daily basis. You can purchase more storage and an encryption-at-rest option for an additional fee.

Splunk Cloud capabilities

The Splunk Cloud service provides the following capabilities.

Data Collection

To enable you to gather data from your applications, cloud services, servers, network devices, and sensors, Splunk Cloud provides software and APIs as part of the service. The amount of data that you can collect daily is determined by the level of subscription that you purchase, and you always have the option to elect a higher-level subscription to increase the amount of data that you can collect. For details about limits on data collection, refer to Splunk Cloud data policies in the Splunk Cloud User Manual. You can send data to Splunk Cloud as follows:

  • Using Splunk forwarders
  • Over HTTP
  • Using Splunk add-ons

For security, data in transit is SSL-encrypted. Senders and receivers authorize each other, and HTTP-based data collection is secured using token-based authentication. Data is collected only from white-listed IP addresses.


During ingestion, Splunk Cloud indexes incoming data so you can search it. To verify that all the data that you send for indexing is received, you can enable the Splunk “acknowledgement” feature. During indexing, data is partitioned into logical indexes, which you can configure to facilitate searching and control users’ access to data.


After ingestion, your data is stored in the cloud for searching in the supported AWS region(s) of your choosing. You can configure different data retention policies for individual indexes according to your auditing and compliance requirements. When you subscribe, you can choose to have your data encrypted at rest using AES 256-bit encryption for an additional charge. If you choose encryption at rest, Splunk manages the keys on your behalf. Your subscription includes data storage space sufficient for storing up to 90 days of the daily maximum that you license. You can purchase additional storage space in increments of 500 GB per year.


To search the data that you have stored using Splunk Cloud, you can use the Splunk Search Processing Language (SPL). Using SPL, you can create:

  • Ad-hoc searches
  • Scheduled searches
  • Visualizations
  • Reports
  • Alerts
  • More…

Splunk software also provides several ways to display and analyze data graphically, without composing SPL queries.

Splunk Cloud also supports hybrid search from Splunk Enterprise to Splunk Cloud. This support only covers ad hoc searching across these products. Premium solutions such as Enterprise Security and IT Service Intelligence are not supported at this time. Splunk Enterprise must be the same version as Splunk Cloud.

The recommended use case is for ad hoc searches. Splunk Enterprise must be the same version as Splunk Cloud.

Apps and Premium Solutions

You can use Splunk apps to extend the functionality of your Splunk Cloud deployment. To ensure security and minimize effects on performance, only approved Splunk apps can run on Splunk Cloud. Apps that are Splunk Cloud approved and publicly available are listed in the Splunk Cloud product category on Splunkbase. Some approved apps can be self-service installed on Splunk Cloud. Other approved apps must be installed by the Splunk support team.

Customer private apps that are Splunk Cloud approved must be installed by a member of the Splunk support team. If you have private apps that are not Splunk Cloud approved, you can submit the apps for approval by Splunk. There is no charge for app review, although you are responsible for the cost of any licenses required to run your apps.

Customers can optionally purchase Splunk premium solutions to run on Splunk Cloud. Splunk premium solutions must be installed by the Splunk support team.

For more information about running Apps and Premium solutions on Splunk Cloud, see Install apps in your Splunk Cloud deployment and Manage a rolling restart in Splunk Cloud.

Connectivity in Splunk Cloud

Splunk Cloud provides public endpoints to connect to your instance. Data sent from your network to these endpoints is routed over public Internet, and then routed to your Splunk Cloud instance in an AWS Virtual Private Cloud (VPC). If you use private connectivity services such as AWS Direct Connect, you must use a public virtual interface to connect to Splunk Cloud.

If you use the Elastic Load Balancer (ELB) service in AWS, data from your network to the ELB is routed over public Internet, and data from the ELB to Splunk Cloud is routed privately in the VPC.

If you use the Kinesis Data Firehose service for data ingestion, ensure the stream buffer setting is properly configured and the Splunk HTTP Event Collector (HEC) is enabled.

Forwarders and HTTP Event Collectors compress data when sending over TLS protocol. The amount of compression varies based on the content. For bandwidth planning, assume a compression ratio between 1:8 and 1:12.

User management in Splunk Cloud

Users are authenticated through Splunk role-based access control, LDAP, Active Directory, or by integrating single sign-on with third-party identity providers. To control users' access to data, Splunk Cloud administrators create user accounts and assign roles to them. Roles are composed of individual capabilities that control access to specific features. For administrators, Splunk Cloud provides the sc_admin role, which has the capabilities required to administer Splunk Cloud without compromising the Splunk Cloud deployment.

