×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
alvaro_delamata
Engager
Member since: ‎11-05-2025
‎02-24-2026
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎11-05-2025
Activity Feed
View All

Re: Best and most cost-efficient way to forward lo...

by in Splunk Cloud Platform
‎02-17-2026 06:07 AM
‎02-17-2026 06:07 AM
  To answer your question, our data comes from three different sources: - Universal Forwarders (Splunk2Splunk) - HEC - Modular Inputs Data integrity is critical for us, so your point about catching the data "on the way in" really resonates. That's exactly why we are now leaning towards Ingest Processor with a SPL2 `branch` pipeline** rather than Ingest Actions + S3 — the async nature of S3 introduces a layer we'd rather avoid when data loss is not an option. Given our mixed ingestion sources (UF, HEC and Modular Inputs), do you know if Ingest Processor handles all three transparently, or are there any known limitations depending on the input type? Also, for the second Splunk Cloud destination, we were planning to use a single HEC token with all target indexes whitelisted in the `indexes` field, and let the pipeline handle routing via `eval index=...`. Does that approach sound right to you? Thanks again for pointing us in the right direction! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-24-2026 05:45 AM
Karma given to
View All