Splunk Cloud Platform

Release Notes

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

The Edge Processor solution

The Edge Processor solution is being gradually rolled out to Splunk Cloud Platform and may not be available immediately. If you have an urgent need for this capability and do not see it yet in your Splunk Cloud Platform environment, then please contact your Splunk Cloud Platform sales representative.

This page contains information about new features, known issues, and resolved issues for the Edge Processor solution, grouped by the generally available release date.

The Edge Processor solution is a service within Splunk Cloud Platform designed to help you manage data ingestion within your network boundaries. Use the Edge Processor solution to filter, mask, and transform your data close to its source before routing the processed data to external environments. For more information, see About the Edge Processor solution.

The Edge Processor solution is available on Splunk Cloud Platform version 9.0.2209 or higher. Updates are released frequently, and become available across all the supported Splunk Cloud Platform versions at the same time.

The release date indicates when updates to the Edge Processor solution were made available to Splunk Cloud Platform customers. For more information, contact your Splunk account representative.

Use these links to navigate to a specific section:

New features, enhancements, and fixed issues

Splunk releases frequent updates to the Edge Processor solution. This list is periodically updated with the latest functionality and changes to the product.

April 18, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Renamed Global settings to Shared settings and updated the side navigation The Global settings page is now called Shared settings. The updated side navigation has the Shared settings and Source types items under the Edge Processors item.


See Configure shared Edge Processor settings for more information.

April 4, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Support for the json_valid, mvappend, mvdedup, and tojson SPL2 functions You can now use the following evaluation functions in pipelines for Edge Processors:

See SPL2 evaluation functions for Edge Processor pipelines for more information.

April 2, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
HTTP Event Collector (HEC) token authentication You can now configure Edge Processors to require data sources that are sending data through HEC to be authenticated using HEC tokens.


See Get data into an Edge Processor using HTTP Event Collector for more information.

March 26, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated workflow for configuring hashing functions You can now use the Compute hash of action in the pipeline builder to add and configure hashing functions in your pipelines.


See Hash fields using an Edge Processor for more information.

March 12, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated workflow for configuring lookups You can now use the Enrich events with lookup action in the pipeline builder to add and configure lookups in your pipelines.


See Enrich data with lookups using an Edge Processor for more information.

February 27, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated configuration settings for TLS and mTLS The configuration settings for securing communications between Edge Processors, data sources, and data destinations using TLS and mutually authenticated TLS (mTLS) have been updated to indicate more clearly when TLS or mTLS is supported.


For information about configuring mTLS between data sources and Edge Processors, see the pages in the Get data into Edge Processors chapter.

For information about configuring TLS or mTLS between Edge Processors and data destinations, see the following pages:

Renamed configuration option for Splunk platform HEC destinations The name and description of the Indexer or load balancer field has been updated to indicate the expected value more clearly. This field is now called HEC URI.


See the following pages for more information:

February 12, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated UI component for selecting data destinations in the pipeline builder The Append data to destination action in the pipeline builder is now called Send data to destination.


See Route subsets of data using an Edge Processor for more information.

January 31, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Support for the mvcount, mvrange, and mv_to_json_array SPL2 functions You can now use the following evaluation functions in pipelines for Edge Processors:

See SPL2 evaluation functions for Edge Processor pipelines for more information.

January 24, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated workflow for adding data processing actions to pipelines You can now use the plus icon (This image shows an icon of a plus sign.) in the Actions section of the pipeline builder to access a list of data processing actions for your pipeline.


See Create pipelines for Edge Processors for more information.

January 23, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Pipeline previews for multiple destinations When editing a pipeline that routes data to multiple destinations, you can now select a specific destination to preview the data that will make it to that particular destination.


See Route subsets of data using an Edge Processor for more information.

January 22, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updates to how where commands in pipelines are interpreted Previously, if a pipeline had one or more where commands as the first processing commands in the SPL2 statement, Edge Processors interpreted those commands as partition conditions. As a result, data that did not match those where clauses was sent to the Edge Processor's default destination instead of being dropped.


Now, Edge Processors consistently interpret all where commands in the pipeline as filters in the main body of the pipeline instead of partition conditions. Going forward, data that does not match the where clauses will be dropped.

This update does not immediately affect any currently applied pipelines. However, the next time you edit or apply a pipeline, that pipeline will be subject to this updated Edge Processor behavior. The Edge Processor service will automatically try to adjust the configuration of the pipeline in order to preserve the pre-existing data processing behavior. Make sure to double-check the partition and where configurations in your pipeline and save any necessary changes to the pipeline before proceeding.

See Updates to partitioning and filtering behavior in Edge Processor pipelines for more information.

January 8, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Support for the route SPL2 command You can now use the route command to send a desired subset of incoming data to a different destination.


See Route subsets of data using an Edge Processor for more information.

December 7, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Support for the lookup SPL2 command You can now use the lookup command to enrich incoming event data with additional information from CSV or KV Store lookup tables.


See Enrich data with lookups using an Edge Processor for more information.

Raw data ingestion using HTTP Event Collector (HEC) Edge Processors can now receive raw, unformatted data using the services/collector/raw HEC endpoint. You can use Edge Processors to break the raw data into distinct events before routing the data to desired destinations.


See Get data into an Edge Processor using HTTP Event Collector for more information.

November 17, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated workflow for configuring system connections The connection between the tenant and the paired Splunk Cloud Platform deployment is now configured through the new System connections page instead of the Manage connections dialog box.


See Connect your tenant to your Splunk Cloud Platform deployment and Send data from Edge Processors to the Splunk Cloud Platform deployment connected to your tenant for more information.

Additional pipeline partitioning options The pipeline builder now provides more options for creating partitions.


See Create pipelines for Edge Processors for more information.

November 8, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated workflows for sending data to specific Splunk indexes You can now use the Target index action in the pipeline builder to configure your pipeline to send data to a specific Splunk index. Indexes in the tenant-paired Splunk Cloud Platform deployment are no longer displayed directly in the Destinations page, but you can view them by selecting the tenant-paired indexer destination and then selecting View indexes.


See Create pipelines for Edge Processors for more information.

October 30, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Additional SPL2 functions You can now use certain cryptographic functions, trigonometric and hyperbolic functions, and statistical eval functions in pipelines for Edge Processors.


See SPL2 evaluation functions for Edge Processor pipelines for more information.

October 27, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated diagnostic tool The edge_diagnostic tool has been updated to fix an issue where the tool omits compressed log files. The checksum value associated with the diagnostic tool has been changed as a result of this update.


See Generate a diagnostic report for an Edge Processor instance for more information.

September 18, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Syslog data transmission You can now configure Edge Processor to receive syslog data.


See Get syslog data into an Edge Processor for more information.

August 22, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Support for the split SPL2 function You can now use the split evaluation function in pipelines for Edge Processors.


See SPL2 evaluation functions for Edge Processor pipelines for more information.

August 9, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Additional SPL2 functions You can now use the following evaluation functions in pipelines for Edge Processors:

See SPL2 evaluation functions for Edge Processor pipelines for more information.

August 4, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Availability on HIPAA, IRAP, and PCI DSS compliant cloud environments The Edge Processor solution is now available for use with Splunk Cloud Platform deployments that use these optional subscription types:
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Information Security Registered Assessors Program (IRAP)
  • Payment Card Industry Data Security Standard (PCI DSS)

See Compliance and certifications in the Splunk Cloud Platform Service Details for more information.

July 27, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
New pipeline builder You can now utilize a streamlined process when creating pipelines for Edge Processors.


See the following pages for more information:

June 1, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Data transmission using HTTP Event Collector (HEC) You can now configure Edge Processors to receive and send data using the services/collector HEC endpoint.


See the following pages for more information:

May 19, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Pipeline previews using parsed sample data You can now generate pipeline previews using parsed data that has values stored in event fields. Parsed data must be in CSV format.


See Getting sample data for previewing data transformations for more information.

April 27, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Default Destination as part of Edge Processor configuration You can now assign a default destination to each Edge Processor to route unprocessed data.


See Set up an Edge Processor for more information.

March 25, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Time extraction and normalization The pipeline editor now provides time extraction and time format conversion. You can extract timestamp-related fields using delivered templates or write our own regular expressions to meet your use case.


See Extract timestamps from event data using an Edge Processor for more information.

March 16, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Search results as sample data You can now use the Copy field values option to copy data values from search results. This capability lets you use data from the connected Splunk Cloud Platform deployment as sample data for previewing pipelines and source type configurations.


See Getting sample data for previewing data transformations for more information.

March 15, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Field extraction support The pipeline editor now provides a dedicated user interface for configuring field extractions. You can preview the extracted field names and values as you configure your extractions, and select prewritten regular expressions for extracting common fields.


See Extract fields from event data using an Edge Processor for more information.

February 13, 2023

This is the first generally available release of the Edge Processor solution.

The following functionalities are available for administrators:

Known issues

The Edge Processor solution is subject to the following limitations.

Category Service component Limitation Additional information
Edge Processors Maximum number of instances in total 50 This is the maximum number of instances, across all Edge Processors, that can be supported by one tenant.
Edge Processors Maximum number of instances per cluster 10 This is the maximum number of instances that each Edge Processor cluster can support.
Network traffic Maximum network traffic 100 TB/day This is the maximum amount of data per day that can pass through the Edge Processor solution.

Browsers

Multiple browser sessions are not supported since it is possible for users to try to edit the same pipeline in more than one browser session and make conflicting edits.

Edge Processors

The following limitations exist for Edge Processors:

Edge Processors provide no data delivery guarantees. Data loss can occur if an Edge Processor experiences high back pressure on connections to destinations, or when a data destination has a prolonged outage.

  • At maximum, an Edge Processor instance can use approximately 5 vCPUs of processing power from its host machine. Increasing the amount of available processing power beyond 5 vCPUs does not result in noticeable improvements in performance and data throughput. To increase the throughput of an Edge Processor, scale it up by installing more instances. See Add more instances to an Edge Processor.
  • If you uninstall or remove an Edge Processor instance using any method other than the uninstallation command provided in the Edge Processor service, the Manage instances panel shows the instance as being in the Disconnected status. You cannot exclude the instance from the list that is displayed in the Manage instances panel. For information about how to resolve this issue, see An Edge Processor instance that was previously "Healthy" is now "Disconnected".
  • Only tenant administrators can create and view Edge Processors.

Forwarders

The following limitations exist for forwarders:

  • The useACK property in outputs.conf must be disabled in forwarders that are sending data to Edge Processors.
  • Configurations defined in the props.conf file are not fully supported. Using an Edge Processor to process data that has already been transformed by props.conf configurations can produce unexpected results. To minimize errors and troubleshooting, do one of the following:
    • Use a pipeline that filters for the props.conf-transformed data and routes it to a destination without doing any additional processing.
    • Specify a default destination for your tenant, and then make sure that the props.conf-transformed data is not handled by any pipelines that are applied to your Edge Processor. This configuration enables the Edge Processor to send the props.conf-transformed data to the default destination without doing any additional processing.
    • Revert your props.conf settings to their defaults and use a pipeline to execute the necessary data transformations instead.
  • You must use source types to configure the line breaking and processing of events from forwarders:
    • Line breaking definitions are specified in the source type configurations in the Edge Processor service. To apply line breaking to an event, you must ensure that the sourcetype value of the event matches the name of the relevant source type configuration.
    • The sourcetype value of an event determines whether or not a pipeline processes that event.

HTTP Event Collector (HEC)

When you use an Edge Processor to receive or send data through HEC, the Enable indexer acknowledgement setting on the HEC token must be turned off.

Metrics

Historical metrics presented in the detailed view of an Edge Processor do not include metrics for deleted pipelines.

Pipelines

The following limitations exist for pipelines:

  • Only tenant administrators can create, edit, delete, apply, or remove pipelines.
  • Specifying more than one destination in a pipeline is not supported. To route data to multiple destinations, you must create a dedicated pipeline for each destination and then apply these pipelines to your Edge Processor.
  • Some SPL2 functions work differently in Edge Processor pipelines than they do in searches. For example, regular expressions in functions are interpreted differently because Edge Processor pipelines support Regular Expression 2 (RE2) syntax while Splunk searches support Perl Compatible Regular Expressions (PCRE) syntax. See Edge Processor pipeline syntax for more information.

Splunk Cloud Experience tenants

When you go through the first-time setup process for the Edge Processor solution, you create a connection between your Splunk Cloud Experience tenant and your Splunk Cloud Platform deployment. This connection enables the tenant to surface specific indexes from that deployment as pipeline destinations.

The following limitations exist for this initial connection between your Splunk Cloud Experience tenant and your Splunk Cloud Platform deployment:

  • You cannot connect your tenant to more than one Splunk Cloud Platform deployment using this method. To send data from a pipeline to an index that belongs to a different Splunk Cloud Platform deployment, you must configure a destination that corresponds to the indexer tier of that deployment and then include an eval expression that specifies the target index in your pipeline. For more information, see Sending data from Edge Processors to Splunk Cloud Platform or Splunk Enterprise.
  • If you create additional indexes in your Splunk Cloud Platform deployment after completing the first-time setup process, you must refresh the connection in order to make those indexes available in the tenant. For detailed instructions, see Make more indexes available to the tenant.
Last modified on 18 April, 2024
PREVIOUS
Admin Configuration Service 		 

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters