<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How to forward to Splunk cloud from AWS and on prem? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-forward-to-Splunk-cloud-from-AWS-and-on-prem/m-p/425513#M74579</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;Our setup is as follows:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Managed Splunk Cloud instance&lt;/LI&gt;
&lt;LI&gt;Heavy Forwarder (on-prem)&lt;/LI&gt;
&lt;LI&gt;Syslog server (on-prem)&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Our on-prem servers have universal forwarders on them and forward to the HF, which then sends to Splunk Cloud.&lt;/P&gt;
&lt;P&gt;We are starting to spin up EC2 instances in AWS and want to do the same monitoring, so UF installed on the instance and forwarding to Splunk Cloud.&lt;/P&gt;
&lt;P&gt;My question is how do we do this?&lt;BR /&gt;It seems a bit daft to send our logs back to our on-premises HF to then send to the cloud.&lt;/P&gt;
&lt;P&gt;So should we create a HF in our AWS VPC and point all our EC2 instances towards that?&lt;/P&gt;
&lt;P&gt;How has everyone else tackled this issue?&lt;/P&gt;
&lt;P&gt;Cheers,&lt;BR /&gt;Fraser&lt;/P&gt;</description>
    <pubDate>Fri, 12 Aug 2022 14:59:02 GMT</pubDate>
    <dc:creator>FraserC1</dc:creator>
    <dc:date>2022-08-12T14:59:02Z</dc:date>
    <item>
      <title>How to forward to Splunk cloud from AWS and on prem?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-forward-to-Splunk-cloud-from-AWS-and-on-prem/m-p/425513#M74579</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;Our setup is as follows:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Managed Splunk Cloud instance&lt;/LI&gt;
&lt;LI&gt;Heavy Forwarder (on-prem)&lt;/LI&gt;
&lt;LI&gt;Syslog server (on-prem)&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Our on-prem servers have universal forwarders on them and forward to the HF, which then sends to Splunk Cloud.&lt;/P&gt;
&lt;P&gt;We are starting to spin up EC2 instances in AWS and want to do the same monitoring, so UF installed on the instance and forwarding to Splunk Cloud.&lt;/P&gt;
&lt;P&gt;My question is how do we do this?&lt;BR /&gt;It seems a bit daft to send our logs back to our on-premises HF to then send to the cloud.&lt;/P&gt;
&lt;P&gt;So should we create a HF in our AWS VPC and point all our EC2 instances towards that?&lt;/P&gt;
&lt;P&gt;How has everyone else tackled this issue?&lt;/P&gt;
&lt;P&gt;Cheers,&lt;BR /&gt;Fraser&lt;/P&gt;</description>
      <pubDate>Fri, 12 Aug 2022 14:59:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-forward-to-Splunk-cloud-from-AWS-and-on-prem/m-p/425513#M74579</guid>
      <dc:creator>FraserC1</dc:creator>
      <dc:date>2022-08-12T14:59:02Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarding to Splunk cloud from AWS and on prem</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-forward-to-Splunk-cloud-from-AWS-and-on-prem/m-p/425514#M74580</link>
      <description>&lt;P&gt;You should be able to set up a UF in AWS the same way you did for your on-prem HF. It doesn't matter if it's UF or HF as the outputs.conf settings are the same. You will, however, need to check your AWS security groups to make sure the UF is allowed to connect to Splunk Cloud.&lt;/P&gt;

&lt;P&gt;As an aside, are you sure you need the intermediate HF in your on-prem space?  It's a bottleneck, single point of failure, and impairs performance.&lt;/P&gt;</description>
      <pubDate>Fri, 02 Aug 2019 13:28:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-forward-to-Splunk-cloud-from-AWS-and-on-prem/m-p/425514#M74580</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2019-08-02T13:28:59Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarding to Splunk cloud from AWS and on prem</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-forward-to-Splunk-cloud-from-AWS-and-on-prem/m-p/425515#M74581</link>
      <description>&lt;P&gt;Okay I was thinking we can just use a UF instead.&lt;/P&gt;

&lt;P&gt;I agree about the bottleneck and single point of failure but we were told it is best practice to point towards an HF before sending to the cloud.&lt;BR /&gt;
It is also where all our SaaS add-ons are configured so we do need it in some capacity.&lt;/P&gt;</description>
      <pubDate>Fri, 02 Aug 2019 13:50:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-forward-to-Splunk-cloud-from-AWS-and-on-prem/m-p/425515#M74581</guid>
      <dc:creator>FraserC1</dc:creator>
      <dc:date>2019-08-02T13:50:23Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarding to Splunk cloud from AWS and on prem</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-forward-to-Splunk-cloud-from-AWS-and-on-prem/m-p/425516#M74582</link>
      <description>&lt;P&gt;Hi @FraserC1 &lt;/P&gt;

&lt;P&gt;Option 1:&lt;BR /&gt;
If you want to use UF then you can directly send data to Splunk cloud, but the UF will not parse the data, as it will only forward the data to the Splunk Cloud indexer. For that, you just have to put the config in outputs.conf of the UF; in this case parsing and indexing will be done by the Splunk Cloud indexer.&lt;/P&gt;

&lt;P&gt;Option 2:&lt;BR /&gt;
If you will use HF only then it will be a better option, as it will parse the data and send it to Splunk Cloud for indexing. In this case we don't have to use a UF, and need to put the same config in outputs.conf as per Option 1.&lt;/P&gt;</description>
      <pubDate>Tue, 13 Aug 2019 10:34:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-forward-to-Splunk-cloud-from-AWS-and-on-prem/m-p/425516#M74582</guid>
      <dc:creator>dhihoriya_splun</dc:creator>
      <dc:date>2019-08-13T10:34:32Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarding to Splunk cloud from AWS and on prem</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-forward-to-Splunk-cloud-from-AWS-and-on-prem/m-p/609252#M105647</link>
      <description>&lt;P&gt;For Option # 1 "If you want to use UF then you can directly send data to Splunk cloud ...", what config exactly do we need to put in the outputs.conf of the UF to make it fwd to the Cloud instance? All we have is the URL/hostname of the managed Search head instance. Are you saying we need to put this hostname in the outputs.conf and Splunk will do the rest, as in sending the data from SH to its indexer tier?&lt;/P&gt;</description>
      <pubDate>Fri, 12 Aug 2022 06:53:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-forward-to-Splunk-cloud-from-AWS-and-on-prem/m-p/609252#M105647</guid>
      <dc:creator>neerajs_81</dc:creator>
      <dc:date>2022-08-12T06:53:56Z</dc:date>
    </item>
  </channel>
</rss>

