Splunk Cloud Platform

Use Edge Processors

About the Edge Processor solution

The Edge Processor solution is a data processing solution that works at the edge of your network. Use the Edge Processor solution to filter, mask, and transform your data close to its source before routing the processed data to external environments.

The Edge Processor solution is suitable for Splunk Cloud Platform administrators who use forwarders or HTTP Event Collector (HEC) to get data into their deployments. It is available on both Classic Experience and Victoria Experience. You can use the Edge Processor solution if your Splunk Cloud Platform deployment meets the following requirements:

  • Runs Splunk Cloud Platform version 9.0.2209 and higher.
  • Is provisioned in a region that supports Edge Processors. See Available regions and region differences in the Splunk Cloud Platform Service Description.
  • Is provisioned in a cloud environment that does not use the DoD IL5 or FedRAMP Moderate subscription types.

By paring down and sanitizing data before sending it out to Splunk indexes or Amazon S3 buckets, you can reduce data storage costs and help prevent confidential data from leaving your network. With the Edge Processor solution, you can also manage your data processing configurations and monitor your data ingest traffic through a centralized Splunk Cloud service.

For information about the latest product updates, see The Edge Processor solution in Release Notes.

What is the difference between Edge Processor and Ingest Processor?

See the following table to review the differences between Edge Processor and Ingest Processor.

| Features | Edge Processor | Ingest Processor |
| --- | --- | --- |
| Solution description | Edge Processor is a Splunk product that allows you to process data using SPL2 before you send that data out of your network to external destinations. You use a Splunk-managed cloud service to deploy and manage on-premises Edge Processors at the edge of your network. | Ingest Processor is a Splunk Cloud Platform capability that allows you to process data using SPL2 at the time of data ingestion. |
| Supported data sources | Forwarders; HTTP clients and logging applications through the HTTP Event Collector (HEC); Syslog devices | All data sources supported by Splunk Cloud Platform deployments on Victoria Experience. |
| Where processing takes place | At the edge of your network, close to the data source. | In Splunk Cloud Platform. |
| Generate logs into metrics | No | Yes |
| Enrich data using lookups | Yes | No |
| Routing to Splunk Enterprise indexes | Yes | No |
| Routing to Splunk Cloud Platform indexes | Yes | Yes, but limited to indexes paired on the same Splunk Cloud Platform deployment with Ingest Processor. |
| Routing to Splunk Observability Cloud | No | Yes |
| Data format when routing to Amazon S3 | JSON files that use the Splunk HEC schema | Parquet files; JSON files that use the Splunk HEC schema |

For more information about Ingest Processor, see the Use Ingest Processors manual.

Product components

The Edge Processor solution combines Splunk-managed cloud services, on-premises data processing software, and Search Processing Language, version 2 (SPL2) pipelines to support data processing at the edge of your network. The Edge Processor solution consists of the following main components:

| Component | Description | Usage |
| --- | --- | --- |
| Edge Processor | A data processing engine that allocates resources for processing and routing data | You install Edge Processors on machines in your local network. Edge Processors provide an on-premises data plane that lets you reduce and sanitize your data before sending it outside of your network. |
| Edge Processor service | A cloud service that provides a centralized console for managing Edge Processors | Splunk hosts the Edge Processor service as part of Splunk Cloud Platform. The Edge Processor service provides a cloud control plane that lets you deploy configurations, monitor the status of your Edge Processors, and gain visibility into the amount of data that is moving through your network. |
| Pipeline | A set of data processing instructions written in SPL2, which is the data search and preparation language used by Splunk software | In the Edge Processor service, you create pipelines to specify what data to process, how to process it, and what destination to send the processed data to. Then, you apply pipelines to your Edge Processors to configure them to start processing data according to those instructions. |

To learn more about how the Edge Processor solution works and become more familiar with key terms and concepts, see How the Edge Processor solution works. For information about the types of data processing operations that are supported, see Edge Processor pipeline syntax.

Get started with the Edge Processor solution

Start by verifying whether you already have access to the Edge Processor solution. Do the following:

  1. Open a browser and navigate to https://px.scs.splunk.com/<tenant>, where <tenant> is the name of your Splunk Cloud Platform deployment.
  2. Check whether the URL resolves to the same login page as your Splunk Cloud Platform deployment.
    • If the login pages are the same, then continue to the next step.
    • If the login pages are different, that means you don't have access to the Edge Processor solution.
  3. Log in to https://px.scs.splunk.com/<tenant> using a Splunk Cloud Platform user account that has the admin_all_objects capability.
    • If your login succeeds and the browser redirects you to the Data management page, that confirms that you have access to the Edge Processor solution.
    • If you encounter authentication errors or cannot access the Edge Processor service, that means you don't have access to the Edge Processor solution.

Request access to the Edge Processor solution

To request access to the Edge Processor solution, fill out and submit the Request activation of Splunk Data Management form. You'll be asked to provide information such as the name of a Splunk Cloud Platform deployment that you want to connect with the Edge Processor solution. This connection is required for provisioning the Edge Processor solution, because the Splunk Cloud Platform deployment serves as the following:

  • An identity provider for managing user accounts and logins for the Edge Processor service.
  • A storage location for the logs and metrics generated by your Edge Processors.

When the provisioning process is completed, you receive a welcome email confirming that you now have access to a tenant in the Splunk cloud environment. To start using the Edge Processor solution, navigate to this tenant and log in using your Splunk Cloud Platform credentials.

Start using the Edge Processor solution

If you are the first Edge Processor user on that tenant, you need to complete a one-time setup procedure to fully activate the Edge Processor service. See First-time setup instructions for the Edge Processor solution for more information.

To start processing data at the edge of your network, you first need to install an Edge Processor on a machine in your network. Then, specify how you want to process and route your data by creating pipelines using SPL2. Finally, configure your data sources to send data to your Edge Processor. For more guidance on getting started, see Quick start: Process and route data using Edge Processors.

See also

See the following documentation for more information about the Edge Processor solution and other Splunk software that works in conjunction with the Edge Processor solution.

| For this information | Refer to this documentation |
| --- | --- |
| Service limits that apply to the Edge Processor solution | Tested and recommended service limits (soft limits) in the Splunk Cloud Platform Service Description |
| Complete information about the supported SPL2 commands and functions | The following pages in the SPL2 Search Reference: |
| How to configure Splunk forwarders | The Forwarding Data manual |
| How to configure HEC | Set up and use HTTP Event Collector in Splunk Web |

Last modified on 07 November, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408

