Splunk Cloud Platform

Getting Data In

Is my data local or remote?

If you use Splunk Cloud Platform or run Splunk Enterprise in the cloud, all data that you index is remote. If you use Splunk Enterprise on-premises, the answer to whether your data is local or remote depends on a number of things:

  • The operating system on which your Splunk Enterprise instance resides.
  • Where the data is physically.
  • The types of data storage that are connected to the Splunk Enterprise instance.
  • Whether or not you need to perform any authentication or other intermediate to access the data store that contains the data you want to index.

Local data

A local resource is a fixed resource that your Splunk Enterprise instance has direct access to. You are able to access a local resource, and whatever it contains, without having to attach, connect, or perform any other intermediate action, such as authenticating or mapping a network drive. If your data is on such a resource, the data is local.

Here are some examples of local data:

  • Data on a hard disk or solid state drive installed in a desktop, laptop, or server host.
  • Data on a resource that has been permanently mounted over a high-bandwidth physical connection that the machine can access at boot time.
  • Data on a RAM disk.

Remote data

A remote resource is any resource that doesn't meet the definition of a local resource. Data that exists on such a resource is remote data.

Here are some examples of remote resources:

  • Network drives on Windows hosts.
  • Active Directory schemas.
  • NFS or other network-based mounts on *nix hosts.
  • Most cloud-based resources.

Remote data exceptions

There are some cases where resources might be considered remote, but they are actually local:

  • A host has a volume that has been permanently mounted over a high-bandwidth physical connection, like USB or FireWire. Because the computer can mount the resource at boot time, Splunk Enterprise treats it as a local resource, even though the resource can theoretically be disconnected at a later time.
  • A host has a resource that has been permanently mounted over a high-bandwidth network standard, like iSCSI, or to a Storage Area Network over fiber. Because the standard treats such volumes as local block devices, such a resource is considered local.
Last modified on 27 February, 2023
Get started with getting data in   Use forwarders to get data into Splunk Cloud Platform

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters