
You have fewer options on the Splunk Cloud search head to send data:
So you have to switch to forwarders to retrieve the data, then forward it to the Splunk Cloud indexers.
The main reason is that you are sending your data over the internet, so YOU WANT ENCRYPTION.
Recommended method: Use a forwarder
- Set up a forwarder on your server (Universal, or lightweight, or heavyweight or indexer) to collect the events.
- Configure the forwarder to send the data to the Splunk Cloud deployment, using the forwarder credential app provided. The forwarder package is in the welcome email, or downloadable on the search app in the "Universal Forwarder" app page. http://docs.splunk.com/Documentation/SplunkCloud/latest/User/GetstartedwithSplunkCloud
The inputs that you can set up on the forwarder can be anything:
- splunktcp or splunktcp-ssl from other forwarders
- monitoring local files, or monitors on Windows logs
- scripts (beware: the Universal forwarder does not have Python)
- network inputs: TCP / UDP
- API inputs
- Any apps collecting logs: dbconnect (with dbmon-dump, or dbmon-tail), AWS app, etc.
Remarks:
- The advantage is that the forwarder is in your network, so you have full control, and can use a deployment-server to manage them.
- If you want to parse and filter your events, you can use a heavy forwarder.
- If you have component apps to parse the events at index time, make sure to request the proper apps to be deployed on the cloud indexers.
As an alternative, the only inputs on the cloud search head are:
- upload a file (up to 100Mb)
- apps doing remote queries (dbconnect), it requires ports to be open (reach support)
- API inputs if the API port has been opened (reach support)
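
An added example, not part of the original answer and not Splunk's own code: a small check that a forwarder's effective outputs.conf really sends over TLS, which is the point of the encryption remark above. It assumes the `useSSL`, `clientCert`, `sslCertPath` and `sslVerifyServerCert` settings and their defaults as documented in Splunk's outputs.conf spec; the sample configuration, hosts and app path are constructed placeholders.

```python
import configparser

# Constructed sample of a forwarder's merged outputs.conf (for example the
# output of `splunk btool outputs list`); hosts and paths are placeholders.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = cloud

[tcpout:cloud]
server = inputs.example.splunkcloud.com:9997
clientCert = $SPLUNK_HOME/etc/apps/example_creds_app/default/client.pem
sslVerifyServerCert = true

[tcpout:legacy_cleartext]
server = 203.0.113.10:9997

[tcpout:tls_no_verify]
server = 203.0.113.11:9997
useSSL = true
"""

TRUE_VALUES = {"1", "true", "yes", "t", "y"}


def audit_outputs(conf_text):
    """Return {group: [findings]} for every [tcpout:<group>] stanza."""
    cp = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False,
        default_section="__none__")
    cp.optionxform = str          # Splunk setting names are case-sensitive
    cp.read_string(conf_text)
    inherited = dict(cp["tcpout"]) if cp.has_section("tcpout") else {}
    report = {}
    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue
        cfg = {**inherited, **cp[section]}   # group settings override [tcpout]
        use_ssl = cfg.get("useSSL", "legacy").strip().lower()
        has_cert = bool(cfg.get("clientCert") or cfg.get("sslCertPath"))
        # Assumption: "legacy" (the default) means TLS only if a client cert is set.
        tls_on = use_ssl in TRUE_VALUES or (use_ssl == "legacy" and has_cert)
        findings = []
        if not tls_on:
            findings.append("cleartext: no TLS configured for this group")
        elif cfg.get("sslVerifyServerCert", "false").strip().lower() not in TRUE_VALUES:
            findings.append("TLS without server certificate verification")
        report[section.split(":", 1)[1]] = findings
    return report
```

Calling `audit_outputs(SAMPLE_OUTPUTS_CONF)` returns an empty findings list for the group that uses the credential app's certificate and one finding for each of the two weaker groups.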
