Is my data local or remote?
If you use Splunk Cloud Platform or run Splunk Enterprise in the cloud, all data that you index is remote. If you use Splunk Enterprise on-premises, the answer to whether your data is local or remote depends on a number of things:
- The operating system on which your Splunk Enterprise instance resides.
- Where the data is physically.
- The types of data storage that are connected to the Splunk Enterprise instance.
- Whether or not you need to perform any authentication or other intermediate to access the data store that contains the data you want to index.
Local data
A local resource is a fixed resource that your Splunk Enterprise instance has direct access to. You are able to access a local resource, and whatever it contains, without having to attach, connect, or perform any other intermediate action, such as authenticating or mapping a network drive. If your data is on such a resource, the data is local.
Here are some examples of local data:
- Data on a hard disk or solid state drive installed in a desktop, laptop, or server host.
- Data on a resource that has been permanently mounted over a high-bandwidth physical connection that the machine can access at boot time.
- Data on a RAM disk.
Remote data
A remote resource is any resource that doesn't meet the definition of a local resource. Data that exists on such a resource is remote data.
Here are some examples of remote resources:
- Network drives on Windows hosts.
- Active Directory schemas.
- NFS or other network-based mounts on *nix hosts.
- Most cloud-based resources.
Remote data exceptions
There are some cases where resources might be considered remote, but they are actually local:
- A host has a volume that has been permanently mounted over a high-bandwidth physical connection, like USB or FireWire. Because the computer can mount the resource at boot time, Splunk Enterprise treats it as a local resource, even though the resource can theoretically be disconnected at a later time.
- A host has a resource that has been permanently mounted over a high-bandwidth network standard, like iSCSI, or to a Storage Area Network over fiber. Because the standard treats such volumes as local block devices, such a resource is considered local.
Get started with getting data in | Use forwarders to get data into Splunk Cloud Platform |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!