Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

Welcome to the Splunk Cloud Platform Admin Manual

This manual contains information to help you administer your Splunk Cloud Platform deployment.

Splunk Cloud Platform delivers the benefits of-winning Splunk® Enterprise as a cloud-based service. Using Splunk Cloud Platform, you gain the functionality of the Splunk Enterprise platform for collecting, searching, monitoring, reporting, and analyzing all of your real-time and historical machine data using a cloud service that is centrally and uniformly delivered by Splunk to its large number of cloud customers, from Fortune 100 companies to small and medium-size businesses. Splunk manages and updates the Splunk Cloud Platform service uniformly, so all customers of Splunk Cloud Platform receive the most current features and functionality.

If you're a new Splunk Cloud Platform administrator, or a Splunk Enterprise administrator planning a move to Splunk Cloud Platform, visit the Splunk Cloud Platform Migration section of the Splunk Lantern Resource Hub for helpful guidance from Splunk experts.

If you're interested in using Splunk Cloud Platform with Splunk Observability Cloud, see Splunk Observability Cloud and the Splunk platform.

Splunk Cloud Platform features

Splunk Cloud Platform is available in multiple regions. For details please refer to the Splunk Cloud Platform Service Description. The following table lists major features of Splunk Cloud Platform.

Feature Description
Data Collection You can send data to Splunk Cloud Platform as follows:

Using Splunk forwarders: There are two types of forwarder software: universal forwarder and heavy forwarder. In most situations, the universal forwarder is the best forwarder for Splunk Cloud Platform since it includes the essential components that it needs to forward data, uses significantly fewer hardware resources and is inherently scalable. For certain use cases when data needs to be parsed prior to forwarding or data needs to be forwarded based on criteria such as source or type of event, a heavy forwarder is required.

Using HTTP Event Collector (HEC): HEC lets you send data and application events using a token-based authentication mode to Splunk Cloud Platform over the Secure HTTP (HTTPS) protocol. You can generate a token and then configure a logging library or HTTPS client with the token to send data to HEC in a specific format.

Using AWS Kinesis Data Firehose: AWS Kinesis Data Firehose is a fully managed, scalable, and serverless option for streaming data from various AWS services directly into Splunk Cloud Platform.


Ingestion Splunk Cloud Platform indexes incoming data so you can search it. During indexing, data is partitioned into logical indexes, which you can configure to facilitate searching and control users' access to data in specific indexes.
Inputs Data Manager The Inputs Data Manager (IDM) is a hosted solution for Splunk Cloud Platform that supports scripted and modular inputs for customers on the Classic Experience. To use scripted or modular inputs, you must package them in a private app and request that Support uploads the app to your IDM. The app must be vetted like any other private app.

The IDM is not a one-to-one replacement for a heavy forwarder. You must still use a heavy forwarder if you need to perform parsing or activities other than standard scripted and modular data inputs. As a best practice, cloud-based add-ons should be installed on an IDM, and on-premise-based add-ons should be installed on a forwarder or heavy forwarder.

If the add-on is tightly integrated with an Enterprise Security search head, you should not use the IDM.

For more information on using the IDM with the Classic Experience, see Work with Inputs Data Manager.

For more information about the Splunk Cloud Platform Classic and Victoria Experiences, see the following:

Retention When you send data to Splunk Cloud Platform, it is stored in indexes and you can self-manage your Splunk Cloud Platform indexes settings using the Indexes page in Splunk Web. Splunk Cloud Platform retains data based on index settings that enable you to specify when data is to be deleted. To configure different data retention settings for different sources of data, store the data in separate indexes according to the desired retention policy. You can configure different data retention policies for individual indexes according to your auditing and compliance requirements. Each index allows you to specify the maximum age of events in the index (specified in the Retention (days) field) on the Indexes page uses to determine when to delete data. When the index reaches the specified maximum age, the oldest data is deleted.
Search Splunk Cloud Platform allows you to search and navigate all of the machine data that you ingest into the service. Searches can be done using the Splunk Search Processing Language (SPL), or using alternative ways to display and analyze data graphically without composing SPL queries. Searches can be ad-hoc and scheduled, with results in the form of visualizations, reports, and alerts.
Reports Reports are saved searches and pivots. You can run reports on an ad hoc basis, schedule them to run on a regular interval, or set scheduled reports to generate alerts when the results of their runs meet particular conditions. You can add reports to dashboards as dashboard panels. (More information)
Dashboards Dashboards are made up of panels that contain modules such as search boxes, fields, charts, tables, forms, and so on. Dashboard panels are usually hooked up to saved searches or pivots. They can display the results of completed searches as well as data from backgrounded real-time searches. (More information)
Administration You can use Splunk Cloud Platform to perform the following administrative tasks:

In Splunk Cloud Platform, you usually use Splunk Web to perform administrative tasks. Unlike Splunk Enterprise, you do not have access to the command line or file system of your Splunk Cloud Platform deployment, so you cannot use CLI commands or manually edit .conf files. If there is a task that you need to perform, but cannot do so from the Splunk Web interface, you can file a ticket using the Support Portal.

REST API access Some administrative tasks can be done using the Splunk REST API. Splunk Cloud Platform supports a subset of the REST API endpoints available in Splunk Enterprise. For more information on supported REST endpoints, see the REST API Reference Manual. To use the REST API, you must have a paid subscription to Splunk Cloud Platform.

To enable the Splunk REST API and SDKs:

  1. Submit a support case on the Support Portal to request access. You can specify a range of IP addresses to control who can access the REST API.
  2. After you have gained access, use the following URL: https://<deployment-name>.splunkcloud.com:8089

Supported browsers

Splunk Cloud Platform supports the following browsers:

  • Chrome (latest)
  • Firefox (latest)
  • Safari (latest)
  • Microsoft Edge (latest)

Use IPv6 support with dual-stack configuration

Splunk Forwarder now supports IPv6 as a dual-stack IPv4/IPv6 configuration as an Early Access feature. If you are using dual-stack IPv6 support in your configuration, your Splunk Support engineer can help you configure Splunk Cloud Platform to use IPv6. See Use dual-stack IPv6 support for more information.

Note that during Early Access releases, Splunk products may have limitations on customer access, features, maturity, and regional availability. For additional information on Early Access please contact your Splunk representative.

Third Party Documentation

As a convenience, this document includes instructions for using non-Splunk software to get data from varying platforms into Splunk Cloud Platform. Splunk does not warrant the performance of non-Splunk software based on the instructions in this documentation. Please review the product documentation provided by the other software providers before following these instructions. The screenshots and instructions in this documentation are updated on a best-effort basis.

Splunk Technical Support

Splunk Standard Support is included in every Splunk Cloud Platform subscription. For details about the levels of technical support provided, read Support Programs. Only authorized support contacts from your company can open cases. Your Splunk support agreement specifies who your authorized contacts are. Your Support contract specifies a number of authorized contacts, and an expiration date. One of your contacts is a Support portal administrator, who can update the list. Only an authorized contact can open a case and track its status. An authorized contact can file a case in one of two ways:

  • Log in to splunk.com and navigate to the Support Portal.
  • In Splunk Cloud Platform, click About and select File a Bug.

Splunk Support portal

Splunk Cloud Platform users who are registered with Splunk Support as a Splunk Cloud entitlement contact for their account can manage operational contacts for their account and file support cases using the Support portal. Operational contacts are the people in your organization who are notified when their Splunk Cloud Platform environment undergoes maintenance or experiences an event that affects performance.

For more information on working with Splunk Support and understanding the difference between entitlement and operational contacts, visit the Splunk website and log into the Support Portal.

To manage operational contacts:

  1. Go to My Operational Contacts in the Support Portal.
  2. Follow the instructions on the page to add, edit, and remove operational contacts for your Splunk Cloud Platform environment.

To file a case on the Support Portal:

  1. In the Support portal select Get started and then Create Case.
  2. Follow the process to open a support case for the Splunk Cloud product.

Splunk Support replies to the case creator by email. You can update the case by replying to the email (be sure to keep the tracking ID in the email subject line). You can also update the case, check on its status, or close a case using the Support Portal.

Splunk community

The Splunk user community is a great resource. Check out Splunk Answers, where you can ask and answer questions about the product. There are also a number of other ways to get involved in the Splunk community, such as user groups or the Splunk Trust. For more information about getting involved with the Splunk community, see the Community portal.

Learn more about Splunk products

For detailed information about the Splunk platform, see the following resources:

About apps and add-ons

Apps and add-ons extend the power of Splunk products to help you get value from your data faster. To browse Splunk apps and add-ons, see Splunkbase. If you develop your own app, read Splunk Developer Guidance. For an example of a properly constructed app, see the Splunk Reference App.

Last modified on 26 September, 2024
  Splunk Cloud Platform deployment types

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters