Splunk Hybrid Cloud Architecture

Glasses2
Communicator

Hello,

I am scoping out a cloud migration from a distributed on-prem Splunk Enterprise deployment to a Hybrid Splunk Cloud deployment.

I estimate approximately 1000+ UFs will be sending to the Cloud indexers. I assume I will need an on-prem (self-managed) Deployment Server at a minimum. Any other suggested hosts needed?

Currently, I have Cribl Stream receiving syslog and sending HTTP events to the HEC receivers on my Indexer Cluster. I am planning to switch over to Edge Processor for syslog, and send directly to the Cloud indexers. And I plan to deploy a host for each Edge Processor node located near the data source. Is this problematic?

All my Add-ons/Apps are Cloud ready. I am planning to use a HF for a few scripted inputs (from custom apps that collect data).

Am I missing any other necessary on-prem / self-managed hosts?
Is Edge Processor a bad choice to collect syslog? I am hearing SC4S is superior, however the last time I used it, there was no support. Cribl Stream is working fine, wondering if Edge Processor will perform the same?

All advice appreciated. I have been reaching out to my sales rep for a meeting with the Splunk Cloud Engineers for advice, but not receiving any definitive answers.

Please advise.

0 Karma

livehybrid
SplunkTrust

Hi @Glasses2 

For syslog I would recommend reading through https://help.splunk.com/en/splunk-enterprise/splunk-validated-architectures/getting-data-in-forwardi... if you haven't already seen it - this lists out the supported architectures (the SVA pdf was last updated in 2021, this page was last updated in Feb 2026).

As you will see, Edge Processor is supported for syslog, along with SC4S however there are pros/cons of each configuration/architecture and it ultimately depends on your environment, scale, capabilities etc as to which would be most suited to your environment.

For your forwarders, a DS would be suitable to allow you to make changes to your UF easily. Depending on how many HF you plan to have you might want a License Manager also, although it sounds like you don't need many HF?

Each non-UF instance on-premises will need a license to enable all features. There is a free 0-byte license available at https://splunk.my.site.com/customer/s/article/0-byte-license-for-Deployment-Server-or-Heavy-Forwarde... which you can use for your DS/HF.


0 Karma
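As an added illustration of the DS-managed forwarder layout discussed in the thread (this is example configuration written for this page, not something posted by any participant or shipped by Splunk): a serverclass.conf on the self-managed Deployment Server that pushes the Splunk Cloud forwarder credentials app to every UF and the custom scripted-input apps only to the HF hosts, plus the deploymentclient.conf each forwarder needs to phone home. The app names, the `hf-*` host pattern and the DS hostname are placeholders; the real credentials app is the one downloaded from your Splunk Cloud stack and carries the generated outputs.conf (indexer list, TLS material, useACK).

```ini
# --- serverclass.conf on the on-prem Deployment Server (added example) ---
# Placeholders: SPLUNKCLOUD_CREDENTIALS_APP_PLACEHOLDER, custom_scripted_inputs_placeholder, hf-*

[global]
restartSplunkd = true

# Every forwarder except the HFs receives the Splunk Cloud credentials app,
# which holds the outputs.conf pointing at the Cloud indexers.
[serverClass:cloud_ufs]
whitelist.0 = *
blacklist.0 = hf-*

[serverClass:cloud_ufs:app:SPLUNKCLOUD_CREDENTIALS_APP_PLACEHOLDER]
restartSplunkd = true
stateOnClient = enabled

# Only the heavy forwarder hosts get the scripted-input apps; they also get
# the credentials app so their collected data lands in the same Cloud indexers.
[serverClass:heavy_forwarders]
whitelist.0 = hf-*

[serverClass:heavy_forwarders:app:SPLUNKCLOUD_CREDENTIALS_APP_PLACEHOLDER]
restartSplunkd = true
stateOnClient = enabled

[serverClass:heavy_forwarders:app:custom_scripted_inputs_placeholder]
restartSplunkd = true
stateOnClient = enabled

# --- deploymentclient.conf on each UF / HF (added example) ---
# Placeholder DS address; the DS listens on its management port (8089 by default).
[target-broker:deploymentServer]
targetUri = ds.example.internal:8089
```

Whitelist and blacklist entries match on the client name or hostname the forwarder reports, so the `hf-*` pattern assumes the HF hosts are named accordingly; if your naming is not that regular, a DS class can instead whitelist explicit hostnames. Keeping the credentials app DS-managed means rotating the Splunk Cloud forwarder certificates is a single app update rather than a touch of 1000+ hosts.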

kknairr
Communicator

@Glasses2 I would also plan similarly in your scenario, on the Edge Processor nodes, you can position them close to the data sources for enrichment and routing. This is acceptable, but generally for high-volume syslog ingestion, Splunk Connect for Syslog (SC4S) remains the recommended solution. Overall, UFs feeding Cloud indexers, DS for management, EP or SC4S for syslog, and HFs only where necessary. I would highly recommend you refer to Splunk's Validated Architecture documentation for definitive sizing and placement. Hope it helps.

Ref: Splunk Validated Architectures


Glasses2
Communicator

@kknairr 
Is there a specific hybrid cloud design in that doc? I am not finding it.

0 Karma

Glasses2
Communicator

Another concern I have is the cutover.

Is it possible to configure the on-prem SHC to search both the local on-prem indexed data as well as the new Splunk Cloud indexed data?

And is it possible to configure the Splunk Cloud SHC to search the cloud data and on-prem?

I was told you could do that with "transparent mode", if not is there a work-around?


0 Karma

richgalloway
SplunkTrust

It looks like you researched it well. I like your plan.

Yes, you will need an on-prem DS to manage your UFs unless you have a separate tool (like Ansible) for that.

Replacing Cribl with Edge Processor is worth looking into as it may save you some money. EP cannot yet do everything Cribl can, however. I agree with putting EP nodes close to the data sources.

I have not used EP for syslog so I can't comment on that. I found SC4S to be a good syslog solution, but it's been a few years since I've used it.


isoutamo
SplunkTrust

As said this seems to be a good plan.

I have one comment. If you have a working Cribl configuration for syslog, personally I wouldn't switch to EP! You need to remember that EP doesn't have any useACK-type configuration. Also, it doesn't (yet) have any mechanism to stop receiving events when its queues are about to fill up. This means it starts dropping events to make room for new ones. So you will lose events!

0 Karma

PickleRick
SplunkTrust

The useACK remark actually doesn't make much sense in a syslog context. You can't stop the source on the receiver's side, especially with UDP. But even with TCP, sources rarely queue anything. They usually just send or not, depending on whether there is connectivity, and then forget about the event entirely (with some notable exceptions like Checkpoint's Log Exporter).

0 Karma