Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Connectivity issues while onboarding the data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forwarding data from forwarder to indexer where there is no connectivity . what does this connectivity mean . And to solve that we are planning to use syslog along with Heavy forwarder at each network to index the data to Splunk cloud . Please suggest if its fesable and any one implemenet please help to get the flow.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not really clear on what is meant by "where there is no connectivity . what does this connectivity mean"
If your forwarder cannot connect to your indexers, it will not be able to send events to it.
Let me describe what we have configured, which I believe is similar:
On-prem systems send syslog to the syslog process on an on-prem HF
The syslog process on the HF writes the events log files.
The Splunk process on the HF monitors [monitor:///var/syslog/...] the syslog files
The HF then forwards the data to the indexing tier.
(We also use PCS clustering to provide HA syslog service, since Syslog is not very resilient).
The indexing tier can be in the cloud or on-prem, the heavy forwarders would just need connectivity to the indexers.
You can even send from multiple HFs -> Centralized HFs -> Cloud indexers if you want to reduce the openings to the cloud.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not really clear on what is meant by "where there is no connectivity . what does this connectivity mean"
If your forwarder cannot connect to your indexers, it will not be able to send events to it.
Let me describe what we have configured, which I believe is similar:
On-prem systems send syslog to the syslog process on an on-prem HF
The syslog process on the HF writes the events log files.
The Splunk process on the HF monitors [monitor:///var/syslog/...] the syslog files
The HF then forwards the data to the indexing tier.
(We also use PCS clustering to provide HA syslog service, since Syslog is not very resilient).
The indexing tier can be in the cloud or on-prem, the heavy forwarders would just need connectivity to the indexers.
You can even send from multiple HFs -> Centralized HFs -> Cloud indexers if you want to reduce the openings to the cloud.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
Data Management Digest – May 2026
