Getting Data In

What are the steps of ingesting data into Splunk cloud?


Can someone walk me through the steps of ingesting data into Splunk Cloud? I have read the documentation but it gets confusing.



It totally depends on the log source you are dealing with.

Windows/Linux: Install UF, add Splunk Cloud Credential File. Edit inputs.conf file if you want to change the Index.

Firewall Logs: If you have a Syslog server in place, install a UF on it and redirect the logs from the Syslog folder to it. If you do not have a Syslog server, you can use a Heavy Forwarder configured as a Syslog Receiver.

Cloud-Based:  Check for supported apps. Most of them support API based integration, which is easy to do. Each app includes the steps to follow.

Let me know if you have any specific devices in question. I am no expert, but will definitely try to help you out.



Each data source is different, but I noticed you tagged this for Windows so I'll post this guide:

Essentially you login to the Splunk Cloud Search Head, download the Universal Forwarder app and you distribute that app to the /opt/splunkforwarder/etc/apps/ directory of the machines you want to send data to the Cloud.

Depending on your needs and network architecture, it could get more complicated, but that is the simple version.

So each Windows Server would need a Splunk UF (Universal Forwarder) and the Splunk Cloud UF app/TA/add-on (TA stands for Technical Add-on) to be able to send and collect data.

Each data source also needs a configuration telling it what data to collect.
This is often achieved by using a Splunk TA aka add-on on Splunkbase:

You can download the Splunk UF here:

For larger environments, the UF and required addons are usually distributed via a Splunk Deployment Server.
Also, often data is sent through one or more Forwarders before Cloud to minimize firewall rules, or depending on your network architecture needs.

All data sources need to be able to send data via tcp/9997 to Splunk Cloud.

So the breakdown of steps is:

  1. Create an index on Splunk Cloud to receive your data
  2. Download the Cloud TA (called Cloud Universal Forwarder) from Splunk Cloud Search Head
  3. Install a UF and the Cloud TA onto your data source
    1. The Cloud TA needs to be untar'd to /opt/splunkforwarder/etc/apps/
    2. Or it can be distributed via Splunk Deployment Server
  4. Install one or more add-ons aka TAs to /opt/splunkforwarder/etc/apps/
  5. Configure and enable one or more 'inputs' or data to send by editing the inputs.conf within each TA/add-on
    1. There is usually a template inputs.conf in the default folder of each add-on.
    2. Create a /local folder (same level as /default) in each TA and copy that inputs.conf in there
    3. Edit it and enable one or more inputs to send data to Splunk

There actually is an 'outputs.conf' but the Splunk Cloud TA/UF handles that to securely send to Splunk Cloud.
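The steps above (create local/ beside default/, copy the template inputs.conf, enable the stanzas you need, verify with btool and the forwarder status) as a runnable script. This is example code added for this page, not Splunk's own tooling: the add-on directory is built from a constructed template, and the index name `wineventlog`, the stanza names and `/opt/splunkforwarder` are assumptions (on a Windows host the UF lives under `C:\Program Files\SplunkUniversalForwarder` and the same `etc\apps\<add-on>\local\inputs.conf` layout applies).

```shell
#!/bin/sh
# Stage an add-on's inputs.conf on a Universal Forwarder: copy default/inputs.conf
# to local/, enable the wanted stanzas and pin them to an index. Example code
# written for this page, not Splunk's own tooling; the index name, stanza names
# and paths are assumptions.
set -eu

# enable_inputs APPDIR INDEX STANZA...
# Creates APPDIR/local/inputs.conf from APPDIR/default/inputs.conf (only if
# local/inputs.conf does not already exist, so re-runs keep earlier local
# edits), then for each STANZA sets "disabled = 0" and "index = INDEX",
# appending the stanza if the default template does not contain it.
enable_inputs() {
    appdir=$1; index=$2; shift 2
    mkdir -p "$appdir/local"
    [ -f "$appdir/local/inputs.conf" ] ||
        cp "$appdir/default/inputs.conf" "$appdir/local/inputs.conf"
    for stanza in "$@"; do
        awk -v want="[$stanza]" -v idx="$index" '
            function close_stanza() {
                if (in_target) {
                    if (!saw_disabled) print "disabled = 0"
                    if (!saw_index)    print "index = " idx
                }
                in_target = 0
            }
            /^\[/ {
                close_stanza()
                in_target = ($0 == want); if (in_target) found = 1
                saw_disabled = saw_index = 0
                print; next
            }
            in_target && /^[ \t]*disabled[ \t]*=/ { print "disabled = 0"; saw_disabled = 1; next }
            in_target && /^[ \t]*index[ \t]*=/    { print "index = " idx;  saw_index = 1;    next }
            { print }
            END {
                close_stanza()
                if (!found) { print ""; print want; print "disabled = 0"; print "index = " idx }
            }
        ' "$appdir/local/inputs.conf" > "$appdir/local/inputs.conf.new"
        mv "$appdir/local/inputs.conf.new" "$appdir/local/inputs.conf"
    done
}

# get_setting APPDIR STANZA KEY: read one value back from local/inputs.conf
# (local wins over default, so this is what the UF will actually use).
get_setting() {
    awk -v want="[$2]" -v key="$3" '
        /^\[/ { in_target = ($0 == want); next }
        in_target && split($0, kv, /[ \t]*=[ \t]*/) == 2 && kv[1] == key { print kv[2]; exit }
    ' "$1/local/inputs.conf"
}

# verify_forwarding [UFHOME]: on a host with a UF installed, show the merged
# inputs (btool) and the configured forward-servers; otherwise say so.
verify_forwarding() {
    uf=${1:-/opt/splunkforwarder}
    if [ -x "$uf/bin/splunk" ]; then
        "$uf/bin/splunk" btool inputs list --debug
        "$uf/bin/splunk" list forward-server
    else
        echo "no UF at $uf; skipping btool and forward-server checks"
    fi
}

# demo_appdir: a throwaway add-on directory with a constructed default/inputs.conf
# standing in for the template an add-on ships; prints the directory path.
demo_appdir() {
    d=$(mktemp -d)
    mkdir -p "$d/default"
    cat > "$d/default/inputs.conf" <<'EOF'
[WinEventLog://Application]
disabled = 1

[WinEventLog://Security]
disabled = 1
start_from = oldest
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: enable Security (present in the template) and System
# (absent, so it is appended), then print the resulting local/inputs.conf.
app=$(demo_appdir)
enable_inputs "$app" wineventlog "WinEventLog://Security" "WinEventLog://System"
cat "$app/local/inputs.conf"
verify_forwarding
```

Application stays `disabled = 1` because it was not named, which is the point of editing a copy in local/ rather than the default file: default/ is overwritten on the next add-on upgrade, local/ is not. After a real deployment, `splunk btool inputs list --debug` shows which file each effective setting came from, and `splunk list forward-server` confirms the Cloud endpoint from the Cloud TA's outputs.conf is active.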



Given there is a fair amount of documentation on the topic, it's not reasonable to expect full coverage of it here.  Specific questions are more likely to get helpful answers.

There are many ways to get data into Splunk Cloud and which one to use will depend on the data source, your Splunk Cloud "experience", and other factors. Tell us more about what data you want to ingest and we should be able to offer some tips on how to do it.

If this reply helps you, Karma would be appreciated.



Windows logs



With windows you typically set up a Universal Forwarder on monitored machine(s), define inputs for the event logs you want to pull, point your output to your cloud instance and that's pretty much it.

With the "network/firewall" whatever that means it can be more complicated. I assume that you'll be getting events from those devices by means of syslog. So you need something to listen for syslog events and write them to Splunk. Might be a simple Universal Forwarder (but using raw tcp/udp inputs on a UF in a production environment is not the best idea), might be an SC4S instance, might be rsyslog or whatever you want. There are many different ways to handle syslog.

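The rsyslog variant of the syslog tier described in the reply above, as an added example that is not part of the original post: rsyslog listens on 514, writes one file per sending device, and a Universal Forwarder on the same host monitors that tree with `host_segment` so each event carries the device's hostname instead of the syslog server's. The directory `/var/log/remote`, the index `network`, the sourcetype and the port are assumptions; SC4S is the supported alternative if you would rather not maintain this yourself.

```shell
#!/bin/sh
# Syslog collection tier: rsyslog files each remote sender under its own
# hostname directory and a UF monitors that tree. Example code written for this
# page, not Splunk's or rsyslog's own; directory, port, index and sourcetype
# are assumptions.
set -eu

SYSLOG_ROOT=/var/log/remote

# write_rsyslog_conf FILE: RainerScript config that accepts UDP and TCP syslog,
# writes remote traffic to per-host files and stops it reaching the local
# /var/log/messages.
write_rsyslog_conf() {
    cat > "$1" <<EOF
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514")
input(type="imtcp" port="514")

template(name="PerHostFile" type="string"
         string="$SYSLOG_ROOT/%HOSTNAME%/syslog.log")

if \$fromhost-ip != '127.0.0.1' then {
    action(type="omfile" dynaFile="PerHostFile"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}
EOF
}

# write_uf_inputs FILE INDEX: the UF monitor stanza for that tree. host_segment
# counts path components from 1, so /var/log/remote/<host>/syslog.log gives 4.
write_uf_inputs() {
    cat > "$1" <<EOF
[monitor://$SYSLOG_ROOT/*/syslog.log]
sourcetype = syslog
index = $2
host_segment = 4
disabled = 0
EOF
}

# host_from_path PATH SEGMENT: the host value Splunk derives for a file when
# host_segment = SEGMENT, to sanity-check the number before deploying.
host_from_path() {
    printf '%s\n' "$1" | cut -d/ -f$(( $2 + 1 ))
}

# check_rsyslog_conf FILE: syntax-check the config with rsyslogd if installed.
check_rsyslog_conf() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not installed here; skipping syntax check of $1"
    fi
}

# Stand-alone run into a scratch directory (on a real host: /etc/rsyslog.d/ and
# the UF's etc/apps/<your_app>/local/inputs.conf).
out=$(mktemp -d)
write_rsyslog_conf "$out/10-remote.conf"
write_uf_inputs "$out/inputs.conf" network
check_rsyslog_conf "$out/10-remote.conf" || echo "rsyslogd rejected $out/10-remote.conf"
echo "host for /var/log/remote/fw01/syslog.log: $(host_from_path /var/log/remote/fw01/syslog.log 4)"
```

`%HOSTNAME%` comes from the syslog header the device sends, so it is untrusted input: restrict which sources can reach 514 with a host firewall, and size the per-host directory tree for rotation. With this layout the UF never opens a network port itself, which is why it is preferable to raw tcp/udp inputs on the forwarder.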