Splunk Cloud

FAQ for Splunk Cloud


Thank you for your interest in Splunk Cloud. To help you understand this valuable managed cloud service, Splunk has prepared a short description of the service at http://docs.splunk.com/Documentation/SplunkCloud/latest/Service/SplunkCloudservice, as well as the following FAQ.

General Splunk Cloud FAQ

Question Answer
What is Splunk Cloud? Splunk Cloud delivers the benefits of award-winning Splunk® Enterprise, as a cloud-based service. Using Splunk Cloud, you gain the functionality of the Splunk Enterprise platform for collecting, searching, monitoring, reporting and analyzing all of your real-time and historical machine data via a cloud service centrally and uniformly delivered by Splunk to its large number of cloud customers, from Fortune 100 companies to small and medium size businesses. Splunk manages and updates the Splunk Cloud service uniformly, so all customers of Splunk Cloud receive the most current features and functionality.
What are the terms of service (TOS) for Splunk Cloud? You can view the terms of service within Splunk Cloud when you first log in. You can also read the terms of service here.
What is Splunk Cloud's pricing? Splunk Cloud pricing is based on the volume of uncompressed data that the customer wants to index on a daily basis. Customers can optionally add subscriptions for additional storage capacity to store more data, encryption service to maintain privacy of data at rest, and the additional functionality of Splunk premium solutions such as Enterprise Security and IT Service Intelligence.
What is Splunk's Service Level Agreement? Splunk provides an uptime SLA for Splunk Cloud. Customers receive service credits in the event of SLA failures, as set forth in our current SLA schedule. As Splunk Cloud is offered uniformly across all customers, the SLA cannot be modified on a customer by customer basis. More SLA schedule details can be found here.
In which AWS zones is Splunk Cloud available? Splunk Cloud is available in the following Amazon Web Services (AWS) regions: US (Virginia, Oregon, GovCloud), EU (Dublin, Frankfurt, London), Asia Pacific (Singapore, Sydney, Tokyo) and Canada (Central). For details, contact your sales representative or email sales@splunk.com before purchasing.
How is Splunk Cloud different from Splunk Enterprise software? Splunk Cloud delivers the features of Splunk Enterprise software as a standardized, cloud-based service. Splunk manages the Splunk Cloud service. When customers purchase a license to on-premise Splunk Enterprise software, customers install the product in their own datacenters or on public or private clouds, taking responsibility for infrastructure and administration. Customers who are familiar with Splunk Enterprise architecture should not make assumptions about the architecture or operational aspects of Splunk software deployed in the Splunk Cloud service. For details, go here.
Can Splunk premium solutions and Splunk apps be added to Splunk Cloud? Yes. Subscriptions for Splunk premium solutions such as Enterprise Security and IT Service Intelligence, and for apps such as Splunk App for VMware and Splunk App for Microsoft Exchange can optionally be added to Splunk Cloud. Contact your Splunk sales representative or email sales@splunk.com for more details.
Can I send data to Splunk Cloud using a Splunk forwarder? Yes. Use the Universal Forwarder app available in Splunk Cloud. The Universal Forwarder app includes the information and authentication credentials needed to install Splunk forwarder software on your network and send data to Splunk Cloud. After you sign in to Splunk Cloud, choose Universal Forwarder from the Apps menu and follow the Universal Forwarder app instructions.
Can I use the REST API, HTTP Event Collector (HEC), and SDKs with Splunk Cloud? You can use the REST API, HEC, and SDKs with Splunk Cloud. For more information about using HTTP Event Collector with Splunk Cloud, see http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/AboutHEC.

Splunk Cloud Security and Privacy FAQ

Question Answer
How does Splunk protect customer data? Splunk understands that the security and privacy of your data is of the utmost importance to you and your organization, and Splunk makes this a top priority. Splunk Cloud is designed and delivered using key security controls such as instance security, data isolation, data encryption, user authentication (integrated with single sign-on solutions including two factor authentication), and other data handling controls, such as access controls, auditability, and assurance of data integrity.
  • Encryption. Splunk Cloud uses industry standard SSL encryption for all data in transit. Each forwarder and user session is secured in this manner with no exceptions. Splunk Cloud offers encryption for data at rest (for an additional fee) using AES 256-bit encryption. Splunk Cloud customers work with Splunk Cloud Support to manage their encryption keys. Keys are rotated on a routine basis and are under continuous monitoring.
  • Controls. Splunk uses security controls described in Splunk's most recent Service Organization Control II Type II Report (SOC 2 Type 2 Report). You may obtain a copy of Splunk's most recent SOC 2 Type 2 Report upon request subject to Splunk's standard NDA.
  • Compliance attestations. Splunk has attained a number of compliance attestations/certifications to provide customers with independent third-party validation of our efforts to safeguard customer data. Splunk has contracted with industry-leading auditors as part of our commitment to adhere to industry standards worldwide. Working together with our audit partners, SOC 2 Type 2 attestation and ISO 27001 certification are available for Splunk Cloud customer environments.
  • Data Privacy – Transfers of Personal Data. Splunk is certified to the EU-U.S. Privacy Shield Framework with the U.S. Department of Commerce to help ensure that our customers' transfer of personal data from Europe to the U.S. meets the requirements of EU data protection law. Splunk's certification can be found here.
  • Background screening. Splunk conducts criminal background checks on all employees prior to hire, to the extent allowed under applicable law, as further described in Splunk's SOC 2 Type 2 Report.
Can I attach my own security terms to the Terms of Service? No. Splunk provides the Splunk Cloud service uniformly for all customers. As a service provided to a large number of customers, the security measures and controls that Splunk implements are the same for every customer, and Splunk cannot implement different controls for any one customer. Splunk is transparent with its security controls, and each Splunk Cloud customer must review these controls and make its own determination regarding the adequacy of the controls for their particular needs.
When does Splunk delete data? Customer data retention in Splunk Cloud is based on the specific data retention volumes and periods purchased by a customer, as well as the retention settings selected by a customer. If you enable Dynamic Data Self-Storage to export your ingested data, the oldest data is moved to your AWS S3 account in the same region as your Splunk Cloud before it is deleted from the index. Aside from the deletion that occurs in accordance with a customer's purchased data retention volume and specified retention settings, Splunk will specifically delete a customer's data 31 days after the end of the customer's subscription period. Once data is deleted, or 31 days after the end of a customer subscription, the data can no longer be recovered. For details, go here and here.
How does Splunk store and retain customer data? Data retention is based on the parameters that the customer purchases and selects for Splunk Cloud. Customers can tailor retention options (for additional fees) for any duration required. Customers are solely responsible for archiving their data by exporting the data to a customer-owned AWS S3 account.
How do I add more storage to allow higher indexing volume and longer data retention duration? To increase the storage available in your Splunk Cloud environment, please contact your Splunk sales representative or email sales@splunk.com.
How do I delete data stored in my Splunk deployment? Splunk Cloud administrators can delete indexes and the data that they contain. (See Remove indexes and indexed data for details.) An administrative user with the can_delete role can hide data without deleting it from an index. To hide data, search for the data, then pipe it to the delete command:

<your search> | delete

The delete command is irreversible. If you want to access the hidden data after using the delete command, you must re-index the applicable data sources.

How do I retrieve my data if I stop using Splunk Cloud? Prior to termination of a Splunk Cloud subscription, you can enable Dynamic Data Self-Storage to export your aged data to your Amazon S3 account in the same region. Note that self-service export is not available for your configuration data. If you choose to use Dynamic Data Self-Storage to export your aged ingested data, you must do so prior to termination of your subscription. You are responsible for AWS charges you incur for your use of Amazon S3. Splunk will delete your data remaining in Splunk Cloud thirty-one (31) days after the end of your subscription period.

Splunk Cloud Compliance FAQ

Question Answer
How can Splunk Cloud address my long term data retention requirements? Splunk Cloud accommodates customers who have long term data retention requirements. You can purchase additional storage in Splunk Cloud to store more data. Alternatively, you can export your data out of Splunk Cloud and into your own AWS S3 account.
What are the terms of Limitation of Liability? Splunk offers market standard terms for limitation of liability in its Terms of Service. The limitation of liability is mutual, allows both parties to disclaim any consequential and incidental damages, and caps the liability of both parties to an amount that is commensurate with the value of your subscription. This approach is an integral part of our cloud offering that enables us to provide Splunk Cloud at favorable prices.
Will Splunk review my SaaS agreement? Splunk Cloud is a uniform service provided under the same terms to all customers. Splunk's cloud operations team, support team, and other Splunk resources provide the services in accordance with Splunk policies and procedures, and Splunk is not able to adjust its services specifically for any one customer. Splunk's Terms of Service is carefully and specifically drafted and structured to reflect the manner that Splunk offers its service. Therefore, Splunk can only offer Splunk Cloud under its Terms of Service. It cannot accommodate any customer SaaS agreement.
Can I audit Splunk Cloud? Splunk does not permit customers to audit Splunk Cloud operations or facilities. This is due to Splunk's confidentiality commitments and obligations to its other customers, as well as Splunk's inability to provide access to AWS facilities. However, Splunk contracts with independent third parties to annually audit Splunk Cloud's compliance with its security attestations (e.g., SOC 2, ISO 27001, etc.).
Does Splunk allow for acceptance testing? Splunk does not allow for acceptance testing. Splunk recommends that you select a free trial if you require functionality or capacity verification before purchasing a subscription.
How does Splunk ensure data and service durability? For the purpose of data and service durability, Splunk Cloud backs up customer configurations and replicates recent data on a rolling seven-day window. Configuration data is backed up daily on a rolling seven-day window. Splunk Cloud replicates ingested data and stores three copies of the ingested data on disk. Splunk Cloud also operates across multiple AWS Availability Zones (AZ), which provides redundancy in the event of an AZ failure. You can optionally choose to export data from Splunk Cloud to your own Amazon S3 account for compliance and archiving purposes.
I am required to have my SaaS services running in GovCloud. Can I use Splunk Cloud? Yes. To purchase a GovCloud version of Splunk Cloud, please contact your Splunk sales representative or email sales@splunk.com.
I have a requirement to have my data maintained in a regulated HIPAA or PCI DSS cloud environment to assist me with meeting compliance needs. Can I use Splunk Cloud? Yes. To purchase a HIPAA or PCI DSS version of Splunk Cloud, please contact your Splunk sales representative or email sales@splunk.com.

Splunk Maintenance and Support FAQ

Question Answer
What can Splunk support help me with? Contact Splunk support by submitting a case on the Support Portal to:
  • report an inability to login, ingest data, access Splunk Web or perform searches
  • unlock your instance due to license violations
  • enable real-time search or AWS Kinesis Data Firehose data to be received
  • schedule Splunk Cloud upgrades
How do I open or close a Splunk support case? Submit a case on the Support Portal.
Which release will be installed in my Splunk Cloud environment? Splunk Cloud adopts the release that has the most benefits for Splunk Cloud customers as quickly as possible. You are notified as soon as possible when the latest release is available for your Splunk Cloud. Notifications are sent through the Splunk Support organization to the contacts listed in your profile.
Can I decline an upgrade to the latest release? No. As a cloud service it is very important to maintain all subscribers on the most current release. This provides you the best features and most recent product enhancements.
Is there flexibility on the timing of an upgrade? Yes. When you are notified of a pending upgrade, you can request a delay or request a specific day or time to accommodate seasonal peaks in activity or other corporate requirements. Splunk makes a best effort to accommodate individual upgrade requests, but does not guarantee that each request can be honored. For more information about the Splunk Cloud Maintenance Policy, please refer to https://www.splunk.com/en_us/legal/splunk-cloud-service-maintenance-policy.html
How do I check the availability of my Splunk Cloud account? Splunk continuously monitors the status of each Splunk Cloud customer environment. In addition, you can track daily usage using the Monitoring Console. For more details, go here.
How do I configure SMTP so I can email a report? Splunk Cloud gives you the option to send outbound email by default.

Splunk Cloud Free Trial FAQ

Question Answer
What is the Splunk Cloud Free Trial? The Splunk Cloud Free Trial lets you try Splunk Cloud for 15 days so you can search, analyze, and visualize your own data or pre-populated data sets.
How do I get a Splunk Cloud Free Trial? Request a free trial on the Splunk Cloud Free Trial page.
Do I need to set up a Splunk.com account to use the Splunk Cloud Free Trial? Yes. You can create a Splunk.com account on the Splunk Cloud Free Trial page.
How many Splunk Cloud Free Trials can I try? You may try up to three 15-day trials per account.
What is the Splunk Tour app in the Splunk Cloud Free Trial? The Splunk Tour app is a tutorial designed to help you use the search functionality and create reports. It uses a data generator, so you do not need to add your own data to start using this app.
Can I send my own data to the Splunk Cloud Free Trial? Yes. You may upload your own data to your Splunk Cloud Free Trial. The maximum upload limit for a single file is 500MB. You must have the rights, licenses, and authorization to any data that you upload. Do not include any type of legally-protected data or data that is meant for internal use only. If you do not want to add new data, you can use the sample data found in the "_demo" index.
Is my data encrypted when using Splunk Cloud Free Trial? When using Splunk Cloud Free Trial, your data is encrypted by default. If you transition to a paid plan up to 20GB, encryption is included in the standard configuration.
What is the indexing volume limit for my Splunk Cloud Free Trial? The maximum indexing volume is 5GB per day with a maximum of 55GB data retention. After your Splunk Cloud Free Trial reaches 55GB of data, if you continue to index new data, the oldest data in the trial instance is deleted. It never contains more than 55GB.
How do I search for the sample data in my Splunk Cloud Free Trial? You can use the sample data found in the "_demo" index. To search for the sample data, include the specifier index=_demo in your search string.
If I am using my Splunk.com user login to access my instance, how do I invite a collaborator? To invite a user, go to the Instance Page in the Customer Portal and click the "Add User" button.
If I am using my Splunk.com user login to access my instance, how do I assign a role? To assign a role to a new user, go to the Instance Page in the Customer Portal and assign the role by typing the role name into the role field.
If I am using my Splunk.com user login to access my instance, how do I create a custom role? For information on creating custom roles, see Manage Splunk Cloud users and roles in the Splunk Cloud User Manual.
How do I get help with my Splunk Cloud Free Trial? The Splunk Cloud Free Trial has community-level support. If you experience issues with your Splunk Cloud Free Trial, complete the form here. Alternatively, you can search or post your questions to Splunk Answers.
What happens to my data when the Splunk Cloud Free Trial expires after 15 days? When your Splunk Cloud Free Trial expires, the instance is deleted along with the data. You can, however, transition from the free trial to a paid account at any time prior to the expiration date by clicking on the "Upgrade" link from your Instance Page on the Customer Portal.
Can I automatically transition from the Splunk Cloud Free Trial to a paid account at any time during the trial? Yes. To continue using your Splunk Cloud instance, you can upgrade your instance up to 20GB daily indexing volume by clicking on the "Upgrade" link from the Instance Page in the Customer Portal. To purchase a larger plan, please email sales@splunk.com.
Is my self-service Splunk Cloud SOC 2 and ISO 27001 compliant? Self-service Splunk Cloud will no longer be SOC 2 and ISO 27001 compliant as of December 14, 2018.
Last modified on 29 January, 2020

This documentation applies to the following versions of Splunk Cloud: 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2001
