Splunk Cloud Platform

Use Edge Processors

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Manage and uninstall Edge Processors

You can manage Edge Processors using the Edge Processors page in your tenant. Use the page to get a high-level view of the status of all of the Edge Processor instances in your deployment. You can also view additional details about specific Edge Processors, such as the amount of data that it is receiving and what pipelines are connected to it, by selecting the Edge Processor name.

To scale an Edge Processor by adding or removing instances, use the Manage instances panel. You can access this panel from the Edge Processors page or from the detailed view of a specific Edge Processor. For more information, see Add more instances to an Edge Processor and the Uninstall an Edge Processor instance section on this page.

Instance statuses and what they mean

The following table describes the various statuses that an Edge Processor instance can have and what they mean.

Status Icon Description
Healthy Image of the Healthy icon The Edge Processor is running and successfully connected to the Edge Processor service. When an Edge Processor is in this status, you can add pipelines to the Edge Processor to process and route data.
Disconnected Image of the Disconnected icon The Edge Processor service lost contact with the Edge Processor. There are many different reasons why this can occur. For example, this status can occur if the host machine that an Edge Processor is installed on is down or if communication between an Edge Processor and the Edge Processor service is blocked.
Pending Image of the Pending icon The Edge Processor service was notified of changes that you've made, but the service has not finished applying those changes to Edge Processors yet. An Edge Processor can enter this status due to various configuration changes including changes to the applied pipelines, the global Edge Processor settings, or the Edge Processor itself.
Warning Image of the Warning icon The Edge Processor is still active, but the Edge Processor service wants to notify you that an Edge Processor instance is nearing its memory or CPU usage limit.
Error Image of the Error icon Something is wrong with the Edge Processor. We are still receiving a heartbeat from it, but it may no longer be processing data. There are many different reasons why this can occur. For example, this status can occur if this instance has exceeded memory or CPU capacity, or if an Edge Processor internal component is stuck in a restart loop.

Edit an Edge Processor

Complete the following steps to change Edge Processor configurations such as the default destination for unprocessed data, the data inputs that are allowed, and the mutually authenticated TLS (mTLS) settings for securing communications between the Edge Processor and data sources. For information about all the available Edge Processor settings, see Add an Edge Processor.

  1. Navigate to the Edge Processors page.
  2. On the Edge Processors page, in the row that lists the Edge Processor that you want to modify, select the Actions icon (Image of the Actions icon) and then select Edit Edge Processor.
  3. Update the configuration settings as desired.
  4. Select Save.

All of the instances associated with the Edge Processor automatically restart and apply your configuration changes. It can take a few minutes for these processes to be completed. During this time, the instances enter the Pending status.

To confirm that the Edge Processor updated successfully, navigate to the Edge Processors page and verify that the Instance health column shows that all instances are back in the Healthy status. You might need to refresh your browser to see the latest updates.

Uninstall an Edge Processor instance

The procedure for uninstalling an Edge Processor instance varies depending on whether systemd is configured to manage the splunk-edge process as a service.

If you're not sure whether the instance you want to uninstall is managed by systemd, run the following command on the host machine:

sudo systemctl status splunk-edge.service

If the splunk-edge process is being managed by systemd, then the command returns status information about splunk-edge.service. Otherwise, the command returns the following error message: Unit splunk-edge.service could not be found.

Choose the uninstallation procedure that suits your needs:

When you uninstall an instance, in-flight data might get dropped. To prevent data loss, stop the flow of data in the Edge Processor before attempting to uninstall an instance from it. To do this, configure your data sources to stop sending data to the Edge Processor and remove all pipelines from it.

Uninstall an Edge Processor instance that is not managed by systemd

Use the uninstallation command provided in the Edge Processor service to uninstall an Edge Processor instance.

  1. In your cloud tenant, locate and copy the uninstallation command.
    1. On the Edge Processors page, in the row that lists your Edge Processor, select the Actions icon (Image of the Actions icon) and then select Open.
    2. In the panel that contains your Edge Processor details, select Manage instances.
    3. Select the Install/uninstall tab, and then expand the Step 1: Run commands to install/uninstall instances section.
    4. Select Uninstall to view the command for uninstalling an Edge Processor instance from a Linux machine, and then select Copy to clipboard.
  2. On the host machine of the instance that you want to uninstall, open a command-line interface in a directory of your choice and then paste and run the command.
  3. To verify that the instance was uninstalled successfully, return to your cloud tenant and select the Instances tab in the Manage instances panel. Confirm that the instance is no longer listed in the panel.
  4. Make sure that none of your data sources are configured to send data to the Edge Processor instance that you just uninstalled. Review and update these configurations as needed:
    Type of data source Configuration instructions
    Splunk forwarders In the outputs.conf file, make sure that the server property does not include the host and port information of the uninstalled instance.


    As a best practice, if you have many forwarders configured to send data to the same multi-instance Edge Processor, use a DNS record to keep your outputs.conf settings up to date. Map all the Edge Processor instance hosts to a DNS record, and then set the server property in your outputs.conf files to the IP address of that DNS record. When you add or remove instances to your Edge Processor, you only need to update the DNS record instead of updating multiple outputs.conf files. For more information about using a DNS to manage forwarder outputs, see Options for configuring receiving targets for load balancing in the Splunk Cloud Platform Forwarding Data manual.

    HTTP clients or logging agents using HTTP Event Collector (HEC) Make sure that the HTTP requests for sending data to the Edge Processor are not directed to the URI of the uninstalled instance.


    If your HTTP requests are directed to a load balancer, make sure that the load balancer is not configured to pass any requests to the uninstalled instance.

    Syslog devices Make sure that the syslog requests for sending data to the Edge Processor are not directed to the URI of the uninstalled instance.

Uninstall an Edge Processor instance managed by systemd

If the splunk-edge process of the Edge Processor instance is being managed by systemd, then you must use the following commands to uninstall the instance.

  1. On the host machine, open a command-line interface in a directory of your choice and then run the following commands, where <install_directory> is the installation directory of the Edge Processor instance:
    sudo systemctl stop splunk-edge
    sudo systemctl disable splunk-edge
    <install_directory>/bin/splunk-edge offboard
    
  2. (Optional) To remove the splunk-edge folder, run the following command:
    rm -rf <install_directory>/bin/splunk-edge
  3. To verify that the instance was uninstalled successfully, return to your cloud tenant and do the following:
    1. On the Edge Processors page, in the row that lists your Edge Processor, select the Actions icon (Image of the Actions icon) and then select Open.
    2. In the panel that contains your Edge Processor details, select Manage instances.
    3. Select the Instances tab and confirm that the instance is no longer listed.
  4. Make sure that none of your data sources are configured to send data to the Edge Processor instance that you just uninstalled. Review and update these configurations as needed:
    Type of data source Configuration instructions
    Splunk forwarders In the outputs.conf file, make sure that the server property does not include the host and port information of the uninstalled instance.


    As a best practice, if you have many forwarders configured to send data to the same multi-instance Edge Processor, use a DNS record to keep your outputs.conf settings up to date. Map all the Edge Processor instance hosts to a DNS record, and then set the server property in your outputs.conf files to the IP address of that DNS record. When you add or remove instances to your Edge Processor, you only need to update the DNS record instead of updating multiple outputs.conf files. For more information about using a DNS to manage forwarder outputs, see Options for configuring receiving targets for load balancing in the Splunk Cloud Platform Forwarding Data manual.

    HTTP clients or logging agents using HTTP Event Collector (HEC) Make sure that the HTTP requests for sending data to the Edge Processor are not directed to the URI of the uninstalled instance.


    If your HTTP requests are directed to a load balancer, make sure that the load balancer is not configured to pass any requests to the uninstalled instance.

    Syslog devices Make sure that the syslog requests for sending data to the Edge Processor are not directed to the URI of the uninstalled instance.

Delete an Edge Processor

If all the instances that are associated with an Edge Processor are uninstalled or in the Disconnected status, you can delete the Edge Processor from your tenant using the Edge Processors page.

Prerequisites

Before you can delete an Edge Processor, all the instances that are associated with it must be either uninstalled from their host machines or in the Disconnected status.

Steps

  1. Navigate to the Edge Processors page.
  2. In the row that lists the Edge Processor that you want to modify, select the Actions icon (Image of the Actions icon) and then select Delete Edge Processor.
  3. Select Delete to confirm your choice.
Last modified on 27 February, 2024
PREVIOUS
Set up an Edge Processor
  NEXT
Configure global Edge Processor settings

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters