Hi
Can someone help me with the following questions?
1) My current setup is on-premise and I plan to migrate to Splunk Cloud. What things should I know? I don't want historical data to be transferred to the cloud.
2) Suppose I have 1000 UFs and 5 syslog servers; how should I be sending this data?
3) Should I install the Splunk credentials package on all of these 1000 + 5 machines, or should I deploy a HF first and then send it to Splunk Cloud?
4) Is there any encryption and compression of data that I have to do before sending to the cloud, or is it taken care of by Splunk?
1) is a giant question. 🙂 The shortest story here is probably to understand the Admin differences - what you will no longer be able to do yourself and will need a ticket for. The second is to understand the licensing and billing you will be using and how that may affect things. A lot of that is covered in the Splunk Cloud Platform Migration Success Guide.
2 and 3 both) It's generally best to send from the UFs direct to cloud, that way all your indexers will equally participate in receiving the data. Ditto with your syslog servers - they already have a UF/HF on them, I'd suspect, to grab the data sent in by syslog and send it into your on-prem instance so you just need to reconfigure those to forward data to your cloud instance instead of on-prem instance. In your cloud instance you'll find an app called the (or some variation of) Splunk universal forwarder credentials package. Click that and it has instructions and a little app to install on your forwarders to teach them how to talk to your cloud instance.
You could send your syslog directly into cloud too, using the SC4S app from Splunk.
4) I believe Splunk Cloud only accepts encrypted streams (https) so the encryption is enforced by the Splunk universal forwarder credentials package you can download from your cloud instance to set up your forwarders. Compression is not necessary.
I hope that helps!
-Rich
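The two practical points in the answer above are that each forwarder's outputs.conf gets repointed from the on-prem indexers to the cloud receivers, and that the credentials package turns on TLS for that output. With 1000 UFs it is worth having a check that confirms both before cutover. The script below is an added example and is not Rich's code or Splunk's; it audits an outputs.conf text for a default output group that targets only cloud receivers, carries a client certificate and verifies the server certificate. The `server`, `clientCert` and `sslVerifyServerCert` keys are standard outputs.conf settings; the hostnames, the app directory name and the `.splunkcloud.com` suffix check are placeholders and assumptions, not values from the page.

```python
"""Audit a Universal Forwarder outputs.conf for a Splunk Cloud migration.

Added example. Flags output groups that still point at on-prem indexers
and a default group that forwards without a client cert or without
server certificate verification. All hostnames are constructed placeholders.
"""
import configparser
from typing import List

# Assumption: cloud receivers live under this hostname suffix (placeholder).
CLOUD_SUFFIX = ".splunkcloud.com"

# Constructed sample: a UF still configured for the on-prem indexers, plaintext.
BEFORE_ONPREM = """
[tcpout]
defaultGroup = onprem_indexers

[tcpout:onprem_indexers]
server = idx1.corp.example:9997, idx2.corp.example:9997
"""

# Constructed sample: what the credentials package leaves behind (placeholder
# stack name and app directory; real values come from your own cloud instance).
AFTER_CLOUD_TLS = """
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs1.example-stack.splunkcloud.com:9997, inputs2.example-stack.splunkcloud.com:9997
clientCert = $SPLUNK_HOME/etc/apps/100_example_splunkcloud/default/example_server.pem
sslVerifyServerCert = true
"""


def parse_outputs_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's ini-style conf; keep key case, no $VAR interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive
    cp.read_string(text)
    return cp


def audit_outputs(text: str) -> List[str]:
    """Return a list of findings; an empty list means the UF looks cloud-ready."""
    cp = parse_outputs_conf(text)
    findings: List[str] = []
    default_group = cp.get("tcpout", "defaultGroup", fallback=None)
    if default_group is None:
        findings.append("tcpout: no defaultGroup set")

    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue
        group = section.split(":", 1)[1]
        raw = cp.get(section, "server", fallback="")
        servers = [s.strip() for s in raw.split(",") if s.strip()]
        if not servers:
            findings.append(f"{group}: no server list")
            continue

        # Any receiver outside the cloud suffix is a leftover on-prem target.
        non_cloud = [s for s in servers if not s.split(":")[0].endswith(CLOUD_SUFFIX)]
        if non_cloud:
            findings.append(f"{group}: still targets non-cloud receiver(s) {non_cloud}")

        # The group the UF actually uses must be the TLS-configured one.
        if group == default_group:
            if not cp.get(section, "clientCert", fallback=""):
                findings.append(f"{group}: no clientCert (plaintext forwarding)")
            if cp.get(section, "sslVerifyServerCert", fallback="false").lower() != "true":
                findings.append(f"{group}: sslVerifyServerCert is not true")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE_ONPREM), ("after", AFTER_CLOUD_TLS)):
        print(f"== {label} ==")
        for finding in audit_outputs(conf) or ["OK"]:
            print(" ", finding)
```

Run it against the real file with `audit_outputs(open("/opt/splunkforwarder/etc/system/local/outputs.conf").read())`, or push it through your deployment server as a scripted check; a UF that still lists an on-prem group, or whose default group lacks the certificate settings, is one that was missed during the repoint.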