Splunk Enterprise Security

Enterprise Security in hybrid (cloud + on premise) scenario



We are refining our Splunk hybrid (cloud + on-premise) architecture design and are looking for ideas and experience sharing in that particular area.

In summary:
- We have a clustered (indexers and SHs) Splunk infrastructure on-premises in our data center to centralize logs from on-premises computers and perform their security monitoring with Enterprise Security
- We are now starting to use the cloud (AWS now, and also Azure in the near future) for hosting some of our information systems and are defining the architecture for ingesting these log data in the cloud as well (e.g. CloudWatch to Firehose to ELB to several Splunk HFs in AWS)
- For indexing these cloud logs, one option we have is to also build a Splunk indexer cluster in AWS (and Azure later), but this won't allow our existing on-prem Enterprise Security SH cluster to access that data (from what we can read, hybrid search only supports one standalone on-prem search head, not a cluster, and premium apps like ES are explicitly not supported for hybrid search).
- Since hybrid search seems not possible, one alternative we have in mind is to forward log events from HFs in the cloud to our existing on-prem indexer cluster via our existing AWS Direct Connect lines, but we would like your feedback on feasibility, latency/performance, traffic costs, ...
- Another alternative is to build a full (indexers + ES SHs) clustered infra in the cloud (AWS, Azure), but this won't be as "user friendly" for our Splunk users (like the SOC team) as they will have to switch between 2 or 3 different Splunk installations. Also on the Splunk administration side, we will have to duplicate (or triplicate with Azure) many servers/configurations ...

Thanks in advance therefore if you can share your experience in these hybrid Splunk deployments, particularly in the context of having Enterprise Security used as the SIEM to monitor cloud and on-premise infrastructures.

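As an added illustration of the second option raised in the post above (cloud HFs forwarding over Direct Connect into the existing on-prem indexer cluster), here is the configuration that option needs on the three tiers involved. This is example configuration written for this page, not configuration from the original poster or from Splunk's documentation; host names, certificate paths, the discovery secret and the queue size are placeholders. It uses indexer discovery so the HFs in AWS follow peer additions and removals on the on-prem cluster without a redeploy, TLS with server-certificate verification so confidentiality does not depend on the Direct Connect path, and indexer acknowledgement so a WAN interruption costs a retransmit rather than lost events.

```ini
; ---- On the on-prem cluster manager: server.conf ----
; The secret here must match the one the HFs present in their
; [indexer_discovery:<name>] stanza (placeholder value).
[indexer_discovery]
pass4SymmKey = <shared-discovery-secret>

; ---- On each on-prem indexer: inputs.conf ----
; Accept forwarder traffic over TLS only and require a client certificate,
; so an unauthenticated host on the Direct Connect segment cannot inject events.
[splunktcp-ssl:9997]
serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
sslPassword = <cert-password>
requireClientCert = true

; ---- On each heavy forwarder in AWS: server.conf ----
; CA used to verify the indexers' server certificates (placeholder path).
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/mycerts/ca.pem

; ---- On each heavy forwarder in AWS: outputs.conf ----
; Ask the on-prem cluster manager for the current list of peers instead of
; hard-coding indexer addresses (placeholder host name).
[indexer_discovery:onprem]
pass4SymmKey = <shared-discovery-secret>
master_uri = https://cm.onprem.example.com:8089

[tcpout]
defaultGroup = onprem_indexers

[tcpout:onprem_indexers]
indexerDiscovery = onprem
; Client certificate presented to the indexers (placeholder path).
clientCert = /opt/splunk/etc/auth/mycerts/hf.pem
sslPassword = <cert-password>
; Verify the indexer certificate and pin the expected names (placeholders).
sslVerifyServerCert = true
sslCommonNameToCheck = idx01.onprem.example.com, idx02.onprem.example.com
; Indexer acknowledgement: the HF keeps events until the indexer confirms
; they were written, so a dropped WAN session does not lose data.
useACK = true
; TLS-level compression trades HF CPU for less Direct Connect egress.
useClientSSLCompression = true
; Buffer enough on the HF to ride out a short Direct Connect outage
; (placeholder size; size it from your measured ingest rate).
maxQueueSize = 500MB
```

On Splunk 9.x the `master_uri` attribute is named `manager_uri`; the stanza names above are the 8.x spellings that match the documentation version linked in the thread. After restarting the HF, `splunk list forward-server` on the HF should list the on-prem indexers as active, and on the indexer side a search over `index=_internal source=*metrics.log group=tcpin_connections` shows the forwarder connections with their TLS state. The egress and latency questions in the post are not answered by configuration: measure the compressed bytes per day the HFs actually send before committing to the Direct Connect pricing for that volume.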


Stumbled upon this question - I think it is answered here https://docs.splunk.com/Documentation/SplunkCloud/8.1.2011/User/SearchCloudfromEnterprise



I believe your ES SH can connect to your AWS indexers (I may be wrong). The documentation speaks of Splunk Cloud (different from an AWS deployment). This is my thinking. Sending data from your cloud to your on-premises environment will involve significant cost depending on the volume of data being sent.

If you have solved this issue, kindly please share your solution.




Try configuring multiple indexer clusters in your search head cluster, i.e. attach both the on-prem indexer cluster and the AWS/Azure indexer cluster to your existing search head cluster.


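To make the suggestion above concrete, here is what attaching a second, self-managed indexer cluster to an existing search head looks like. This is an added example for this page, not configuration posted by the answer's author or taken from Splunk's documentation; the cluster names, host names and keys are placeholders. It is the on-prem-search-head to self-managed-AWS-indexer-cluster case, which is a different mechanism from the Splunk Cloud hybrid search the question ruled out.

```ini
; server.conf on each member of the existing on-prem search head cluster
; (placeholder host names and secrets)
[clustering]
mode = searchhead
; Comma-separated list of the clustermaster stanzas below. The search tier
; then treats the peers of both clusters as one set of search peers.
master_uri = clustermaster:onprem, clustermaster:aws

[clustermaster:onprem]
master_uri = https://cm.onprem.example.com:8089
; Must match the [clustering] pass4SymmKey on that cluster manager.
pass4SymmKey = <onprem-cluster-secret>

[clustermaster:aws]
; Reached over the Direct Connect lines; the search head also needs the
; management port of every AWS indexer, not just the manager (placeholder).
master_uri = https://cm.aws.example.com:8089
pass4SymmKey = <aws-cluster-secret>
```

On Splunk 9.x the stanza is `[clustermanager:<name>]` and the attribute `manager_uri`. After a restart, `splunk list search-server` on a member should show the peers of both clusters. Two practical checks before relying on this for ES: the search head cluster needs network reachability to the AWS cluster manager and to every AWS indexer over the same Direct Connect lines, and searches now fan out over that path; and ES data model acceleration builds its summaries on every searched indexer, so the AWS peers must carry the same index and sourcetype naming as the on-prem ones for the CIM data models to populate consistently.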