A local resource is a fixed resource that your Splunk Enterprise instance has direct access to. You are able to access a local resource, and whatever it contains, without having to attach, connect, or perform any other intermediate action, such as authenticating or mapping a network drive. If your data is on such a resource, the data is local.

Here are some examples of local data:

• Data on a hard disk or solid state drive installed in a desktop, laptop, or server host.
• Data on a resource that has been permanently mounted over a high-bandwidth physical connection that the machine can access at boot time.
• Data on a RAM disk.

A remote resource is any resource that doesn't meet the definition of a local resource. Data that exists on such a resource is remote data.

Here are some examples of remote resources:

• Network drives on Windows hosts.
• Active Directory schemas.
• NFS or other network-based mounts on *nix hosts.
• Most cloud-based resources.

There are some cases where resources might be considered remote, but they are actually local:

• A host has a volume that has been permanently mounted over a high-bandwidth physical connection, like USB or FireWire. Because the computer can mount the resource at boot time, Splunk Enterprise treats it as a local resource, even though the resource can theoretically be disconnected at a later time.
• A host has a resource that has been permanently mounted over a high-bandwidth network standard, like iSCSI, or to a Storage Area Network over fiber. Because the standard treats such volumes as local block devices, such a resource is considered local.