×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
alvaro_delamata
Engager
Member since: ‎11-05-2025
‎02-24-2026
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎11-05-2025
Activity Feed
View All

Re: Best and most cost-efficient way to forward lo...

by in Splunk Cloud Platform
‎02-17-2026 06:07 AM
‎02-17-2026 06:07 AM
  To answer your question, our data comes from three different sources: - Universal Forwarders (Splunk2Splunk) - HEC - Modular Inputs Data integrity is critical for us, so your point about catching the data "on the way in" really resonates. That's exactly why we are now leaning towards Ingest Processor with a SPL2 `branch` pipeline** rather than Ingest Actions + S3 — the async nature of S3 introduces a layer we'd rather avoid when data loss is not an option. Given our mixed ingestion sources (UF, HEC and Modular Inputs), do you know if Ingest Processor handles all three transparently, or are there any known limitations depending on the input type? Also, for the second Splunk Cloud destination, we were planning to use a single HEC token with all target indexes whitelisted in the `indexes` field, and let the pipeline handle routing via `eval index=...`. Does that approach sound right to you? Thanks again for pointing us in the right direction! ... View more

Best and most cost-efficient way to forward logs f...

by in Splunk Cloud Platform
‎02-17-2026 05:40 AM
‎02-17-2026 05:40 AM
Hi community, I'm looking for advice on the most efficient and cost-effective way to replicate/forward logs from one Splunk Cloud Platform instance to a second Splunk Cloud Platform instance. My constraints and requirements: - I want to avoid using a Heavy Forwarder as an intermediary, since I'm trying to keep the architecture fully cloud-native and reduce infrastructure overhead. - Both source and destination are Splunk Cloud Platform deployments (not Splunk Enterprise). - I need the forwarding to be as close to real-time as possible. - I'd like to minimize additional AWS/third-party costs (e.g., avoid S3 as a middle layer if possible). I've been looking into two main options: 1. Ingest Actions + S3 bucket → AWS TA on the destination instance. 2. Ingest Processor with a SPL2 `branch` command sending directly to both instances (the second one via an HEC token). For option 2, I was planning to use a single HEC token on the destination instance with all target indexes listed in the `indexes` field, and let the pipeline control routing via `eval index=...`. Does that sound right? Has anyone implemented either of these approaches in production? What were the trade-offs you encountered in terms of latency, cost, reliability, and maintainability? Any advice or real-world experience is greatly appreciated! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-24-2026 05:45 AM
Karma given to
View All