Splunk Cloud Platform

Use Ingest Processors

Ingest Processor is currently released as a preview only and is not officially supported. See Splunk General Terms for more information. For any questions on this preview, please reach out to ingestprocessor@splunk.com.

Send data from Ingest Processor to non-connected Splunk platform deployments using S2S

When sending data from the Ingest Processor service to a Splunk Enterprise deployment or a Splunk Cloud Platform deployment that is not connected to your tenant, you can choose to send that data using the Splunk-to-Splunk (S2S) protocol. S2S is the proprietary, TCP-based data transmission protocol used between Splunk software.

Start by adding a Splunk platform S2S destination in the Ingest Processor service. You can configure the destination to send data to one or more indexers that are part of the same Splunk platform deployment. Then, create a pipeline that uses that destination. When you apply that pipeline, the Ingest Processor starts sending the data that it receives to your Splunk platform deployment.

The specific index that the data from the Ingest Processor service gets routed to is determined by a precedence order of configurations. For more information, see Index precedence order when using S2S.

You can also send data using the HTTP Event Collector (HEC) instead of S2S, or send data to the Splunk Cloud Platform deployment that is connected to your tenant without needing to add any destinations. For more information, see Sending data from Ingest Processor to Splunk Cloud Platform or Splunk Enterprise.

Prerequisites

Before you can add a destination that sends data to the Splunk platform using S2S, you must do the following:

  • Make note of the following information for each of the indexers that you want to send data to:
    • The IP address or host name
    • The number of the port used to receive data
  • If you're sending data to an indexer that requires TLS, then obtain the necessary certificates for establishing a TLS connection with the indexer. See Obtaining TLS certificates in this topic for more information.

    Splunk Cloud Platform indexers always require TLS.

Obtaining TLS certificates

If you're sending data to an indexer that requires TLS encryption, then you need to have the necessary certificates for establishing a TLS connection between the Ingest Processor service and the indexer. In most cases, you must upload these certificates when adding the destination in the Ingest Processor service.

TLS requirements for Splunk Cloud Platform

TLS connections with Splunk Cloud Platform indexers require the universal forwarder credentials package. You can download this package from your Splunk Cloud Platform deployment by doing the following:

  1. In the Splunk Web interface for your Splunk Cloud Platform deployment, select Apps, then Universal Forwarder.
  2. Select Download Universal Forwarder Credentials.

Note the location of the credentials file. The credentials file is named splunkclouduf.spl.

TLS requirements for Splunk Enterprise

TLS connections with Splunk Enterprise indexers require the following certificates contained in separate Privacy Enhanced Mail (PEM) files:

  • A client certificate.
  • The private key associated with that client certificate. This private key must be decrypted.
  • The CA certificates used to verify the indexer.

If you don't have these PEM files, ask your Splunk Enterprise administrator for assistance. See the Secure Splunk platform communications with Transport Layer Security certificates chapter of the Securing Splunk Enterprise manual for more information.
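A pre-upload check of the three PEM files described above, as an added example that is not Splunk's code. The names `classify_pem`, `preflight` and `pem` are hypothetical. The check reads PEM labels and headers only: it does not confirm that the key matches the certificate or that the CA verifies the indexer.

```python
import re

# Matches one PEM block and captures its label and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_pem(text):
    """Return the kind of every PEM block in text, in order."""
    kinds = []
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            kinds.append("certificate")
        elif label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted key
            kinds.append("encrypted_private_key")
        elif label.endswith("PRIVATE KEY"):
            # Legacy OpenSSL keys flag encryption in a Proc-Type header.
            enc = "Proc-Type: 4,ENCRYPTED" in body
            kinds.append("encrypted_private_key" if enc else "private_key")
        else:
            kinds.append("other")
    return kinds

def preflight(client_cert, client_key, ca_certs):
    """Return a list of problems with the three PEM texts (empty = OK)."""
    cert, key, ca = (classify_pem(t) for t in (client_cert, client_key, ca_certs))
    keys = [k for k in key if k.endswith("private_key")]
    problems = []
    if "certificate" not in cert:
        problems.append("client certificate: no CERTIFICATE block")
    if any(k.endswith("private_key") for k in cert + ca):
        problems.append("private key found outside the key file")
    if "encrypted_private_key" in keys:
        problems.append("client private key: encrypted, decrypt it first")
    elif len(keys) != 1 or "certificate" in key:
        problems.append("client private key: expected exactly one key and no certificates")
    if not ca or set(ca) != {"certificate"}:
        problems.append("CA certificates: expected only CERTIFICATE blocks")
    return problems

def pem(label, body="Q09OU1RSVUNURUQ="):
    """Build a constructed PEM block; the body is a placeholder, not key material."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    cert = pem("CERTIFICATE")
    print(preflight(cert, pem("PRIVATE KEY"), cert))            # well-formed set
    print(preflight(cert, pem("ENCRYPTED PRIVATE KEY"), cert))  # encrypted key
```

Pass the contents of each file as text; any returned problem should be resolved before uploading the files to the destination.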

Add a Splunk platform S2S destination

  1. In the Ingest Processor service, select Destinations.
  2. On the Destinations page, select New destination, then Splunk platform using S2S.
  3. Provide a name and description for your destination.
    Field          Description
    Name           A unique name for your destination
    Description    (Optional) A description of your destination
  4. In the Indexers field, enter the host and port information of an indexer that you want to send data to using the format <ip_address>:<port> or <hostname>:<port>. You can enter information for multiple indexers by selecting Add another.
  5. If your indexer requires TLS, then select Turn on TLS and then set Platform to the type of Splunk platform deployment you want to send data to.
  6. If you turned on TLS in the destination, provide the necessary certificates:
    • If you set Platform to Splunk Cloud Platform, then in the Universal forwarder credentials field, upload the splunkclouduf.spl file that you downloaded from your Splunk Cloud Platform deployment.
    • If you set Platform to Splunk Enterprise, then upload the appropriate private key and certificates in these fields:
      Field                 Description
      Client private key    A PEM file containing the decrypted private key associated with your client certificate
      Client certificate    A PEM file containing a client certificate
      CA certificates       The CA certificates used to verify the indexer
  7. To finish adding the destination, select Add.

You now have a destination that you can use to send data from the Ingest Processor service to one or more Splunk indexers.

To start sending data from the Ingest Processor service to the indexers specified in the destination, create a pipeline that uses the destination you just added and then apply that pipeline. For more information, see Create pipelines for Ingest Processor.

Last modified on 14 March, 2024
 

This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403

