Splunk Cloud Platform

Use Edge Processors

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Send data from Edge Processors to the Splunk Cloud Platform deployment connected to your tenant

As part of the first-time setup process for the Edge Processor solution, you created a connection between your cloud tenant and your Splunk Cloud Platform deployment. You can use this connection to send data from Edge Processors to the connected Splunk Cloud Platform deployment. To do this, you must create a pipeline that uses a destination that is associated with this connection, and then apply the pipeline to an Edge Processor. If you want to send data to an index that was created after the Splunk Cloud Platform deployment was connected to the tenant, then you might need to refresh the connection before that index becomes available as a destination.

The specific index that the data from an Edge Processor gets routed to is determined by a precedence order of configurations. For more information, see Index precedence order when using S2S.

You can also send data from an Edge Processor to a Splunk platform deployment that is not connected to your tenant. For more information, see Sending data from Edge Processors to Splunk Cloud Platform or Splunk Enterprise.

Prerequisites

Make sure that your Splunk Cloud Platform deployment is connected to your cloud tenant, and that the indexers and indexes from that deployment are available to your tenant.

To verify if this connection has been configured correctly, navigate to the Destinations page and select the Splunk tab. Then, confirm the following:

  • Indexes from your Splunk Cloud Platform deployment are available as Index destinations.
  • Indexers from your Splunk Cloud Platform deployment are available as Splunk platform S2S destinations that have the Tenant paired property. To verify whether a destination has this property, select the destination to open a side panel with configuration details, and then check if the Kind field in the panel includes the Tenant paired tag.

If you do not see any destinations that have these characteristics, make sure that you have completed the setup process described in First-time setup instructions for the Edge Processor solution.

If an index that you expect to see is not appearing on the Destinations page, confirm that the index is configured to be available to the tenant and then refresh the connection between the tenant and the Splunk Cloud Platform deployment. For detailed instructions, see the Make more indexes available to the tenant section that follows.

Make more indexes available to the tenant

If any indexes that you want to send data to are not listed on the Destinations page, then complete the following steps to make those indexes available. Otherwise, skip these steps and proceed to Create a pipeline that sends data to the connected Splunk Cloud Platform deployment.

  1. In your Splunk Cloud Platform deployment, update the role of the service account so that the account can access your indexes:
    1. Log in using your admin credentials.
    2. In the Settings menu, in the Users and authentication section, select Roles.
    3. In the row that lists the role used by your service account, select Edit > Edit.

      The role and service account were created during the initial setup of the Edge Processor solution. See First-time setup instructions for the Edge Processor solution for more information.

    4. On the 3. Indexes tab, select the Included check box for all the indexes that you want to make available.
    5. Select Save.
  2. In your cloud tenant, refresh the connection to your Splunk Cloud Platform deployment:
    1. Select the Settings icon (Image of the Settings icon) and then select Manage connection.
    2. Select the Refresh icon (This image shows an icon that looks like two curved arrows going in a circle.).
    3. Select Done.

The indexes that you added become available on the Destinations page, and you can now send processed data from Edge Processors to these indexes.

Create a pipeline that sends data to the connected Splunk Cloud Platform deployment

  1. Navigate to the Pipelines page and then select New pipeline.
  2. Select Blank pipeline and then select Next.
  3. Select or enter a sourcetype to define the subset of data you want this pipeline to process.
  4. Select Next to confirm your partition.
  5. (Optional) Enter or upload sample data for generating previews that show how your pipeline processes data.

    The sample data must be in the same format as the actual data that you want to process. See Getting sample data for previewing data transformations for more information.

  6. Select Next to confirm your sample data.
  7. Select the name of the destination that you want to send data to, and then select Done.
  8. Continue modifying the pipeline to fit your specific use case. For instructions on creating pipelines for specific use cases, see the following:

When you are done modifying the pipeline, save and apply it to an Edge Processor. If you haven't configured any data sources to send data to the Edge Processor yet, then do so. See the Get data into Edge Processors chapter.

Last modified on 30 August, 2023
PREVIOUS
Sending data from Edge Processors to Splunk Cloud Platform or Splunk Enterprise 		  NEXT
Send data from Edge Processors to non-connected Splunk platform deployments using S2S

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209, 9.0.2303, 9.0.2305 (latest FedRAMP release)

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters