Welcome to Splunk Cloud!
This manual contains information to help you get your data into Splunk Cloud, create reports and dashboards, and work with Splunk Support to administer Splunk Cloud and get help.
Splunk Cloud enables you to store, search, analyze, and visualize the machine-generated data gathered from the websites, applications, sensors, devices, and so on, that comprise your IT infrastructure or business. Splunk Cloud offers many of the features of Splunk Enterprise as a cloud service. You can use Splunk Cloud alone or with Splunk Enterprise on-premises software as a hybrid solution. Splunk Cloud deployments are continuously monitored and managed by the Splunk Cloud Operations team.
To send data to Splunk Cloud, you run forwarders on machines that have access to the source data. Splunk Cloud software ingests the forwarded data and indexes it, transforming it into searchable knowledge in the form of events. After event processing is complete, you can associate events with knowledge objects to enhance their usefulness. For example, you can use the search processing language or the interactive pivot feature to create reports and visualizations.
The Splunk Cloud Service
When you subscribe to the Splunk Cloud service, you get a dedicated Splunk deployment that is hosted in Amazon Web Services. Splunk Cloud is available in the following Amazon Web Services (AWS) regions: US (Virginia, Oregon, GovCloud), EU (Dublin, Frankfurt, London), Asia Pacific (Singapore, Sydney, Tokyo) and Canada (Central). For details, contact your sales representative or email firstname.lastname@example.org before purchasing.
Features of Splunk Cloud
|Indexing||Splunk software indexes machine data. This includes data from packaged and custom applications, application servers, web servers, databases, networks, virtual machines, telecoms equipment, operating systems, sensors, and so on, that make up your IT infrastructure. (More information)|
|Inputs Data Manager||The IDM is a hosted solution for Splunk Cloud for scripted and modular inputs. In a majority of cases, an IDM will obviate the need for customer-managed infrastructure. However, note that an IDM is not a one-to-one replacement for a heavy forwarder. You still need to use a heavy forwarder if you need to perform parsing or activities other than standard scripted and modular data inputs. As a best practice, cloud-based add-ons should be installed on an IDM, and on-premise-based add-ons should be installed on a forwarder or heavy forwarder. Note: If the add-on is tightly integrated with an Enterprise Security search head, you should not use IDM.|
|Data model||A data model is a hierarchically-structured search-time mapping of semantic knowledge about one or more datasets. It encodes the domain knowledge necessary to build a variety of specialized searches of those datasets. These specialized searches are used to generate reports for Pivot users. Data model objects represent different datasets within the larger set of indexed data. (More information)|
|Pivot||Pivot refers to the table, chart, or data visualization you create using the Pivot Editor. The Pivot Editor lets users map attributes defined by data model objects to a table or chart data visualization without having to write the searches to generate them. Pivots can be saved as reports and added to dashboards. (More information)|
|Search||Search is the primary way that you navigate data that you have stored in your Splunk deployment. You can write a search to retrieve events from an index, use statistical commands to calculate metrics and generate reports, search for specific conditions within a rolling time window, identify patterns in your data, predict future trends, and so on. You can save searches as reports and use them to power dashboard panels. (More information)|
|Alerts||Alerts are triggered when conditions are met by search results for both historical and real-time searches. Alerts can be configured to trigger actions such as sending alert information to designated email addresses, posting alert information to an RSS feed, or running a custom script, such as one that posts an alert event to syslog. (More information)|
|Reports||Reports are saved searches and pivots. You can run reports on an ad hoc basis, schedule them to run on a regular interval, or set scheduled reports to generate alerts when the results of their runs meet particular conditions. You can add reports to dashboards as dashboard panels. (More information)|
|Dashboards||Dashboards are made up of panels that contain modules such as search boxes, fields, charts, tables, forms, and so on. Dashboard panels are usually hooked up to saved searches or pivots. They can display the results of completed searches as well as data from backgrounded real-time searches. (More information)|
Differences between Splunk Cloud and Splunk Enterprise
Splunk Cloud provides a layer of security and operational control that causes it to differ from Splunk Enterprise, as follows:
|Feature||Splunk Enterprise||Splunk Cloud|
|Command line interface||Available||Splunk Cloud customers do not have access to the command line. You can perform many administrative tasks through the web browser, such as managing indexes and source types. Other tasks that require CLI access must be performed on your behalf by Splunk Support.|
|Apps||You decide what apps run in your deployment||Only apps that have been evaluated for security and stability and approved by Splunk are permitted to run in Splunk Cloud. You can use Splunk Web to install vetted apps.|
|Direct TCP and syslog inputs||Supported||You cannot send these types of data directly to Splunk Cloud. You must use an on-premises forwarder to send such data.|
|Scripted and modular inputs on the Search tier||Supported||Use Inputs Data Manager for scripted and modular inputs on the search tier. As a best practice, cloud-based add-ons should be installed on an IDM, and on-premise-based add-ons should be installed on a forwarder or heavy forwarder.|
|Scripted alerts||Supported||Supported only in the context of approved apps|
|License pooling||Supported||Not supported. The license manager is not Internet-accessible to Splunk Cloud customers.|
|HTTP event collector (HEC)||Enabled by default||For managed Splunk Cloud deployments, HEC uses port 443 (Splunk Enterprise uses port 8088).|
|Splunk API||Enabled by default||Disabled by default for managed Splunk Cloud deployments. Contact Splunk Support to enable access for managed Splunk Cloud deployments, Splunk Cloud trials, and sandboxes.|
Get help with Splunk Cloud
To learn more about Splunk features, see the manuals on the Splunk docs web site. To find other Splunk users near you, see the Splunk user group web site. To learn about how other organizations are succeeding with Splunk Cloud, watch On The Road with AAA and Splunk Cloud.
Splunk Technical Support
As a Splunk Cloud customer, you can rely on Splunk Support to administer and optimize Splunk Cloud for you. Contact Support in the following ways.
Contact Splunk Support to:
- Obtain REST API credentials
- Reset a user password
- Link to an LDAP directory
- Modify the configuration settings of your deployment
- Report an outage
- Report an issue
- Request a feature or change to your deployment
For details about the levels of technical support provided, read Support Programs. Only authorized support contacts from your company can open cases. Your Splunk support agreement specifies who your authorized contacts are. Your Support contract specifies a number of authorized contacts, and an expiration date. One of your contacts is a Support portal administrator, who can update the list. Only an authorized contact can open a case and track its status.
An authorized contact can file a case in one of two ways:
- Log in to splunk.com and navigate to the Support Portal.
- In Splunk Cloud, click About and select File a Bug.
Splunk Support portal
Designated Splunk Cloud users can manage operational contacts for their account and file support cases using the Support portal. Operational contacts are the people in your organization who are notified when their Splunk Cloud environment undergoes maintenance or experiences an event that affects performance.
To manage operational contacts:
- Go to My Operational Contacts in the Support portal.
- Follow the instructions on the page to add, edit, and remove operational contacts for your Splunk Cloud environment.
To file a case on the Support portal:
- From the Splunk installation is? dropdown, select the state of your deployment.
- In Subject, summarize your issue. Splunk Support sees the first 250 characters in this field.
- In What Product are you having trouble with? select Splunk Cloud.
- In What OS are you using? select Linux.
- Leave What OS Version are you using? blank.
- In I need help with... select a category that applies to your issue.
- In What is the impact... explain briefly how this issue disrupts your work.
- In the Problem Description, be thorough. For issues (as opposed to enhancement requests), include the exact time of the issue and its duration, the type of Splunk instance experiencing the issue (for example, forwarder, search head, or indexers), and any relevant screen shots.
- Include Steps to reproduce if you've found a specific scenario that triggers the issue.
- Click Submit. The portal directs you to a screen with a case number and sends you an email containing the case number.
Splunk Support replies to the case creator by email. You can update the case by replying to the email (be sure to keep the tracking ID in the email subject line). You can also update the case, check on its status, or close a case using the support portal.
Types of Splunk Cloud deployment
This documentation applies to the following versions of Splunk Cloud™: 7.0.0, 7.0.2, 7.0.3, 7.0.5, 7.0.8, 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.2.6