In a typical splunk cloud environment do logs get forwarded from onprem directly to the cloud indexer or is best practice to have some type of collector such as a heavy forwarder onprem which will collect and forward to the cloud indexer?
Best Practice is to forward events directly to Splunk Cloud. Intermediate forwarders can become a choke point, add a point of failure, add complexity, and are more to manage.
Best Practice is to forward events directly to Splunk Cloud. Intermediate forwarders can become a choke point, add a point of failure, add complexity, and are more to manage.
Richgalloway,
Can you think of a use case (or is it even possible) for splunk cloud to query a heavy forwarder that is onprem?
Forwards (universal or heavy) are never queried. It's possible to send REST requests to a forwarder, but it's a good practice to disable the management port on forwarders to reduce the attack surface.
makes sense now. thanks rich galloway