Splunk Cloud Platform

Use Ingest Processors


Ingest Processor is currently released as a preview only and is not officially supported. See Splunk General Terms for more information. For any questions on this preview, please reach out to ingestprocessor@splunk.com.

Use templates to create pipelines for Ingest Processor

To help you get started on creating and using pipelines, the Ingest Processor service includes sample pipelines called templates. Templates are Splunk-built pipelines that are designed to work with specific data sources and use cases. For example, the Linux Audit template takes linux_audit logs and extracts common fields. Templates include sample data and preconfigured SPL2 statements, so you can use them as a starting point to build custom pipelines to solve specific use cases or as a reference to learn how to write SPL2 to build pipelines.

To view a list of the available pipeline templates, log in to your tenant, navigate to the Pipelines page, and then select Templates.

To create a pipeline using a template, complete the following steps.

Prerequisites

Before starting to create a pipeline, make sure that the destination that you want the pipeline to send data to is listed on the Destinations page of your tenant. If your destination is not listed on that page, then you must add that destination to your tenant. See Add or manage destinations for more information.

Steps

  1. Navigate to the Pipelines page, and select Ingest Processor pipeline.
  2. On the Get started page, select the template that you want to use from the list of available templates, then click Next.
  3. On the Define your pipeline's partition page, do the following:
    1. Select how you want to partition the incoming data that you want to send to your pipeline. You can partition by source type, source, and host.
    2. Enter the conditions for your partition, including the operator and the value. Your pipeline will receive and process the incoming data that meets these conditions.
    3. Select Next to confirm the pipeline partition.
  4. On the Add sample data page, do the following. If your template includes sample data, skip these steps.
    1. Enter or upload sample data for generating previews that show how your pipeline processes data. The sample data must contain accurate examples of the values that you want to extract into fields. For example, the following sample events represent purchases made at a store at a particular time:

       E9FF471F36A91031FE5B6D6228674089, 72E0B04464AD6513F6A613AABB04E701, Credit Card, 7.7, 2023-01-13 04:41:00, 2023-01-13 04:45:00, -73.997292, 40.720982, 4532038713619608
       A5D125F5550BE7822FC6EE156E37733A, 08DB3F9FCF01530D6F7E70EB88C3AE5B, Credit Card,14, 2023-01-13 04:37:00, 2023-01-13 04:47:00, -73.966843,40.756741, 4539385381557252
       1E65B7E2D1297CF3B2CA87888C05FE43,F9ABCCCC4483152C248634ADE2435CF0, Game Card, 16.5, 2023-01-13 04:26:00, 2023-01-13 04:46:00, -73.956451, 40.771442
    2. Select Next to confirm the sample data that you want to use for your pipeline.
  5. On the Select destination dataset page, select the name of the destination that you want to send data to, then do the following:
    1. If you selected a Splunk platform S2S or Splunk platform HEC destination, select Next.
    2. If you selected another type of destination, select Done and skip the next step.
  6. (Optional) If you're sending data to a Splunk platform deployment, you can specify a target index:
    1. In the Index name field, select the name of the index that you want to send your data to.
    2. (Optional) In some cases, incoming data already specifies a target index. If you want your Index name selection to override previous target index settings, then select the Overwrite previously specified target index check box.
    3. Select Done.
    4. If you're sending data to a Splunk platform deployment, be aware that the destination index is determined by a precedence order of configurations.

  7. It can take a few minutes for Ingest Processor to finish applying your pipeline. During this time, all applied pipelines enter the Pending status. Once the operation is complete, the Pending Apply status icon stops displaying beside the pipeline. Refresh your browser to check whether the icon has disappeared.

The pipeline that you applied can now process the data it receives based on the processing instructions defined in the template.
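Before relying on the preview, it helps to check that every field you intend to extract is actually present in the sample events you supplied. The following Python script is an added example, not Splunk's code: it parses a constructed copy of the three sample purchase events above into named fields and reports how many events carry each field. The field names (transaction_id, customer_id, payment_method, amount, start_time, end_time, longitude, latitude, card_number) are assumptions, since the page does not name them; note that the third sample event has no ninth value, so the last field is reported as absent for it.

```python
import re

# Constructed copy of the page's three sample purchase events, one event per line,
# keeping the uneven spacing around commas exactly as it appears on the page.
SAMPLE_EVENTS = """\
E9FF471F36A91031FE5B6D6228674089, 72E0B04464AD6513F6A613AABB04E701, Credit Card, 7.7, 2023-01-13 04:41:00, 2023-01-13 04:45:00, -73.997292, 40.720982, 4532038713619608
A5D125F5550BE7822FC6EE156E37733A, 08DB3F9FCF01530D6F7E70EB88C3AE5B, Credit Card,14, 2023-01-13 04:37:00, 2023-01-13 04:47:00, -73.966843,40.756741, 4539385381557252
1E65B7E2D1297CF3B2CA87888C05FE43,F9ABCCCC4483152C248634ADE2435CF0, Game Card, 16.5, 2023-01-13 04:26:00, 2023-01-13 04:46:00, -73.956451, 40.771442
"""

# Assumed names for the nine comma-separated positions; the page does not name them.
FIELDS = ("transaction_id", "customer_id", "payment_method", "amount",
          "start_time", "end_time", "longitude", "latitude", "card_number")

_HEX32 = re.compile(r"^[0-9A-F]{32}$")
_TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")


def parse_event(line: str) -> dict:
    """Split one sample event into named fields, tolerating uneven spacing."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) < len(FIELDS) - 1:  # card_number is the only field allowed to be missing
        raise ValueError(f"event has only {len(parts)} fields: {line!r}")
    event = dict(zip(FIELDS, parts))
    if not (_HEX32.match(event["transaction_id"]) and _HEX32.match(event["customer_id"])):
        raise ValueError(f"identifier is not a 32-character hex string: {line!r}")
    if not (_TS.match(event["start_time"]) and _TS.match(event["end_time"])):
        raise ValueError(f"timestamp is not in YYYY-MM-DD HH:MM:SS form: {line!r}")
    event["amount"] = float(event["amount"])
    event["longitude"] = float(event["longitude"])
    event["latitude"] = float(event["latitude"])
    # The third sample event has no ninth value: record the field as absent, never guess it.
    event.setdefault("card_number", None)
    return event


def parse_events(raw: str) -> list[dict]:
    """Parse every non-empty line of the sample block."""
    return [parse_event(line) for line in raw.splitlines() if line.strip()]


def field_coverage(events: list[dict]) -> dict[str, int]:
    """Count how many events carry a non-empty value for each field."""
    return {f: sum(1 for e in events if e.get(f) not in (None, "")) for f in FIELDS}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for name, n in field_coverage(evts).items():
        print(f"{name}: present in {n}/{len(evts)} sample events")
```

A field that is present in only some sample events (here card_number, in 2 of 3) will show up in the preview for those events only, so add a sample event for every shape of data you expect the pipeline to receive.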

Last modified on 19 April, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2308 (latest FedRAMP release), 9.1.2312

