Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of SplunkCloud. Click here for the latest version.
Acrobat logo Download topic as PDF

Welcome to the Splunk Cloud Admin Manual

This manual contains information to help you get your data into Splunk Cloud.

Splunk Cloud delivers the benefits of award-winning Splunk® Enterprise as a cloud-based service. Using Splunk Cloud, you gain the functionality of the Splunk Enterprise platform for collecting, searching, monitoring, reporting, and analyzing all of your real-time and historical machine data using a cloud service that is centrally and uniformly delivered by Splunk to its large number of cloud customers, from Fortune 100 companies to small and medium-size businesses. Splunk manages and updates the Splunk Cloud service uniformly, so all customers of Splunk Cloud receive the most current features and functionality.

Features of Splunk Cloud

Splunk Cloud is available in multiple regions. For details please refer to the Splunk Cloud Service Description. The following table lists major features of Splunk Cloud.

Feature Description
Data Collection You can send data to Splunk Cloud as follows:

Using Splunk forwarders: There are two types of forwarder software: universal forwarder and heavy forwarder. In most situations, the universal forwarder is the best forwarder for Splunk Cloud since it includes the essential components that it needs to forward data, uses significantly fewer hardware resources and is inherently scalable. For certain use cases when data needs to be parsed prior to forwarding or data needs to be forwarded based on criteria such as source or type of event, a heavy forwarder is required.

Using HTTP Event Collector (HEC): HEC lets you send data and application events using a token-based authentication mode to Splunk Cloud over the Secure HTTP (HTTPS) protocol. You can generate a token and then configure a logging library or HTTPS client with the token to send data to HEC in a specific format.

Using AWS Kinesis Data Firehose: AWS Kinesis Data Firehose is a fully managed, scalable, and serverless option for streaming data from various AWS services directly into Splunk Cloud.

Ingestion Splunk Cloud indexes incoming data so you can search it. During indexing, data is partitioned into logical indexes, which you can configure to facilitate searching and control users' access to data in specific indexes.
Inputs Data Manager The Inputs Data Manager (IDM) is a hosted solution for Splunk Cloud for scripted and modular inputs. To use scripted or modular inputs, you must package them in a private app and request that Support uploads it to your IDM. The app must be vetted like any other private app. However, note that an IDM is not a one-to-one replacement for a heavy forwarder. You still need to use a heavy forwarder if you need to perform parsing or activities other than standard scripted and modular data inputs. As a best practice, cloud-based add-ons should be installed on an IDM, and on-premise-based add-ons should be installed on a forwarder or heavy forwarder. Note: If the add-on is tightly integrated with an Enterprise Security search head, you should not use IDM.
Retention When you send data to Splunk Cloud, it is stored in indexes and you can self-manage your Splunk Cloud indexes settings using the Indexes page in Splunk Web. Splunk Cloud retains data based on index settings that enable you to specify when data is to be deleted. To configure different data retention settings for different sources of data, store the data in separate indexes according to the desired retention policy. You can configure different data retention policies for individual indexes according to your auditing and compliance requirements. Each index allows you to specify the maximum age of events in the index (specified in the Retention (days) field) on the Indexes page uses to determine when to delete data. When the index reaches the specified maximum age, the oldest data is deleted.
Search Splunk Cloud allows you to search and navigate all of the machine data that you ingest into the service. Searches can be done using the Splunk Search Processing Language (SPL), or using alternative ways to display and analyze data graphically without composing SPL queries. Searches can be ad-hoc and scheduled, with results in the form of visualizations, reports, and alerts.
Reports Reports are saved searches and pivots. You can run reports on an ad hoc basis, schedule them to run on a regular interval, or set scheduled reports to generate alerts when the results of their runs meet particular conditions. You can add reports to dashboards as dashboard panels. (More information)
Dashboards Dashboards are made up of panels that contain modules such as search boxes, fields, charts, tables, forms, and so on. Dashboard panels are usually hooked up to saved searches or pivots. They can display the results of completed searches as well as data from backgrounded real-time searches. (More information)
Administration You can use Splunk Cloud to performing the following administrative tasks:

In Splunk Cloud, you usually use Splunk Web to perform administrative tasks. Unlike Splunk Enterprise, you do not have access to the command line or file system of your Splunk Cloud deployment, so you cannot use CLI commands or manually edit .conf files. If there is a task that you need to perform, but cannot do so from the Splunk Web interface, you can file a ticket using the Support Portal.