Differences between Splunk Cloud and Splunk Enterprise

Splunk Enterprise runs on customer hardware and networks and is installed and maintained by customers. Splunk Cloud is a cloud-based service. Customers who are familiar with Splunk Enterprise architecture should not make assumptions about the architecture or operational aspects of Splunk software deployed in the Splunk Cloud service. Specifically, Splunk Cloud differs from Splunk Enterprise as follows:

  • Command line interface (CLI): Splunk Cloud customers do not have access to the command line. You can perform many administrative tasks through the web browser, such as managing indexes and source types. Tasks that require CLI access can be performed on your behalf by Splunk Support.
  • Apps: Only apps that have been inspected and approved for Splunk Cloud are permitted to run in a Splunk Cloud deployment.
  • No inputs on the search tier: Splunk does not support the use of inputs.conf on the search tier of managed Splunk Cloud instances. Splunk Cloud uses the Packaging Toolkit to partition apps into appropriate packages for the search tier, indexing tier, and forwarder tier. You are responsible for installing the data collection components of any app you wish to use in Splunk Cloud on a Splunk Forwarder under your control. If direct input on the search tier is required and you are unable to deploy forwarders, you can request that Splunk Cloud deploy data ingestion processes on the Splunk Cloud search tier, but this approach is not subject to Splunk Cloud SLAs.
  • Direct monitoring of TCP, UDP, file and syslog inputs: Splunk Cloud does not accept such data directly. You must use Splunk forwarder software to send such data to your Splunk Cloud deployment.
  • License pooling: You cannot use license pooling in Splunk Cloud.
  • Native alerts: Because you do not have system-level access, you cannot define alerts that run operating-system scripts or use other system services (although approved apps can do so). Alerts can be sent via email or HTTPS POST using Splunk webhooks. You might be required to set up an endpoint inside your network. If you have both Splunk Enterprise and Splunk Cloud, you can run an on-premises search head to support searches that require alert actions.
  • Search Performance: Splunk Cloud leverages a multi-tier storage architecture and manages the movement of data to optimize performance based on user search patterns. Generally, recently processed data (recently ingested, searched, analyzed for machine learning, and so on) will have better performance than data that has not been processed for some time. This behavior applies to all data, including metrics data.
  • Two-factor authentication: Splunk Cloud does not support Duo two-factor authentication.

In Splunk Enterprise, the HTTP Event Collector and REST API are enabled by default. In Splunk Cloud, you must request enablement by filing a Support ticket.


Because Splunk Cloud is a hosted service, you do not have system-level access to the machines on which it runs, which means that many tasks that require command-line access must be performed on your behalf by Splunk Support.

What Splunk does…

  • Getting started: When you first subscribe to Splunk Cloud, Splunk sends you a welcome email containing the details required for you to access your Splunk Cloud deployment and get started. This email contains a lot of important details, so keep it handy.
  • Upgrade the software: As Splunk releases new versions of Splunk Cloud, we will notify you to schedule maintenance windows during which we upgrade your Splunk Cloud deployment. The length of the upgrade window depends on your configuration and on average can range from two to six hours.

What you do…

  • Configure data collection: To send data to your Splunk Cloud deployment, you must install, configure, and manage forwarders, HTTP event collector settings, and add-ons in your corporate network. For detailed instructions, refer to the Getting Data In manual.
  • Monitor your consumption: Your license limits the amount of data per day that you can send to your Splunk Cloud deployment.
  • Request app activation: For apps that you cannot activate yourself, file a Support ticket requesting activation. If you develop apps that you want to run in your Splunk Cloud deployment, you must submit them to Splunk for approval.
  • Manage users and roles: You must create user accounts and assign roles to them. If you intend to use your own third-party identity provider for authentication, you must configure single sign-on.
  • Upgrade forwarders: Within 90 days of being upgraded to a new version of Splunk Cloud, you must upgrade your forwarders to this same new version number.

Technical support

Technical support is included in every Splunk Cloud subscription. When you subscribe, you designate support contacts who are permitted to open cases with Splunk Support. To open a case, go to the Splunk Support Portal.

Splunk Support does not perform move, add, change, delete (MACD) or administrative tasks that are sometimes included in managed services. You must administer your own Splunk Cloud deployment or contract with partners or Splunk for additional services.

For P1 cases where the Splunk Cloud service is completely inaccessible, you can request a Root Cause Analysis (RCA) within 24 hours of incident resolution.


The security and privacy of your data is of the utmost importance to you and your organization, and Splunk makes this a top priority. Splunk Cloud service is designed and delivered using key security controls such as:

Instance Security: Every Splunk Cloud deployment runs in a secured environment on a stable operating system and in a network that is hardened to industry standards using a default-deny firewall policy, which permits access only to specific IP addresses and services. Your deployment is regularly scanned for host- and application-level threats.

Isolation of Data and Service: In the cloud, your data is logically isolated from other customers’ data, so your performance and data integrity cannot be affected by other customers who are using the Splunk Cloud service.

Data Encryption: All data in transit to and from Splunk Cloud is encrypted using SSL. To encrypt data at rest, you can purchase AES 256-bit encryption for an additional charge. Keys are rotated regularly and monitored continuously.

User Authentication and Access: You can configure authentication using Lightweight Directory Access Protocol (LDAP), Active Directory (AD), and single sign-on using any SAML v2 identity provider. To control what your Splunk Cloud users can do, you assign them roles that have a defined set of specific capabilities. Splunk Cloud enables you to configure account policies that require unique user names, minimum password length, and regular password resets with supported SAML v2 identify providers and LDAP. To enable two-factor authentication, customers must configure a SAML v2 identity provider that supports two-factor authentication.

Data Handling: You can store your data in one of the following Amazon Web Services (AWS) regions:

  • US (Virginia, California, Oregon, GovCloud)
  • EU (Dublin, Frankfurt, London)
  • Asia Pacific (Singapore, Sydney, Tokyo)
  • South America (São Paulo)

Data is kept in the region you choose. If you need to store your data in more than one region, you can purchase multiple subscriptions. Data is retained in Splunk Cloud according to the volumes, durations, and index configurations you set. Expired data is deleted based on your pre-determined schedule.

For the purposes of disaster recovery, your configuration and recently-ingested data is backed up on a rolling seven-day window. If you unsubscribe, you can take your data with you to an alternative storage container, such as AWS S3 bucket, prior to deletion. Depending on the amount of data and the work involved, we may charge for this service. For more information on Splunk Cloud data management, please review the documentation at Splunk Cloud data policies and Manage Splunk Cloud indexes in the Splunk Cloud User Manual.

Security Controls and Background Screening: Splunk security controls are described in our most recent Service Organization Control II, Type II Report (SOC 2/Type 2 Report). Splunk conducts criminal background checks on its employees prior to hire, as permitted by law.

App Security: All Splunk apps hosted on Splunk Cloud by Splunk are examined by Splunk engineers to ensure that they comply with the Splunk Cloud app requirements and best practices. The Splunk App Certification Program provides a set of best practices for app developers. For details about how to submit an app for evaluation for Splunk Cloud readiness, see the Splunk Developer web page.

Standards compliance and certifications

Splunk has attained a number of compliance attestations and certifications from industry-leading auditors as part of our commitment to adhere to industry standards worldwide.

SOC 2 Type II: Splunk Cloud is SOC 2 Type 2-compliant. The SOC 2 audit assesses an organization's security, availability, process integrity, and confidentiality processes to provide assurance about the systems that a company uses to protect customers' data.

ISO 27001: Splunk Cloud is ISO/IEC 27001:2013-certified. ISO/IEC 27001:2013 is a standard for an information security management system, specifying the policies and procedures for all legal, physical, and technical controls used by an organization to minimize risk to information. (View certificate of verification.)

Splunk Cloud service limits and constraints

The following are Splunk Cloud service limits and constraints. This list should be used as guidance to ensure the best Splunk Cloud experience. Keep in mind that some limits depend on configuration, system load, performance and available resources. Contact Splunk if your requirements are different or exceed what is recommended below.

Category Service Component Supported Limit Additional Information
Apps and Premium Solutions App installation N/A Some apps that are Splunk Cloud approved and publicly available can be self-service installed on Splunk Cloud. Other approved public apps must be installed by the Splunk support team. Customer private apps that are Splunk Cloud approved must be installed by a member of the Splunk support team.
Ingestion Active indexes per Splunk Cloud environment 400 The best practice is to maintain no more than the upper limit of active indexes per Splunk Cloud environment.
Search Search concurrency per Splunk Cloud environment 38 Keep in mind that search concurrency is dependent on customer configuration. There is a limit to the number of searches that each Splunk Cloud environment can concurrently process. If the limit is reached, searches are queued, which can result in delays to producing search results.
Search Search Concurrency for Premium Solutions 38 When using premium solutions such as Enterprise Security and IT Service Intelligence in Splunk Cloud, additional search processes are available per premium solution. These additional search processes are additive to the Search Concurrency per Splunk Cloud environment.
Search Join for subsearch 50,000 The join command is used to combine the results of a subsearch with the results of a main search. This limit is the maximum number of result rows in the output of a subsearch that can be joined against a main search. Refer to Splunk Cloud documentation of the join command for more information.
Search Hybrid search N/A Splunk Cloud supports hybrid search from Splunk Enterprise to Splunk Cloud. Splunk Enterprise must be a compatible version to Splunk Cloud to enable hybrid search. The recommended use case is for ad hoc searches. Refer to Splunk Cloud documentation of hybrid search for more information.
Security Whitelist IP address rules per Splunk Cloud environment 100 Customers specify the IP address or IP address range that is permitted to access Splunk Cloud and those from which Splunk can collect data. These are generically referred to as whitelist IP address rules. There is a limit to the total number of whitelist IP address rules per Splunk Cloud environment.
Security Two-factor authentication N/A To enable two-factor authentication, customers must configure a SAML v2 identity provider that supports two-factor authentication.

More information

The following links provide information about the terms and policies that pertain to the Splunk Cloud service:


This documentation applies to the following versions of Splunk Cloud: 6.6.0, 6.6.1, 6.6.3, 7.0.0, 7.0.2, 7.0.3


Thanks for pointing it out, Rlarkmanbugsense. We've updated the page with that information.

Andrewb splunk, Splunker
March 29, 2018

London is now available as an AWS region, so this page needs updating.

March 29, 2018

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters