Overview of getting data into Splunk Cloud
This topic provides an overview of the methods available to you for adding data to your Splunk Cloud deployment. For detailed information about what Splunk Cloud can index, see the Getting Data In manual.
Type of data that Splunk Cloud accepts
Splunk Cloud accepts a wide variety of data, including IT streaming, machine, and historical data such as Windows event logs, web server logs, live application logs, network feeds, system metrics, change monitoring, message queues, and archive files. Splunk Cloud can monitor relational databases and third-party infrastructures such as DB2, Cisco, Active Directory, Hadoop, and so on.
Splunk Cloud can monitor Windows-specific inputs such as:
Splunk Cloud can monitor other kinds of data sources. For example:
Options for getting data into Splunk Cloud
You can get data into your Splunk Cloud deployment as follows:
- Forward data from data sources
- Install Splunk apps and add-ons
- Send data using HTTP protocol
Splunk forwarders send data from a data source to your Splunk Cloud deployment for indexing, which makes the data searchable. Forwarders are lightweight processes, so they can usually run on the machines where the data originates. To forward data to Splunk Cloud, you typically use the Splunk universal forwarder.
For forwarder installation instructions, see the topic for your data source platform:
The following diagram illustrates the topology of forwarding data from your corporate network to Splunk Cloud using the universal forwarder.
If you need to anonymize or otherwise preprocess data before it exits your enterprise network, or if a specific app or add-on that you are using does not support universal forwarders, use a heavy forwarder. For more information about heavy forwarders, see the Splunk Forwarding Data manual.
Note: By default, the universal forwarder can forward a maximum of 256 KB of data per second. As a best practice, do not exceed this limit. For more information, read Possible thruput limits in the Splunk Enterprise Troubleshooting Manual.
Use apps to get data in
Apps typically target specific data types and handle everything from configuring the inputs to generating useful views of the data. For example, the Splunk App for Windows Infrastructure provides data inputs, searches, reports, alerts, and dashboards for Windows host management. The Splunk App for Unix and Linux offers the same for Unix and Linux environments. There is a wide range of apps to handle specific types of application data, including the following:
Apps and add-ons that contain a data collection component should be installed on forwarders for their data collection functions. See Install apps in your Splunk Cloud deployment.
Add data using HTTP protocol
In addition, you can send data directly to Splunk Cloud using HTTP or HTTPS. To ensure that your credentials are never transmitted from your on-premises systems to Splunk Cloud, this feature uses token-based authentication. For a detailed discussion of the HTTP Event Collector, see the Introduction to Splunk HTTP Event Collector on the Splunk Developer Portal.
If you have a self-service Splunk Cloud deployment (including Splunk Light Cloud Service), use the following format for the URL that you use to access the HTTP event collector:
where XXXXXXX represents the ID assigned to your deployment.
To use the HTTP event collector or an app that relies on it (like Splunk App for Akamai) with a managed Splunk Cloud deployment, create a Splunk Support ticket requesting that HTTP event collection be enabled. Provide the following information:
- Name for data input
- Name for target index
- Source type to be applied to the data
- Amount of data per day that you expect to receive, and any details about your intended usage that will help Splunk Support estimate the number of HTTP connections per hour
In return, Splunk Support sends you the authorization token that is required to send HTTP events to Splunk Cloud.
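The token-based request described above, as an added example that is not part of Splunk's documentation: it builds a batched HEC POST without sending it, and as a hardening choice of this example it refuses a cleartext `http://` URL so the token never travels unencrypted. The endpoint path and `Authorization: Splunk <token>` header come from HEC's REST interface; the host, token, index and source type are constructed placeholders.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Path of the HEC JSON event endpoint (from HEC's REST interface, not from this page).
HEC_EVENT_PATH = "/services/collector/event"


def build_hec_request(base_url, token, events, index, sourcetype):
    """Build (but do not send) a POST carrying one or more HEC events."""
    parts = urlsplit(base_url)
    # The token is a bearer secret: refuse to place it on a cleartext connection.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("HEC base URL must be an https:// URL")
    # Whitespace (including CR/LF) in a token would corrupt or split the header.
    if not token or any(c.isspace() for c in token):
        raise ValueError("missing or malformed HEC token")
    # HEC accepts several event objects concatenated in one request body.
    body = "".join(
        json.dumps({"event": e, "index": index, "sourcetype": sourcetype})
        for e in events
    ).encode("utf-8")
    req = urllib.request.Request(
        f"https://{parts.netloc}{HEC_EVENT_PATH}", data=body, method="POST"
    )
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    return req


def redacted_headers(req):
    """Headers safe to write to logs: the token is masked."""
    return {k: ("Splunk ****" if k.lower() == "authorization" else v)
            for k, v in req.header_items()}


if __name__ == "__main__":
    # Constructed values: placeholder host and token, not a real deployment.
    req = build_hec_request(
        "https://hec.example.invalid", "00000000-0000-0000-0000-000000000000",
        [{"action": "login", "user": "alice"}], "main", "app:auth")
    print(req.full_url, redacted_headers(req))
    # To send: urllib.request.urlopen(req, timeout=10)
```

Keep the token out of source control and client-side code, and log only the redacted headers.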
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.0.0, 7.0.2, 7.0.3, 7.0.5