Splunk Cloud

Splunk Cloud User Manual

Splunk Cloud data policies

Splunk Cloud administers your data according to the policies described below.

Data retention

When you send data to Splunk Cloud, it is stored in indexes. Splunk Cloud retains data based on index settings that enable you to specify when data is to be deleted or moved to self storage. To configure different data retention settings for different sources of data, store the data in separate indexes according to the desired retention policy.

You can configure the number of days for data to be searchable by configuring the Searchable time (days) setting for an individual index.

To do this, go to Settings > Indexes, and select the index for which you want to change retention settings. Under Actions, select Edit to open settings for the index. In the Searchable time (days) field, enter the number of days you would like the data to be searchable, and click Save.

Index data is stored in directories called buckets. Data is deleted by deleting entire buckets, not individual events. When the maximum age or size of the index is reached, buckets are deleted or moved, oldest first, until the index no longer exceeds the configured limit. If you use data self storage or archiving, buckets are not deleted until the data is successfully moved to your self storage or archive location.
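The following is an added example, not Splunk code or part of the original manual: a small Python model of bucket-level retention, showing why whole-bucket deletion matters when you plan how long evidence stays searchable. The Bucket class, function names and sample values are constructed, and the rule that a bucket ages out only when its newest event is older than the searchable time is an assumption of this model.

```python
from dataclasses import dataclass

DAY = 86400  # seconds in a day


@dataclass(frozen=True)
class Bucket:
    name: str      # constructed label, not a real bucket directory name
    earliest: int  # epoch seconds of the oldest event in the bucket
    latest: int    # epoch seconds of the newest event in the bucket
    size_mb: int


def apply_retention(buckets, now, searchable_days, max_size_mb):
    """Return (kept, removed): age-based removal first, then size-based."""
    cutoff = now - searchable_days * DAY
    ordered = sorted(buckets, key=lambda b: b.latest)  # oldest bucket first
    # Assumption: a bucket is removed by age only once its newest event is past the cutoff.
    removed = [b for b in ordered if b.latest < cutoff]
    kept = [b for b in ordered if b.latest >= cutoff]
    # Size limit: remove the oldest remaining buckets until the index fits.
    while kept and sum(b.size_mb for b in kept) > max_size_mb:
        removed.append(kept.pop(0))
    return kept, removed


def stale_events_still_searchable(kept, now, searchable_days):
    """Names of surviving buckets that still hold events older than the window."""
    cutoff = now - searchable_days * DAY
    return [b.name for b in kept if b.earliest < cutoff]


# Constructed sample data: four buckets in one index, times relative to NOW.
NOW = 1_700_000_000
SAMPLE = [
    Bucket("b1", NOW - 120 * DAY, NOW - 100 * DAY, 400),
    Bucket("b2", NOW - 100 * DAY, NOW - 85 * DAY, 400),
    Bucket("b3", NOW - 85 * DAY, NOW - 40 * DAY, 500),
    Bucket("b4", NOW - 40 * DAY, NOW, 300),
]

if __name__ == "__main__":
    for limit_mb in (1200, 1000):
        kept, removed = apply_retention(SAMPLE, NOW, 90, limit_mb)
        print(limit_mb, "MB limit -> removed:", [b.name for b in removed],
              "kept:", [b.name for b in kept],
              "kept with events older than 90 days:",
              stale_events_still_searchable(kept, NOW, 90))
```

With the larger size limit, bucket b2 survives and keeps events up to 100 days old searchable; with the smaller limit, b2 is removed even though its newest event is only 85 days old.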

By default, data is retained for a maximum of 90 days. If you want to retain data for more than 90 days, contact Splunk Sales to purchase additional storage.

Data ingestion and daily license usage

Your Splunk Cloud license governs how much data you can load into your Splunk Cloud deployment per day (GMT). To see current and past daily data ingestion information in Splunk Web, use the Monitoring Console app. To do this, choose Apps, click Cloud Monitoring Console and navigate to the License Usage page. Splunk recommends you set up alerts in the system to monitor your license usage.

You can exceed your purchased daily index volume a maximum of five times in a calendar month. If you exceed your daily limit more than five times in a calendar month, what happens depends on the type of Splunk Cloud deployment you have, as follows:

  • Managed Splunk Cloud: Your Splunk sales representative may work with you to help you reduce your usage to stay within the purchased limit or to purchase the necessary increase. If you are unable or unwilling to abide by the applicable usage limit, you will pay any invoice for excess usage in accordance with your Terms of Service.
  • Self-service Splunk Cloud deployments: Your Splunk Cloud instance is locked. You can reset a locked instance three times in a 90-day period. To reset a locked instance, go to your Splunk customer portal and click the Unlock License button. To unlock your instance, your Splunk user must have administrator and instance owner level privilege.

If you consistently exceed your licensed limit, contact Splunk Sales to do a benchmark assessment to determine your volume needs and purchase an appropriate plan to handle your volume.

Backup policy

Splunk Cloud maintains a seven-day backup of data and configuration files. Backups run continuously.

This documentation applies to the following versions of Splunk Cloud: 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 8.0.0


Comments

In Splunk Enterprise and Splunk Cloud, the number of license violations is different, as follows.
Is this correct?
-----------------------------------------------------------
- Splunk Enterprise: five or more warnings in a rolling 30 day period
https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/Aboutlicenseviolations

- Splunk Cloud: a maximum of five times in a calendar month
-----------------------------------------------------------
If yes, I think it should be explicitly stated that the Splunk Cloud violation policy is different from that of Splunk Enterprise.

Hossyee
May 28, 2019
