Splunk Cloud Platform

Use Ingest Processors


Ingest Processor is currently released as a preview only and is not officially supported. See Splunk General Terms for more information. For any questions on this preview, please reach out to ingestprocessor@splunk.com.

Send data from Ingest Processor to the Splunk Cloud Platform deployment connected to your tenant

Send data from Ingest Processor to the Splunk Cloud Platform deployment connected to your tenant by creating a connection between your cloud tenant and your Splunk Cloud Platform deployment. You can use this connection to send data from Ingest Processor to the connected Splunk Cloud Platform deployment. To do this, you must create a pipeline that uses a destination that is associated with this connection, and then apply the pipeline. If you want to send data to an index that was created after the Splunk Cloud Platform deployment was connected to the tenant, then you might need to refresh the connection before that index becomes available as a destination.

The specific index that the data from Ingest Processor gets routed to is determined by a precedence order of configurations. For more information, see Index precedence order when using S2S.

You can also send data from Ingest Processor to a Splunk platform deployment that is not connected to your tenant. For more information, see Sending data from Ingest Processor to Splunk Cloud Platform or Splunk Enterprise.

Prerequisites

Make sure that your Splunk Cloud Platform deployment is connected to your cloud tenant, and that the indexers and indexes from that deployment are available to your tenant.

To verify if this connection has been configured correctly, navigate to the Destinations page and select the Splunk tab. Then, confirm the following:

  • Indexes from your Splunk Cloud Platform deployment are available as Index destinations.
  • Indexers from your Splunk Cloud Platform deployment are available as Splunk platform S2S destinations that have the Tenant paired property. To verify whether a destination has this property, select the destination to open a side panel with configuration details, and then check if the Kind field in the panel includes the Tenant paired tag.

If you do not see any destinations that have these characteristics, make sure that you have completed the setup process described in First-time setup instructions for the Ingest Processor solution.

If an index that you expect to see is not appearing on the Destinations page, confirm that the index is configured to be available to the tenant and then refresh the connection between the tenant and the Splunk Cloud Platform deployment. For detailed instructions, see the Make more indexes available to the tenant section that follows.

Make more indexes available to the tenant

If any indexes that you want to send data to are not listed on the Destinations page, then complete the following steps to make those indexes available. Otherwise, skip these steps and proceed to Create a pipeline that sends data to the connected Splunk Cloud Platform deployment.

  1. In your Splunk Cloud Platform deployment, update the role of the service account so that the account can access your indexes:
    1. Log in using your admin credentials.
    2. In the Settings menu, in the Users and authentication section, select Roles.
    3. In the row that lists the role used by your service account, select Edit > Edit.

      The role and service account were created when you configured your Splunk Cloud Platform deployment to receive data.

    4. On the 3. Indexes tab, select the Included check box for all the indexes that you want to make available.
    5. Select Save.
  2. In your cloud tenant, refresh the connection to your Splunk Cloud Platform deployment:
    1. Select the Settings icon and then select Manage connection.
    2. Select the Refresh icon.
    3. Select Done.

The indexes that you added become available on the Destinations page, and you can now send processed data from Ingest Processor to these indexes.
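
To confirm the role change before refreshing the connection, the following added example (not part of the Splunk documentation) compares the indexes a role includes against the indexes your pipelines need, and flags wildcard or unneeded entries so the service account stays least-privilege. The role name `ip_service_role` and the sample response are constructed; the code assumes the Included check boxes are reported as `srchIndexesAllowed` by the `/services/authorization/roles/<role>` REST endpoint.

```python
import fnmatch
import json

# Constructed sample: trimmed JSON in the shape returned by
# GET /services/authorization/roles/<role>?output_mode=json
# (hypothetical role name, made-up index names).
SAMPLE_ROLE_JSON = """
{"entry": [{"name": "ip_service_role",
            "content": {"srchIndexesAllowed": ["main", "web_*"],
                        "srchIndexesDefault": ["main"]}}]}
"""


def audit_role_indexes(role_json, wanted):
    """Compare the indexes a role includes with the indexes pipelines need.

    Returns three sorted lists:
      missing   - wanted indexes that no included entry covers
      wildcards - included entries that use '*', which grant more than one index
      unneeded  - literal included entries that no pipeline needs
    """
    content = json.loads(role_json)["entry"][0]["content"]
    included = content.get("srchIndexesAllowed", [])

    def covered(index):
        # An included entry may be a literal name or a '*' wildcard pattern.
        return any(fnmatch.fnmatchcase(index, pattern) for pattern in included)

    return {
        "missing": sorted(i for i in wanted if not covered(i)),
        "wildcards": sorted(p for p in included if "*" in p),
        "unneeded": sorted(
            p for p in included if "*" not in p and p not in wanted
        ),
    }


if __name__ == "__main__":
    # Indexes the pipelines are expected to write to (constructed list).
    report = audit_role_indexes(
        SAMPLE_ROLE_JSON, ["main", "web_access", "firewall"]
    )
    for key, values in report.items():
        print(f"{key}: {values}")
```

Any index reported as missing must be selected as Included in the role before the connection refresh makes it available as a destination.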

Create a pipeline that sends data to the connected Splunk Cloud Platform deployment

  1. Navigate to the Pipelines page and then select New pipeline.
  2. Select Blank pipeline, then select Next.
  3. On the Define your pipeline's partition page, do the following:
    1. Select how you want to partition your incoming data that you want to send to your pipeline. You can partition by source type, source, and host.
    2. Enter the conditions for your partition, including the operator and the value. Your pipeline will receive and process the incoming data that meets these conditions.
    3. Select Next to confirm the pipeline partition.
  4. (Optional) On the Add sample data page, enter or upload sample data for generating previews that show how your pipeline processes data.

    The sample data must be in the same format as the actual data that you want to process. See Getting sample data for previewing data transformations for more information.

  5. Select Next to confirm any sample data that you want to use for your pipeline.
  6. On the Select destination dataset page, select the name of the destination that you want to send data to, then do the following:
    1. If you selected a Splunk platform S2S or Splunk platform HEC destination, select Next.
    2. If you selected another type of destination, select Done and skip the next step.
  7. (Optional) If you're sending data to a Splunk platform deployment, you can specify a target index:
    1. In the Index name field, select the name of the index that you want to send your data to.
    2. (Optional) In some cases, incoming data already specifies a target index. If you want your Index name selection to override previous target index settings, then select the Overwrite previously specified target index check box.
    3. Select Done.
    4. If you're sending data to a Splunk platform deployment, be aware that the destination index is determined by a precedence order of configurations.

  8. On the SPL2 editor page, add any desired actions to your SPL2 statement. You can add processing commands to your pipeline by selecting the plus icon next to Actions and selecting a data processing action, or by typing SPL2 commands and functions directly in the editor. For instructions on creating pipelines for specific use cases, see the following:

When you are done modifying the pipeline, save and apply the pipeline.

Last modified on 14 March, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2308 (latest FedRAMP release), 9.1.2312

