Extract information from an index by consuming the...

JoseLuisZM

Hi team

Is there a way to connect the splunk cloud platform with splunk on-prem, this to send a specific index to splunk on-prem?

Since the client does not allow modifications to the universal forwarder agents.

Regards

PickleRick

You can use the API to perform normal searches. Theoretically, you could retrieve indexed events and reingest them on the receiving side. But that is far far from convenient and can cause loads of problems.

JoseLuisZM

And if the client does not accept any type of configuration, is it possible to extract the information or events using Splunk's APIs?

isoutamo

I cannot see an option how this can do without any configuration on onprem side.

Usually clients approve some configuration changes if they really want this and when those options have explained to them.

isoutamo

If needed you could add suitable props.conf + transforms.conf on indexers or if you have intermediate HF before on prem indexers to do this. I said that better to have separate HFs before indexers and if possible use those only with those UFs which contains data for this index.

Currently you could also use federated search to search those events on SCP even those are stored in on prem.
Based on your use case you could chose between those options.

Extract information from an index by consuming the Rest API

administration

configuration

development

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector