Hi Team,
What would be the best way to send logs of apps and add-ons installed on on-prem HF and SH to the cloud environment?
If you don’t need to send those to on-prem too, then just add the SCP UF package to those and all logs will be sent to SCP only.
If you need those in both environments, then you must add that UF and additional transforms or inputs.conf where you define which logs go to SCP, which to on-prem, and which to both. But remember that sending those to both means double license usage.
Hi @Hemant_h
The SH should be relatively simple: if you want to send the data from your SH to Cloud, then you will just need to install the Universal Forwarder app, which you can download from your Splunk Cloud instance, onto the SH. However, if the SH is already sending its internal logs elsewhere (e.g. internal Indexers), then this change will likely overwrite this setup; you will need to update your outputs.conf to set the [tcpout]/defaultGroup value to a comma-delimited list of your existing output group and the new Splunk Cloud output group.
The same likely applies to your HF - is your HF not currently sending to Splunk Cloud? If it sends elsewhere and you need to maintain this then you will also need to apply the changes to defaultGroup in addition to installing the forwarder app from your Splunk Cloud environment.
For more info check out https://docs.splunk.com/Documentation/Forwarder/9.4.1/Forwarder/Configureforwardingwithoutputs.conf
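An added example, not written by any poster in this thread, of the dual-destination setup the answers describe: `defaultGroup` listing both output groups, plus a per-input `_TCP_ROUTING` override for data that should go to only one destination. The group names `onprem_indexers` and `splunkcloud_group`, the indexer hostnames, and the monitored path are placeholders; the real Splunk Cloud group name is whatever the forwarder app downloaded from your Splunk Cloud instance defines in its own outputs.conf.

```ini
# ---- outputs.conf (local app on the SH or HF) ----
[tcpout]
# Comma-delimited list: events are cloned to every group named here.
# As noted in the thread, data sent to both destinations is licensed twice.
defaultGroup = onprem_indexers, splunkcloud_group

# Existing on-prem output group (placeholder hosts).
[tcpout:onprem_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997

# [tcpout:splunkcloud_group] is NOT redefined here. Its stanza (servers and
# TLS settings) ships in the forwarder app from Splunk Cloud; copy the exact
# group name from that app's outputs.conf into defaultGroup above.

# ---- inputs.conf (same instance) ----
# Per-input routing overrides defaultGroup for this input only.
# Hypothetical app log that should reach Splunk Cloud but not on-prem:
[monitor:///var/log/myapp/app.log]
_TCP_ROUTING = splunkcloud_group
```

After restarting the instance, `splunk btool outputs list tcpout --debug` shows the merged result and which app each setting came from, which confirms that the Cloud app did not replace the existing `defaultGroup`.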