How is Splunk Cloud Architected?

Author: Becca Lambert
Release Date: 22/09/2023

What is Splunk Cloud?

In 2013 Splunk launched Splunk Cloud, a version of Splunk hosted and supported by Splunk. It provides the full functionality and features of Splunk Enterprise but without the costs and time requirements of administration, maintenance and upgrades, as well as none of the infrastructure costs.

The customer responsibilities associated with Splunk Cloud are greatly reduced compared to Splunk Enterprise. Customers are only responsible for getting their data in, creating and managing users, and getting to the good part of creating their dashboards, reports and alerts, on a Splunk platform delivered production-ready from day one.

Classic Experience vs Victoria:

A Splunk Cloud deployment comes in one of two designs; Classic experience and Victoria, They have near identical capabilities, with a few distinct differences shown in the table below:




Hybrid Searches

Fully Supported 

Not Available  (Customers must use federated search

Inputs Data Manager

The apps must be installed by Splunk support but the configuration of these apps is managed by the customer

Inputs run directly on the search tier 

Modular Scripted Inputs

These must run on a separate IDM instance or a on premise-heavy forwarder

Inputs run directly on the search tier 

  • Hybrid searches, which are fully supported on classic, are not supported by Victoria so the customers must use a federated search.
  • Classic Experience has an Inputs data manager (IDM) and modular scripted inputs, however, these are not applicable to Victoria as it runs the inputs directly on the search tier.

You can find out which Splunk Cloud platform by going to Support and Services > About in Splunk Cloud Web.  Please note all new Splunk Customers will be deployed on Victoria. 

A diagram of the classic Cloud experience
This is a diagram of the classic Cloud experience

What's the difference between Splunk Cloud and Splunk Enterprise?

Due to Splunk Cloud’s increased complexity and to ensure that it remains secure and compliant throughout, access to each of the different components and features differs from what is expected in an on-prem deployment.


Splunk Enterprise On-Prem

Splunk Cloud

Command Line Interface 


No Customer Access


Customers can decide what apps to run on their deployment

Only the vetted and approved apps are permitted to Install

Direct TCP and Syslog Inputs 


Customers cannot send these directly to Splunk Cloud 

Scripted Inputs


Only supported in the context of approved apps

Licence Pooling 


Not Supported

HTTP event collector (HEC)


For Splunk Cloud, HEC is enabled via ELB on port 443

Splunk API

Enabled by default

Access by Splunk Cloud Support and API Self-service App

Network Connection 

Can use TCP and UPD. Optional Secure connection

Inbound TCP protocol only with SSL secure connection

Splunk Cloud Licensing:

In order to provide flexibility to customers, there are two different licence types available to purchase for Splunk Cloud, these are Ingestion (based on the build-up of the daily volume of data indexed as GB per day of data ingested).  Also, the new Workload/Infrastructure pricing model, allows you to ingest unlimited amounts of data and charge by the search power required for your use cases. Customers can choose what licensing model will be most efficient for them, as some may ingest huge amounts of data but search it less frequently, or vice versa. 

Splunk Cloud & Security:

Splunk Cloud prides itself on having a 100% guaranteed uptime. In order to fulfil this promise, not only does it require a solid infrastructure, but also limiting the user access as much as possible in order to reduce the risk of any sabotage or human error which could result in a reduced performance for the users. One way Splunk Cloud does this is by only providing search head access via GUI, no direct Command Line access and no licence pooling.  Splunk Cloud also makes sure that all data entered into the platform is done in a secure manner in order to protect the platform and also to ensure data integrity. This means that secure SSL and TLS forwarding unique to the customer environment is used.

Strict vetting on Cloud applications in order to make sure that they are compliant and ensure data security and improved platform stability. All installed apps need to be compliant with this vetting process. Therefore Splunk offers 2 main options in regards to installing apps. The first option is using the wide range of pre-approved apps on the Splunk app base. The second option is via user interface upload, which is where customer-created apps, once vetted, can be installed via the ad-hoc search head. For more specific apps needed for a Splunk environment, Splunk also offers supported installation.

Benefits of using Splunk Cloud

As Splunk Cloud is a hosted SaaS where the included support and operations provide:

  • Advice and Troubleshooting support
  • Asset management and automated infrastructure deployment 
  • Automated processing and implementation
  • Regular maintenance and upgrade
  • Monitoring and alerting of system health and security 
  • IT operations and security specialists
  • 24/7 Network Operation Center

If you want to learn more about how Splunk Cloud could accelerate your monitoring and your cloud deployments please do not hesitate to get in touch with us and we can provide further technical overviews or a customised demonstration.

More Resources like this one:

Somerford's Added Value Explained
Partner & Customer Testimonials |
Business Value Panel Discussion & Podcast

What is Splunk Cloud? | Splunk Cloud Webinar
Splunk® Cloud™ delivers the capabilities of Splunk as Software-as-a-Service (SaaS).

Get in Touch

Contact Becca or the rest of our pre-sales team through our contact form.

Scroll to Top