ACS CLI Tasks

Bulk operations and ACS feature reference

Environment

Task type

Bulk Operations — add entries below or upload a file, then generate.

Operation Settings

Operation Type

Bulk Action

Generate indexes.conf stanzas. Upload a CSV/Excel with: Index Name, Datatype, Retention, etc.

Upload & Generate

Drag & Drop Files

or click to select CSV / Excel

Need a template? CSV | Excel

Command & Output

Operations — select an ACS feature and action, fill the form (Dev Stack), or upload a file for other features.

Operation Settings

ACS Feature

Action

Generate

Drag & Drop Files

or click to select CSV / Excel

Need a template? CSV | Excel

ACS CLI documentation

Conf Generator

Generate Splunk .conf file stanzas

Configuration

Platform

Config file

Set stanza name (sourcetype) and optional parsing options.

Stanza Name (Sourcetype)

Index stanza name and optional data/storage settings.

Stanza Name (Index Name)

Index settings for Splunk Cloud.

Name

Index data type

Max raw data size

Additional storage

Searchable retention (days)

Generated Stanza

props.conf

# Configuration will appear here...

Create Splunk App

Package multiple conf files and metadata into a Splunk app (.zip / .spl)

Platform

App name

Metadata (local.meta) — Enterprise

[]
access = read : [ * ], write : [ admin ]
export = none

Included as metadata/local.meta in the package.

Package format

Supported formats: .spl, .zip, .tar, .tar.gz, .tgz. Use .spl to install via Splunk UI or splunk install app.

File Path Guide

Cross-platform directory and CLI reference

Install type

Full Directory List

Target	Linux / Mac Path	Windows Path
Installation Directory	`/opt/splunk`	`C:\Program Files\Splunk`
Configuration Files	`/opt/splunk/etc`	`C:\Program Files\Splunk\etc`
Apps Directory	`/opt/splunk/etc/apps`	`C:\Program Files\Splunk\etc\apps`
Logs Directory	`/opt/splunk/var/log/splunk`	`C:\Program Files\Splunk\var\log\splunk`
Indexes Directory	`/opt/splunk/var/lib/splunk`	`C:\Program Files\Splunk\var\lib\splunk`
Splunk Bin Directory	`/opt/splunk/bin`	`C:\Program Files\Splunk\bin`
Deployment Server Config Directory	`/opt/splunk/etc/deployment-apps`	`C:\Program Files\Splunk\etc\deployment-apps`
Search Head Directory	`/opt/splunk/etc/searchheads`	`C:\Program Files\Splunk\etc\searchheads`
Cluster Configuration Directory	`/opt/splunk/etc/master-apps`	`C:\Program Files\Splunk\etc\master-apps`
Saved Searches Directory	`/opt/splunk/etc/savedsearches`	`C:\Program Files\Splunk\etc\savedsearches`
Authentication Configuration Directory	`/opt/splunk/etc/auth`	`C:\Program Files\Splunk\etc\auth`
SSL Certificate Directory	`/opt/splunk/etc/auth/certs`	`C:\Program Files\Splunk\etc\auth\certs`
Props.conf Directory	`/opt/splunk/etc/system/local`	`C:\Program Files\Splunk\etc\system\local`
Index Configuration Directory	`/opt/splunk/etc/system/local/indexes.conf`	`C:\Program Files\Splunk\etc\system\local\indexes.conf`
Deployment Server Apps Directory	`/opt/splunk/etc/deployment-apps`	`C:\Program Files\Splunk\etc\deployment-apps`
Inputs Configuration Directory	`/opt/splunk/etc/system/local/inputs.conf`	`C:\Program Files\Splunk\etc\system\local\inputs.conf`
Transformations Directory	`/opt/splunk/etc/system/local/transforms.conf`	`C:\Program Files\Splunk\etc\system\local\transforms.conf`
Dashboards Directory	`/opt/splunk/etc/apps/<app>/default/data/ui/views`	`C:\Program Files\Splunk\etc\apps\<app>\default\data\ui\views`
Splunk Home (SPLUNK_HOME)	`/opt/splunk`	`C:\Program Files\Splunk`
User Directories	`/opt/splunk/etc/users/<user>`	`C:\Program Files\Splunk\etc\users\<user>`
Deployment Clients Directory	`/opt/splunk/etc/deployment-clients`	`C:\Program Files\Splunk\etc\deployment-clients`
KV Store Directory	`/opt/splunk/var/lib/splunk/kvstore`	`C:\Program Files\Splunk\var\lib\splunk\kvstore`
KV Store Summary Directory	`/opt/splunk/var/lib/splunk/kvstore/summary`	`C:\Program Files\Splunk\var\lib\splunk\kvstore\summary`
Fishbucket (checkpoint) Directory	`/opt/splunk/var/lib/splunk/fishbucket`	`C:\Program Files\Splunk\var\lib\splunk\fishbucket`
Splunkd Log File	`/opt/splunk/var/log/splunk/splunkd.log`	`C:\Program Files\Splunk\var\log\splunk\splunkd.log`
License Directory	`/opt/splunk/etc/licenses`	`C:\Program Files\Splunk\etc\licenses`
Introspection (internal metrics) Directory	`/opt/splunk/var/lib/splunk/introspection`	`C:\Program Files\Splunk\var\lib\splunk\introspection`
User Interface Directory	`/opt/splunk/share/splunk/search_mrsparkle`	`C:\Program Files\Splunk\share\splunk\search_mrsparkle`
Splunk Python Directory	`/opt/splunk/Python-<version>`	`C:\Program Files\Splunk\Python-<version>`
Splunk Apps Bin Directory	`/opt/splunk/etc/apps/<appname>/bin`	`C:\Program Files\Splunk\etc\apps\<appname>\bin`
Splunk App Local Directory	`/opt/splunk/etc/apps/<appname>/local`	`C:\Program Files\Splunk\etc\apps\<appname>\local`
Splunk App Metadata Directory	`/opt/splunk/etc/apps/<appname>/metadata`	`C:\Program Files\Splunk\etc\apps\<appname>\metadata`
Splunk App Static Directory	`/opt/splunk/etc/apps/<appname>/static`	`C:\Program Files\Splunk\etc\apps\<appname>\static`
Splunk App Default Directory	`/opt/splunk/etc/apps/<appname>/default`	`C:\Program Files\Splunk\etc\apps\<appname>\default`

Btool Master Class

Action	Linux / Mac Command	Windows Command
Check config (typos / validity)	`./splunk btool check`	`splunk.exe btool check`
List all conf types	`./splunk btool --help`	`splunk.exe btool --help`
Props (sourcetype / parsing)	`./splunk btool props list [--debug]`	`splunk.exe btool props list [--debug]`
Transforms	`./splunk btool transforms list [--debug]`	`splunk.exe btool transforms list [--debug]`
Indexes	`./splunk btool indexes list [--app=search]`	`splunk.exe btool indexes list [--app=search]`
Inputs	`./splunk btool inputs list [--debug]`	`splunk.exe btool inputs list [--debug]`
Outputs (forwarding)	`./splunk btool outputs list [--debug]`	`splunk.exe btool outputs list [--debug]`
Server	`./splunk btool server list [--debug]`	`splunk.exe btool server list [--debug]`
Web (HTTP / SSL)	`./splunk btool web list [--debug]`	`splunk.exe btool web list [--debug]`
Limits	`./splunk btool limits list [--debug]`	`splunk.exe btool limits list [--debug]`
Authentication	`./splunk btool authentication list [--debug]`	`splunk.exe btool authentication list [--debug]`
Authorize (roles)	`./splunk btool authorize list [--debug]`	`splunk.exe btool authorize list [--debug]`
Deployment client	`./splunk btool deploymentclient list [--debug]`	`splunk.exe btool deploymentclient list [--debug]`
Saved searches (reports/alerts)	`./splunk btool savedsearches list [--user=admin]`	`splunk.exe btool savedsearches list [--user=admin]`
Lookups	`./splunk btool lookups list [--debug]`	`splunk.exe btool lookups list [--debug]`
Fields	`./splunk btool fields list [--debug]`	`splunk.exe btool fields list [--debug]`
Tags	`./splunk btool tags list [--debug]`	`splunk.exe btool tags list [--debug]`
Event types	`./splunk btool eventtypes list [--debug]`	`splunk.exe btool eventtypes list [--debug]`
Macros	`./splunk btool macros list [--debug]`	`splunk.exe btool macros list [--debug]`
Alert actions	`./splunk btool alert_actions list [--debug]`	`splunk.exe btool alert_actions list [--debug]`
REST map (custom endpoints)	`./splunk btool restmap list [--debug]`	`splunk.exe btool restmap list [--debug]`
Search stanza in inputs	`./splunk btool inputs list --debug \| grep "monitor"`	`splunk.exe btool inputs list --debug \| findstr "monitor"`

Fishbucket & Checkpoint

Action	Linux / Mac Command or Path	Windows Command or Path
Fishbucket directory (checkpoint DB)	`/opt/splunk/var/lib/splunk/fishbucket`	`C:\Program Files\Splunk\var\lib\splunk\fishbucket`
Reset checkpoint for one file (btprobe)	`./splunk cmd btprobe -d var/lib/splunk/fishbucket/splunk_private_db --file /path/to/file --reset`	`splunk.exe cmd btprobe -d var\lib\splunk\fishbucket\splunk_private_db --file C:\path\to\file --reset`
Clean all fishbucket (stop first)	`./splunk stop` then `rm -rf var/lib/splunk/fishbucket/*` then `./splunk start`	`splunk.exe stop` then delete `var\lib\splunk\fishbucket\*` then `splunk.exe start`
Inspect fishbucket DB (btprobe list)	`./splunk cmd btprobe -d var/lib/splunk/fishbucket/splunk_private_db --list`	`splunk.exe cmd btprobe -d var\lib\splunk\fishbucket\splunk_private_db --list`

Service Commands

Action	Linux / Mac Command	Windows Command
Start Splunk	`./splunk start`	`splunk.exe start`
Restart	`./splunk restart`	`splunk.exe restart`
Stop	`./splunk stop`	`splunk.exe stop`
Status	`./splunk status`	`splunk.exe status`
Diag	`./splunk diag`	`splunk.exe diag`
Show version	`./splunk version`	`splunk.exe version`
Reload DS	`./splunk reload deploy-server`	`splunk.exe reload deploy-server`
Reload (configs)	`./splunk reload`	`splunk.exe reload`
Clean event data (index)	`./splunk clean eventdata -index <name>`	`splunk.exe clean eventdata -index <name>`
Enable boot-start	`./splunk enable boot-start`	`splunk.exe enable boot-start`
Disable boot-start	`./splunk disable boot-start`	`splunk.exe disable boot-start`
List forward-server (outputs)	`./splunk list forward-server`	`splunk.exe list forward-server`

Full Directory List (Universal Forwarder)

Target	Linux / Mac Path	Windows Path
Installation Directory	`/opt/splunkforwarder`	`C:\Program Files\Splunk Forwarder`
Configuration Files	`/opt/splunkforwarder/etc`	`C:\Program Files\Splunk Forwarder\etc`
Apps Directory	`/opt/splunkforwarder/etc/apps`	`C:\Program Files\Splunk Forwarder\etc\apps`
Logs Directory	`/opt/splunkforwarder/var/log/splunk`	`C:\Program Files\Splunk Forwarder\var\log\splunk`
Bin Directory	`/opt/splunkforwarder/bin`	`C:\Program Files\Splunk Forwarder\bin`
Deployment Client Config	`/opt/splunkforwarder/etc/deployment-apps`	`C:\Program Files\Splunk Forwarder\etc\deployment-apps`
Splunk Home (SPLUNK_HOME)	`/opt/splunkforwarder`	`C:\Program Files\Splunk Forwarder`
Deployment Clients Directory	`/opt/splunkforwarder/etc/deployment-clients`	`C:\Program Files\Splunk Forwarder\etc\deployment-clients`
Fishbucket (checkpoint)	`/opt/splunkforwarder/var/lib/splunk/fishbucket`	`C:\Program Files\Splunk Forwarder\var\lib\splunk\fishbucket`

Btool (Universal Forwarder)

Action	Linux / Mac Command	Windows Command
Check config	`./splunk btool check`	`splunk.exe btool check`
Inputs	`./splunk btool inputs list [--debug]`	`splunk.exe btool inputs list [--debug]`
Outputs (forwarding)	`./splunk btool outputs list [--debug]`	`splunk.exe btool outputs list [--debug]`
Deployment client	`./splunk btool deploymentclient list [--debug]`	`splunk.exe btool deploymentclient list [--debug]`
Server	`./splunk btool server list [--debug]`	`splunk.exe btool server list [--debug]`
Props	`./splunk btool props list [--debug]`	`splunk.exe btool props list [--debug]`
Transforms	`./splunk btool transforms list [--debug]`	`splunk.exe btool transforms list [--debug]`

Fishbucket & Checkpoint

Action	Linux / Mac Command or Path	Windows Command or Path
Fishbucket directory	`/opt/splunkforwarder/var/lib/splunk/fishbucket`	`C:\Program Files\Splunk Forwarder\var\lib\splunk\fishbucket`
Reset checkpoint (btprobe)	`./splunk cmd btprobe -d var/lib/splunk/fishbucket/splunk_private_db --file /path/to/file --reset`	`splunk.exe cmd btprobe -d var\lib\splunk\fishbucket\splunk_private_db --file C:\path\to\file --reset`
Inspect fishbucket (btprobe list)	`./splunk cmd btprobe -d var/lib/splunk/fishbucket/splunk_private_db --list`	`splunk.exe cmd btprobe -d var\lib\splunk\fishbucket\splunk_private_db --list`

Service Commands

Action	Linux / Mac Command	Windows Command
Start Splunk	`./splunk start`	`splunk.exe start`
Restart	`./splunk restart`	`splunk.exe restart`
Stop	`./splunk stop`	`splunk.exe stop`
Status	`./splunk status`	`splunk.exe status`
Diag	`./splunk diag`	`splunk.exe diag`
Show version	`./splunk version`	`splunk.exe version`
Reload DS	`./splunk reload deploy-server`	`splunk.exe reload deploy-server`
Reload (configs)	`./splunk reload`	`splunk.exe reload`
Enable boot-start	`./splunk enable boot-start`	`splunk.exe enable boot-start`
Disable boot-start	`./splunk disable boot-start`	`splunk.exe disable boot-start`
List forward-server (outputs)	`./splunk list forward-server`	`splunk.exe list forward-server`

cURL Generator

Build cURL commands for ACS and REST API requests

Configuration

URL

Stack URL

Base URL

Authentication Type

Request

Endpoint

Method

Operation

Index name

ACS base path: adminconfig/v2. Replace {placeholders} in the generated URL with your values.

Text Editor

Multi-pane clipboard: combine, find/replace, copy, download

Combined output

Trim & remove empty lines when combining

Utilities

SPL formatter, Base64, time range, and config converters

Choose Utility

Estimate Splunk storage and indexer capacity from ingest rate, retention, and cluster topology. Supports multiple indexes, compression, and indexes.conf output.

For detailed hot/warm/cold/archived breakdown, volume layout, and RAID guidance: Splunk Storage Sizing .

Input Data

Input Mode

Events per second

GB per day (raw)

Avg event size (bytes)

Raw compression factor

Metadata size factor

Output units

Retention (Days)

Hot / Warm

Cold

Frozen / Archived

Architecture

Number of indexers

Replication factor

Workload

Optional: Multiple Indexes

Add index names and % of total ingest (e.g. main=60, security=40). Leave empty for single index (main).

Splunk OTel Collector Helm values — configure and download values.yaml.

Output filename

Generated YAML (preview)

Format Search Processing Language (SPL) with indentation for readability, or minify to a single line.

Paste SPL

Format (indent): Adds line breaks and indentation so the search is easier to read. Minify: Removes extra whitespace and puts the whole search on one line (e.g. for sharing or APIs).

Output

Time range to SPL

Build earliest/latest time range values for Splunk searches (e.g. last 24 hours, custom range).

Preset

Result

Bucket Migration Validation (On-Prem → Cloud)

Step-by-step SPL to compare on-prem vs cloud bucket inventories and validate that missing buckets were frozen during migration. Run Step 1 on-prem before the first wave (note the date); run Step 2 on cloud after migration; then compare and cross-check with frozen bucket events.

Lookup filenames & options (used when you copy SPL)

On-prem lookup

Cloud lookup

Missing buckets lookup

Frozen inventory lookup

CM host (frozen events)

Run date (optional, e.g. 2025-04-07)

Step 1 — On-prem first wave (run before migration; note date)

Run on-prem. Export non-hot buckets to lookup. Rename the CSV to the on-prem lookup name above if different.

SPL

Step 2 — Cloud bucket inventory

Run on Splunk Cloud after migration.

SPL

Step 3 — Compare on-prem to cloud (missing buckets)

Finds buckets that were on-prem but not in cloud. Excludes internal indexes.

SPL

Step 4 — Frozen bucket events

Search _internal on the cluster manager for Force Freezing events.

SPL

Step 5 — Compare missing vs frozen (should be no results)

Any missing bucket not in the frozen inventory would appear here. Expect no results if all missing buckets were frozen during migration.

SPL

Step 6 — Manual proof

List bucketIds from missing, then pick one and verify it appears in the frozen inventory.

List missing bucketIds

Search frozen inventory for one bucketId (replace the placeholder with a bucketId from above).

Search frozen for one bucketId

Build and test regex for field extractions. No regex experience needed — use presets or type your own pattern. See matches live and copy as Splunk rex or REPORT.

Sample text or JSON (paste logs or load an example)

Quick patterns

Regex pattern (edit freely; use () for capture groups)

Flags

Matches

Capture groups

Splunk props.conf (rex or REPORT)

Quick Reference

ACS commands, SPL examples, and endpoints

ACS Feature Reference

ACS Feature	Command / Endpoint
Configure IP allow lists (IPv4)	`acs ip-allowlist`
Configure IP allow lists (IPv6)	`acs ip-allowlist-v6`
Configure outbound ports (IPv4)	`acs outbound-port`
Configure outbound ports (IPv6)	`acs outbound-port-v6`
Export apps	`acs apps export`
Manage app permissions	`acs permissions apps`
Manage authentication tokens	`acs token`
Manage HEC tokens	`acs hec-token`
Manage indexes	`acs indexes`
Manage limits.conf	`acs limits`
Manage maintenance windows	`acs maintenance-windows`
Manage private apps	`acs apps` (install, list, describe, uninstall)
Manage Splunkbase apps	`acs apps` (install splunkbase, update, list, uninstall)
Manage restarts	`acs restart`
Manage roles	`acs roles`
Manage users	`acs users`
Retry failed operations	`acs deployment retry`
View capabilities	`acs capabilities`
DDSS self-storage locations	`acs indexes self-storage-locations`
Unified Identity (Observability)	`acs observability pair`

Bulk operation commands

Bulk operation	Command
HEC tokens	`acs hec-token bulk-create` / `bulk-update` / `bulk-delete` `--file file.json`
Indexes	`acs indexes bulk-create` / `bulk-update` / `bulk-delete` `--file file.json`
Install Splunkbase apps	`acs apps bulk-install splunkbase --file apps.json`
Uninstall apps	`acs apps bulk-uninstall --file file.json`
Export apps	`acs apps export --file=apps_to_export.json`
Private apps (vet & install)	`acs apps bulk-install private --package-src-dir path/to/packages --acs-legal-ack=Y`
App permissions	`acs permissions apps bulk-update`

Common SPL searches

Purpose	Example
Last N events (any index)	`index=* \| head 20`
Count by field	`index=main \| stats count by sourcetype`
Time range (last 24h)	`index=main earliest=-24h latest=now`
Table specific fields	`index=main \| table _time host source sourcetype`
Search string in raw	`index=main "error" OR "failure"`
Rename field	`\| eval new_name = old_field`
Filter with where	`\| where count > 10`
Dedup by field	`\| dedup host`
Sort	`\| sort - _time`
Rex (extract with regex)	`\| rex field=_raw "<(?<id>[^>]+)>"`
Lookup	`\| lookup my_lookup key OUTPUT value`
Subsearch	`index=main [ search index=summary \| head 1 ]`

Index Migration (Rest / DB Inspect)

Purpose	SPL
REST Command on CM Run connected via Cluster Master	\| rest splunk_server=local /services/cluster/manager/buckets f=title f=primaries_by_site* timeout=0 \| rex field=title "(?<index>[^~]+)~(?<bid>.*)" \| rename primaries_by_site.site0 AS source_guid \| table index, bid, source_guid, dest_index
DB Inspect on SH Run on Search Head (or CM)	\| dbinspect index=* \| search NOT state=hot \| dedup bucketId \| rex field=buckedId "(?<index>[^~]+)~(?<bid>.*)" \| table index \| dedup index

Purpose

SPL

REST Command on CM
Run connected via Cluster Master

| rest splunk_server=local /services/cluster/manager/buckets f=title f=primaries_by_site* timeout=0
| rex field=title "(?<index>[^~]+)~(?<bid>.*)"
| rename primaries_by_site.site0 AS source_guid
| table index, bid, source_guid, dest_index

DB Inspect on SH
Run on Search Head (or CM)

| dbinspect index=*
| search NOT state=hot
| dedup bucketId
| rex field=buckedId "(?<index>[^~]+)~(?<bid>.*)"
| table index
| dedup index

Time modifiers (SPL)

Modifier	Meaning
`earliest=-15m`	Last 15 minutes
`earliest=-1h`	Last 1 hour
`earliest=-24h`	Last 24 hours
`earliest=-7d`	Last 7 days
`earliest=-30d`	Last 30 days
`latest=now`	Up to current time
`earliest=0`	All time (use with care)

Props & Transforms snippets

Attribute / File	Example
props: LINE_BREAKER	`LINE_BREAKER = ([\r\n]+)`
props: TIME_FORMAT	`TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z`
props: MAX_EVENTS	`MAX_EVENTS = 256`
props: rex	`rex = (?<field>regex)`
props: REPORT	`REPORT-extract = my_extract` (stanza in transforms)
props: EXTRACT	`EXTRACT-foo = ^(?<bar>.+?) in`
transforms: REGEX	`REGEX = (?<key>\w+)=(?<value>[^\s]+)`
transforms: FORMAT	`FORMAT = key::$1 value::$2`
transforms: DEST_KEY	`DEST_KEY = MetaData:Source`
transforms: SOURCE_KEY	`SOURCE_KEY = _raw`

SPL commands (stats, eval, transform)

Command	Use	Example
`stats`	Aggregate / group	`\| stats count, sum(bytes) by host`
`eval`	Compute fields	`\| eval ratio = success / total`
`lookup`	Enrich from table	`\| lookup my_lookup host OUTPUT env`
`join`	Correlate two searches	`\| join type=left host [ search index=metrics ]`
`transaction`	Group events	`\| transaction host maxspan=5m`
`bin`	Bucket time/values	`\| bin _time span=1h`
`chart`	Pivot to chart	`\| chart count by host over _time`
`append`	Combine result sets	`\| append [ search index=other ]`
`map`	Run subsearch per row	`\| map search="search index=main host=$host$"`
`foreach`	Loop over fields	`\| foreach col* [ eval sum_<<FIELD>> = '<<FIELD>>' ]`
`mvexpand`	One row per MV value	`\| mvexpand mv_field`
`makemv`	Split to multivalue	`\| makemv delim="," field=tags`

Splunk REST API (search & auth)

Purpose	Endpoint / notes
Create search job (async)	`POST /services/search/jobs` — `search=...`, `output_mode=json`
Oneshot (blocking)	`POST /services/search/jobs` — `exec_mode=oneshot`, `search=...`
Export results (stream)	`POST /servicesNS/<user>/<app>/search/jobs/export` — `search=...`, `output_mode=csv\|json\|xml`
Job results	`GET /services/search/jobs/<sid>/results` — `output_mode=json_rows`
Job control	`DELETE /services/search/jobs/<sid>` (cancel), `GET .../control` (pause/unpause)
List jobs	`GET /services/search/jobs` — `count=0` for all
Auth (token)	`POST /services/auth/login` — `username`, `password`; or `Authorization: Bearer <token>`
HEC (ingest)	`POST /services/collector/event` — `Authorization: Splunk <hec_token>`, JSON body

indexes.conf & inputs.conf

File / attribute	Example
indexes: homePath, coldPath, thawedPath	`homePath = $SPLUNK_DB/<INDEX>/db` (and cold/thawed)
indexes: maxTotalDataSizeMB	`maxTotalDataSizeMB = 500000`
indexes: frozenTimePeriodInSecs	`frozenTimePeriodInSecs = 7776000` (90d)
inputs: monitor (file)	`[monitor:///var/log/app/*.log]` — `sourcetype=...`, `index=...`
inputs: batch (file)	`[batch:///path]` — read file once
inputs: script	`[script://./bin/myscript.sh]` — `interval=60`, `sourcetype=...`
inputs: TCP / UDP	`[tcp://1514]`, `[udp://514]` — `sourcetype=...`, `index=...`
inputs: HTTP Event Collector	Configure in UI or `inputs.conf` (http); token in `limits.conf` or ACS

Runbook placeholders

Copy these into runbooks and docs; replace with real values for each environment.

Splunk Cloud: ACS CLI · SPL Search Reference · REST API Reference

ACS CLI Tasks

Drag & Drop Files

Drag & Drop Files

Conf Generator

Create Splunk App

File Path Guide

cURL Generator

Text Editor

Utilities

Input Data

Retention (Days)

Architecture

Optional: Multiple Indexes

Storage Required

Lookup filenames & options (used when you copy SPL)

Step 1 — On-prem first wave (run before migration; note date)

Step 2 — Cloud bucket inventory

Step 3 — Compare on-prem to cloud (missing buckets)

Step 4 — Frozen bucket events

Step 5 — Compare missing vs frozen (should be no results)

Step 6 — Manual proof

Quick Reference