About the Edge Processor solution
The Edge Processor solution is a data processing solution that works at the edge of your network. Use the Edge Processor solution to filter, mask, and transform your data close to its source before routing the processed data to external environments.
The Edge Processor solution is suitable for Splunk Cloud Platform administrators who use forwarders or HTTP Event Collector (HEC) to get data into their deployments. It is available on both Classic Experience and Victoria Experience. You can use the Edge Processor solution if your Splunk Cloud Platform deployment meets the following requirements:
- Runs Splunk Cloud Platform version 9.0.2209 and higher.
- Is provisioned in a region that supports Edge Processors. See Available regions and region differences in the Splunk Cloud Platform Service Description.
- Is provisioned in a cloud environment that does not use the DoD IL5 or FedRAMP Moderate subscription types.
By paring down and sanitizing data before sending it out to Splunk indexes or Amazon S3 buckets, you can reduce data storage costs and help prevent confidential data from leaving your network. With the Edge Processor solution, you can also manage your data processing configurations and monitor your data ingest traffic through a centralized Splunk Cloud service.
For information about the latest product updates, see The Edge Processor solution in Release Notes.
What is the difference between Edge Processor and Ingest Processor?
See the following table to review the differences between Edge Processor and Ingest Processor.
Features | Edge Processor | Ingest Processor |
---|---|---|
Solution description | Edge Processor is a Splunk product that allows you to process data using SPL2 before you send that data out of your network to external destinations. You use a Splunk-managed cloud service to deploy and manage on-premises Edge Processors at the edge of your network. | Ingest Processor is a Splunk Cloud Platform capability that allows you to process data using SPL2 at the time of data ingestion. |
Supported data sources |
|
All data sources supported by Splunk Cloud Platform deployments on Victoria Experience. |
Where processing takes place | At the edge of your network, close to the data source. | In Splunk Cloud Platform. |
Generate logs into metrics | No | Yes |
Enrich data using lookups | Yes | No |
Routing to Splunk Enterprise indexes | Yes | No |
Routing to Splunk Cloud Platform indexes | Yes | Yes, but limited to indexes paired on the same Splunk Cloud Platform deployment with Ingest Processor. |
Routing to Splunk Observability Cloud | No | Yes |
Data format when routing to Amazon S3 | JSON files that use the Splunk HEC schema |
|
For more information about Ingest Processor, see the Use Ingest Processors manual.
Product components
The Edge Processor solution combines Splunk-managed cloud services, on-premises data processing software, and Search Processing Language, version 2 (SPL2) pipelines to support data processing at the edge of your network. The Edge Processor solution consists of the following main components:
Component | Description | Usage |
---|---|---|
Edge Processor | A data processing engine that allocates resources for processing and routing data | You install Edge Processors on machines in your local network. Edge Processors provide an on-premises data plane that lets you reduce and sanitize your data before sending it outside of your network. |
Edge Processor service | A cloud service that provides a centralized console for managing Edge Processors | Splunk hosts the Edge Processor service as part of Splunk Cloud Platform. The Edge Processor service provides a cloud control plane that lets you deploy configurations, monitor the status of your Edge Processors, and gain visibility into the amount of data that is moving through your network. |
Pipeline | A set of data processing instructions written in SPL2, which is the data search and preparation language used by Splunk software | In the Edge Processor service, you create pipelines to specify what data to process, how to process it, and what destination to send the processed data to. Then, you apply pipelines to your Edge Processors to configure them to start processing data according to those instructions. |
To learn more about how the Edge Processor solution works and become more familiar with key terms and concepts, see How the Edge Processor solution works. For information about the types of data processing operations that are supported, see Edge Processor pipeline syntax.
Get started with the Edge Processor solution
Start by verifying whether you already have access to the Edge Processor solution. Do the following:
- Open a browser and navigate to https://px.scs.splunk.com/<tenant>, where <tenant> is the name of your Splunk Cloud Platform deployment.
- Check whether the URL resolves to the same login page as your Splunk Cloud Platform deployment.
- If the login pages are the same, then continue to the next step.
- If the login pages are different, that means you don't have access to the Edge Processor solution.
- Log in to https://px.scs.splunk.com/<tenant> using a Splunk Cloud Platform user account that has the admin_all_objects capability.
- If your login succeeds and the browser redirects you to the Data management page, that confirms that you have access to the Edge Processor solution.
- If you encounter authentication errors or cannot access the Edge Processor service, that means you don't have access to the Edge Processor solution.
Request access to the Edge Processor solution
To request access to the Edge Processor solution, fill out and submit the Request activation of Splunk Data Management form. You'll be asked to provide information such as the name of a Splunk Cloud Platform deployment that you want to connect with the Edge Processor solution. This connection is required for provisioning the Edge Processor solution, since the Splunk Cloud Platform deployment must be used as the following:
- An identity provider for managing user accounts and logins for the Edge Processor service.
- A storage location for the logs and metrics generated by your Edge Processors.
When the provisioning process is completed, you receive a welcome email confirming that you now have access to a tenant in the Splunk cloud environment. To start using the Edge Processor solution, navigate to this tenant and log in using your Splunk Cloud Platform credentials.
Start using the Edge Processor solution
If you are the first Edge Processor user on that tenant, you need to complete a one-time setup procedure to fully activate the Edge Processor service. See First-time setup instructions for the Edge Processor solution for more information.
To start processing data at the edge of your network, you first need to install an Edge Processor on a machine in your network. Then, specify how you want to process and route your data by creating pipelines using SPL2. Finally, configure your data sources to send data to your Edge Processor. For more guidance on getting started, see Quick start: Process and route data using Edge Processors.
See also
See the following documentation for more information about the Edge Processor solution and other Splunk software that works in conjunction with the Edge Processor solution.
For this information | Refer to this documentation |
---|---|
Service limits that apply to the Edge Processor solution | Tested and recommended service limits (soft limits) in the Splunk Cloud Platform Service Description |
Complete information about the supported SPL2 commands and functions | The following pages in the SPL2 Search Reference: |
How to configure Splunk forwarders | The Forwarding Data manual |
How to configure HEC | Set up and use HTTP Event Collector in Splunk Web |
How the Edge Processor solution works |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!