Extract information from an index by consuming the...

JoseLuisZM · ‎01-14-2025

Hi team

Is there a way to connect the splunk cloud platform with splunk on-prem, this to send a specific index to splunk on-prem?

Since the client does not allow modifications to the universal forwarder agents.

Regards

PickleRick · ‎01-14-2025

You can use the API to perform normal searches. Theoretically, you could retrieve indexed events and reingest them on the receiving side. But that is far far from convenient and can cause loads of problems.

JoseLuisZM · ‎01-14-2025

And if the client does not accept any type of configuration, is it possible to extract the information or events using Splunk's APIs?

isoutamo · ‎01-14-2025

I cannot see an option how this can do without any configuration on onprem side.

Usually clients approve some configuration changes if they really want this and when those options have explained to them.

isoutamo · ‎01-14-2025

If needed you could add suitable props.conf + transforms.conf on indexers or if you have intermediate HF before on prem indexers to do this. I said that better to have separate HFs before indexers and if possible use those only with those UFs which contains data for this index.

Currently you could also use federated search to search those events on SCP even those are stored in on prem.
Based on your use case you could chose between those options.

Extract information from an index by consuming the Rest API

administration

configuration

development

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform