Splunk Cloud Platform

Use Edge Processors


How the destination for Edge Processor works

To send data from an Edge Processor to a storage location such as an index or an Amazon S3 bucket, you must define that location as a destination in the Edge Processor service. Each destination contains the connection information that an Edge Processor needs to send data to that location.

The steps for adding a destination to the Edge Processor service vary depending on whether the destination is part of the Splunk Cloud Platform deployment that's connected to your cloud tenant:

You can confirm the destinations that are available by checking the Destinations page, and view additional details about a given destination by selecting it on the Destinations page.

What happens to my data if a destination becomes unavailable?

To prevent data loss, the Edge Processor holds data in a queue if it is unable to send data to a destination or if it receives more data than it can send. Queued data is stored on the hard drive of the Edge Processor host. If the queue fills up before the destination is available again, then data loss still occurs as the Edge Processor starts dropping any additional data that it receives. The amount of time that it takes to fill up the queue depends on the rate at which the Edge Processor is receiving data, but typically the queue holds at least 3 minutes of processing data.

Once the destination is available again, the Edge Processor sends those queued events to the destination. It might take some time for newer data to be processed by an Edge Processor as the data in the queue is prioritized first. If you want to adjust the size of the queue, see Cause: The Edge Processor queue has filled up.
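The queueing behavior described above can be modeled to estimate how long a destination outage a queue tolerates before events are dropped, and how long newer data lags after recovery. This is an added illustration, not Splunk code: it is a simplified per-second model, and the function name, the byte-based queue capacity, and the rates are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class OutageResult:
    first_drop_s: Optional[int]  # seconds into the outage when dropping starts
    dropped_bytes: int           # data lost for good (a gap at the destination)
    peak_queue_bytes: int
    catch_up_s: Optional[int]    # seconds after recovery until the backlog is sent

def simulate_outage(ingest_bps, send_bps, queue_cap_bytes, outage_s,
                    horizon_s=86_400):
    """Simplified one-second-step model (assumed, not Splunk's implementation).

    The destination is down for t < outage_s. Incoming data joins the queue,
    anything beyond queue_cap_bytes is dropped, and after recovery the queue
    is sent oldest-first at send_bps while new data keeps arriving.
    """
    queue = dropped = peak = 0
    first_drop = catch_up = None
    for t in range(horizon_s):
        queue += ingest_bps
        if t >= outage_s:                      # destination reachable again
            queue -= min(queue, send_bps)
        overflow = max(0, queue - queue_cap_bytes)
        if overflow:
            dropped += overflow
            queue -= overflow
            if first_drop is None:
                first_drop = t
        peak = max(peak, queue)
        if t >= outage_s and queue == 0:       # backlog fully delivered
            catch_up = t - outage_s + 1
            break
    return OutageResult(first_drop, dropped, peak, catch_up)

if __name__ == "__main__":
    # Constructed figures: 1 MB/s in, 1.5 MB/s out, queue sized for 3 minutes.
    print(simulate_outage(1_000_000, 1_500_000, 180_000_000, outage_s=300))
```

A `catch_up_s` of `None` means the send rate never exceeds the ingest rate within the simulated horizon, so the backlog is never cleared.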

Last modified on 30 August, 2023

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312

