Welcome to the Splunk Cloud Platform Admin Manual
This manual contains information to help you administer your Splunk Cloud Platform deployment.
Splunk Cloud Platform delivers the benefits of award-winning Splunk® Enterprise as a cloud-based service. Using Splunk Cloud Platform, you gain the functionality of the Splunk Enterprise platform for collecting, searching, monitoring, reporting, and analyzing all of your real-time and historical machine data using a cloud service that is centrally and uniformly delivered by Splunk to its large number of cloud customers, from Fortune 100 companies to small and medium-size businesses. Splunk manages and updates the Splunk Cloud Platform service uniformly, so all customers of Splunk Cloud Platform receive the most current features and functionality.
If you're a new Splunk Cloud Platform administrator, or a Splunk Enterprise administrator planning a move to Splunk Cloud Platform, visit the Splunk Cloud Platform Migration section of the Splunk Lantern Resource Hub for helpful guidance from Splunk experts.
Splunk Cloud Platform features
Splunk Cloud Platform is available in multiple regions. For details please refer to the Splunk Cloud Platform Service Description. The following table lists major features of Splunk Cloud Platform.
|Data Collection||You can send data to Splunk Cloud Platform as follows:
Using Splunk forwarders: There are two types of forwarder software: universal forwarder and heavy forwarder. In most situations, the universal forwarder is the best forwarder for Splunk Cloud Platform since it includes the essential components that it needs to forward data, uses significantly fewer hardware resources and is inherently scalable. For certain use cases when data needs to be parsed prior to forwarding or data needs to be forwarded based on criteria such as source or type of event, a heavy forwarder is required.
Using HTTP Event Collector (HEC): HEC lets you send data and application events using a token-based authentication mode to Splunk Cloud Platform over the Secure HTTP (HTTPS) protocol. You can generate a token and then configure a logging library or HTTPS client with the token to send data to HEC in a specific format.
Using AWS Kinesis Data Firehose: AWS Kinesis Data Firehose is a fully managed, scalable, and serverless option for streaming data from various AWS services directly into Splunk Cloud Platform.
|Ingestion||Splunk Cloud Platform indexes incoming data so you can search it. During indexing, data is partitioned into logical indexes, which you can configure to facilitate searching and control users' access to data in specific indexes.|
|Inputs Data Manager||The Inputs Data Manager (IDM) is a hosted solution for Splunk Cloud Platform that supports scripted and modular inputs for customers on the Classic Experience. To use scripted or modular inputs, you must package them in a private app and request that Support uploads the app to your IDM. The app must be vetted like any other private app.|
The IDM is not a one-to-one replacement for a heavy forwarder. You must still use a heavy forwarder if you need to perform parsing or activities other than standard scripted and modular data inputs. As a best practice, cloud-based add-ons should be installed on an IDM, and on-premise-based add-ons should be installed on a forwarder or heavy forwarder.
If the add-on is tightly integrated with an Enterprise Security search head, you should not use the IDM.
For more information on using the IDM with the Classic Experience, see Work with Inputs Data Manager.
For more information about the Splunk Cloud Platform Classic and Victoria Experiences, see the following:
|Retention||When you send data to Splunk Cloud Platform, it is stored in indexes and you can self-manage your Splunk Cloud Platform indexes settings using the Indexes page in Splunk Web. Splunk Cloud Platform retains data based on index settings that enable you to specify when data is to be deleted. To configure different data retention settings for different sources of data, store the data in separate indexes according to the desired retention policy. You can configure different data retention policies for individual indexes according to your auditing and compliance requirements. Each index allows you to specify the maximum age of events in the index (specified in the Retention (days) field) on the Indexes page uses to determine when to delete data. When the index reaches the specified maximum age, the oldest data is deleted.|
|Search||Splunk Cloud Platform allows you to search and navigate all of the machine data that you ingest into the service. Searches can be done using the Splunk Search Processing Language (SPL), or using alternative ways to display and analyze data graphically without composing SPL queries. Searches can be ad-hoc and scheduled, with results in the form of visualizations, reports, and alerts.|
|Reports||Reports are saved searches and pivots. You can run reports on an ad hoc basis, schedule them to run on a regular interval, or set scheduled reports to generate alerts when the results of their runs meet particular conditions. You can add reports to dashboards as dashboard panels. (More information)|
|Dashboards||Dashboards are made up of panels that contain modules such as search boxes, fields, charts, tables, forms, and so on. Dashboard panels are usually hooked up to saved searches or pivots. They can display the results of completed searches as well as data from backgrounded real-time searches. (More information)|
|Administration||You can use Splunk Cloud Platform to perform the following administrative tasks:
In Splunk Cloud Platform, you usually use Splunk Web to perform administrative tasks. Unlike Splunk Enterprise, you do not have access to the command line or file system of your Splunk Cloud Platform deployment, so you cannot use CLI commands or manually edit .conf files. If there is a task that you need to perform, but cannot do so from the Splunk Web interface, you can file a ticket using the Support Portal.
|REST API access||Some administrative tasks can be done using the Splunk REST API. Splunk Cloud Platform supports a subset of the REST API endpoints available in Splunk Enterprise. For more information on supported REST endpoints, see the REST API Reference Manual. To use the REST API, you must have a paid subscription to Splunk Cloud Platform.|
To enable the Splunk REST API and SDKs:
Splunk Cloud Platform supports the following browsers:
- Chrome (latest)
- Firefox (latest)
- Safari (latest)
Third Party Documentation
As a convenience, this document includes instructions for using non-Splunk software to get data from varying platforms into Splunk Cloud Platform. Splunk does not warrant the performance of non-Splunk software based on the instructions in this documentation. Please review the product documentation provided by the other software providers before following these instructions. The screenshots and instructions in this documentation are updated on a best-effort basis.
Splunk Technical Support
Splunk Standard Support is included in every Splunk Cloud Platform subscription. For details about the levels of technical support provided, read Support Programs. Only authorized support contacts from your company can open cases. Your Splunk support agreement specifies who your authorized contacts are. Your Support contract specifies a number of authorized contacts, and an expiration date. One of your contacts is a Support portal administrator, who can update the list. Only an authorized contact can open a case and track its status. An authorized contact can file a case in one of two ways:
- Log in to splunk.com and navigate to the Support Portal.
- In Splunk Cloud Platform, click About and select File a Bug.
Splunk Support portal
Splunk Cloud Platform users who are registered with Splunk Support as a Splunk Cloud entitlement contact for their account can manage operational contacts for their account and file support cases using the Support portal. Operational contacts are the people in your organization who are notified when their Splunk Cloud Platform environment undergoes maintenance or experiences an event that affects performance.
For more information on working with Splunk Support and understanding the difference between entitlement and operational contacts, visit the Splunk website and log into the Support Portal.
To manage operational contacts:
- Go to My Operational Contacts in the Support portal.
- Follow the instructions on the page to add, edit, and remove operational contacts for your Splunk Cloud Platform environment.
To file a case on the Support Portal:
- From the Splunk installation is? dropdown, select the state of your deployment.
- In Subject, summarize your issue. Splunk Support sees the first 250 characters in this field.
- In What Product are you having trouble with? select Splunk Cloud.
- In What OS are you using? select Linux.
- Leave What OS Version are you using? blank.
- In I need help with... select a category that applies to your issue.
- In What is the impact... explain briefly how this issue disrupts your work.
- In the Problem Description, be thorough. For issues (as opposed to enhancement requests), include the exact time of the issue and its duration, the type of Splunk instance experiencing the issue (for example, forwarder, search head, or indexers), and any relevant screen shots.
- Include Steps to reproduce if you've found a specific scenario that triggers the issue.
- Click Submit. The portal directs you to a screen with a case number and sends you an email containing the case number.
Splunk Support replies to the case creator by email. You can update the case by replying to the email (be sure to keep the tracking ID in the email subject line). You can also update the case, check on its status, or close a case using the support portal.
The Splunk user community is a great resource. Check out Splunk Answers, where you can ask and answer questions about the product. There are also a number of other ways to get involved in the Splunk community, such as user groups or the Splunk Trust. For more information about getting involved with the Splunk community, see the Community portal.
Learn more about Splunk products
For detailed information about the Splunk platform, see the following resources:
- Splunk Docs is Splunk user documentation.
- Splunk Education offers courses on-site, off-site, and on the Web.
- Splunk Lantern provides clear and actionable guidance for many use cases.
- Splunk Videos offer training and demos on a variety of topics.
About apps and add-ons
Apps and add-ons extend the power of Splunk products to help you get value from your data faster. To browse Splunk apps and add-ons, see Splunkbase. If you develop your own app, read Splunk Developer Guidance. For an example of a properly constructed app, see the Splunk Reference App.
Splunk Cloud Platform deployment types
This documentation applies to the following versions of Splunk Cloud Platform™: 8.1.2103, 8.2.2105, 8.2.2106, 8.2.2107, 8.2.2109, 8.2.2111, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release)