REST API access Many administrative tasks can be done using the Splunk REST API. Splunk Cloud supports the same REST endpoints as Splunk Enterprise. For details about REST endpoints, refer to the REST API Reference Manual. To use the REST API, you must have a paid subscription to Splunk Cloud.

You cannot use SAML authentication with the REST API.

To enable the Splunk REST API and SDKs:

  1. Submit a support case on the Support Portal to request access. You can specify a range of IP addresses to control who can access the REST API.
  2. After you have gained access, use the following URL: https://<deployment-name>.cloud.splunk.com:8089

Supported browsers

Splunk Cloud supports the following browsers:

  • Chrome (latest)
  • Firefox (latest)
  • Internet Explorer 11 (Splunk Cloud does not support this browser in Compatibility Mode.)
  • Safari (latest)

Third Party Documentation

As a convenience, this document includes instructions for using non-Splunk software to get data from varying platforms into Splunk Cloud. Splunk does not warrant the performance of non-Splunk software based on the instructions in this documentation. Please review the product documentation provided by the other software providers before following these instructions. The screenshots and instructions in this documentation are updated on a best-effort basis.

Splunk Technical Support

Splunk Standard Support is included in every Splunk Cloud subscription. For details about the levels of technical support provided, read Support Programs. Only authorized support contacts from your company can open cases. Your Splunk support agreement specifies who your authorized contacts are. Your Support contract specifies a number of authorized contacts, and an expiration date. One of your contacts is a Support portal administrator, who can update the list. Only an authorized contact can open a case and track its status. An authorized contact can file a case in one of two ways:

  • Log in to splunk.com and navigate to the Support Portal.
  • In Splunk Cloud, click About and select File a Bug.

Splunk Support portal

Designated Splunk Cloud users can manage operational contacts for their account and file support cases using the Support portal. Operational contacts are the people in your organization who are notified when their Splunk Cloud environment undergoes maintenance or experiences an event that affects performance.

To manage operational contacts:

  1. Go to My Operational Contacts in the Support portal.
  2. Follow the instructions on the page to add, edit, and remove operational contacts for your Splunk Cloud environment.

To file a case on the Support portal:

  1. From the Splunk installation is? dropdown, select the state of your deployment.
  2. In Subject, summarize your issue. Splunk Support sees the first 250 characters in this field.
  3. In What Product are you having trouble with? select Splunk Cloud.
  4. In What OS are you using? select Linux.
  5. Leave What OS Version are you using? blank.
  6. In I need help with... select a category that applies to your issue.
  7. In What is the impact... explain briefly how this issue disrupts your work.
  8. In the Problem Description, be thorough. For issues (as opposed to enhancement requests), include the exact time of the issue and its duration, the type of Splunk instance experiencing the issue (for example, forwarder, search head, or indexers), and any relevant screen shots.
  9. Include Steps to reproduce if you've found a specific scenario that triggers the issue.
  10. Click Submit. The portal directs you to a screen with a case number and sends you an email containing the case number.

Splunk Support replies to the case creator by email. You can update the case by replying to the email (be sure to keep the tracking ID in the email subject line). You can also update the case, check on its status, or close a case using the support portal.

Splunk community

The Splunk user community is a great resource. Check out Splunk Answers, where you can ask and answer questions about the product. There are also a number of other ways to get involved in the Splunk community, such as user groups or the Splunk Trust. For more information about getting involved with the Splunk community, see the Community portal.

Learn more about Splunk products

For detailed information about the Splunk platform, see the following resources:

About apps and add-ons

Apps and add-ons extend the power of Splunk products to help you get value from your data faster. To browse Splunk apps and add-ons, see Splunkbase. If you develop your own app, read Splunk Developer Guidance. For an example of a properly constructed app, see the Splunk Reference App.

Last modified on 18 May, 2021
Splunk Cloud Platform deployment types

This documentation applies to the following versions of Splunk Cloud Platform: 8.0.2006, 8.0.2007, 8.1.2009, 8.1.2011, 8.1.2012, 8.1.2101

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters