Route internal logs from forwarders using an Edge Processor
When you configure a forwarder to send data to an Edge Processor, the forwarded data includes internal logs about how the forwarder is functioning. The Edge Processor treats these internal logs as unprocessed data, and either routes or drops the logs based on the Default destination on the Edge Processor. To prevent internal logs from being dropped or to send them to a destination other than the default destination, you can create a pipeline that routes internal logs from forwarders to a destination of your choice.
As a best practice for preventing unwanted data loss, make sure to always have a default destination for your Edge Processors. Otherwise, all unprocessed data is dropped. See Add an Edge Processor.
Typically, internal logs from forwarders are sent to internal indexes in the Splunk platform such as _internal or _introspection. For more information about internal indexes, see About managing indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
To route internal logs to their originally intended internal index in your Splunk platform deployment, configure your pipeline to use a Splunk platform S2S destination. Sending the internal logs from an Edge Processor to an indexer using the Splunk-to-Splunk (S2S) protocol allows the logs to be routed to the index specified in their metadata. For more information about how data from Edge Processors gets routed to an index, see How does an Edge Processor know which index to send data to?
Before starting to create a pipeline, make sure that the destination that you want the pipeline to send data to is listed on the Destinations page of your tenant. If your destination is not listed on that page, then you must add that destination to your tenant. See Add or manage destinations for more information.
- Navigate to the Pipelines page and then select New pipeline
- Select Blank pipeline and then select Next.
- Select Next to continue.
- Select or enter a sourcetype to define the subset of data you want this pipeline to process, and then select <Next.
- Select the name of the destination that you want to send data to, and then select Done.
- In the pipeline editor, replace
all_data_ready, and then add a
wherecommand that filters for data that has the
indexfield set to the name of an internal index. The resulting SPL2 statement for your pipeline should look like this:
$pipeline = | from all_data_ready | where match(index, /^_.*/) | into $destination;
- To save your pipeline, do the following:
- Select Save pipeline.
- In the Name field, enter a name for your pipeline.
- (Optional) In the Description field, enter a description for your pipeline.
- Select Save.
- To apply this pipeline to an Edge Processor, do the following:
- Navigate to the Pipelines page.
- In the row that lists your pipeline, select the Actions icon () and then select Apply/Remove.
- Select the Edge Processors that you want to apply the pipeline to, and then select Save.
You can only apply pipelines to Edge Processors that are in the Healthy status.
If you want to route the internal logs to their originally intended internal index in your Splunk platform deployment, then you must select a Splunk platform S2S destination. Sending the internal logs from an Edge Processor to an indexer using the S2S protocol allows the logs to be routed to the index specified in their metadata. To filter for Splunk platform S2S destinations, open the All kinds drop-down list and select Splunk platform S2S. For more information about how the destination index is determined, see How does an Edge Processor know which index to send data to?
It can take a few minutes for the Edge Processor service to finish applying your pipeline to an Edge Processor. During this time, all Edge Processors that the pipeline is applied to enter the Pending status. To confirm that the process completed successfully, do the following:
- Navigate to the Edge Processors page. Then, verify that the Instance health column for the affected Edge Processors shows that all instances are back in the Healthy status.
- Navigate to the Pipelines page. Then, verify that the Applied column for the pipeline contains a The pipeline is applied icon ().
You might need to refresh your browser to see the latest updates.
The Edge Processor that you applied the pipeline to can now send internal logs from forwarders to the destination specified in the pipeline.
Edit or delete pipelines for Edge Processors
Filter and mask data using an Edge Processor
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209, 9.0.2303, 9.0.2305 (latest FedRAMP release)