Splunk Cloud Platform

Use Edge Processors

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Route internal logs from forwarders using an Edge Processor

When you configure a forwarder to send data to an Edge Processor, the forwarded data includes internal logs about how the forwarder is functioning. The Edge Processor treats these internal logs as unprocessed data, and either routes or drops the logs based on the Default destination on the Edge Processor. To prevent internal logs from being dropped or to send them to a destination other than the default destination, you can create a pipeline that routes internal logs from forwarders to a destination of your choice.

As a best practice for preventing unwanted data loss, make sure to always have a default destination for your Edge Processors. Otherwise, all unprocessed data is dropped. See Add an Edge Processor.

Typically, internal logs from forwarders are sent to internal indexes in the Splunk platform such as _internal or _introspection. For more information about internal indexes, see About managing indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

To route internal logs to their originally intended internal index in your Splunk platform deployment, configure your pipeline to use a Splunk platform S2S destination. Sending the internal logs from an Edge Processor to an indexer using the Splunk-to-Splunk (S2S) protocol allows the logs to be routed to the index specified in their metadata. For more information about how data from Edge Processors gets routed to an index, see How does an Edge Processor know which index to send data to?

Prerequisites

Before starting to create a pipeline, make sure that the destination that you want the pipeline to send data to is listed on the Destinations page of your tenant. If your destination is not listed on that page, then you must add that destination to your tenant. See Add or manage destinations for more information.

Steps

  1. Navigate to the Pipelines page and then select New pipeline
  2. Select Blank pipeline and then select Next.
  3. Select Next to continue.
  4. Select or enter a sourcetype to define the subset of data you want this pipeline to process, and then select <Next.
  5. Select the name of the destination that you want to send data to, and then select Done.


    6. If you want to route the internal logs to their originally intended internal index in your Splunk platform deployment, then you must select a Splunk platform S2S destination. Sending the internal logs from an Edge Processor to an indexer using the S2S protocol allows the logs to be routed to the index specified in their metadata. To filter for Splunk platform S2S destinations, open the All kinds drop-down list and select Splunk platform S2S. For more information about how the destination index is determined, see How does an Edge Processor know which index to send data to?


  6. In the pipeline editor, replace $source with all_data_ready, and then add a where command that filters for data that has the index field set to the name of an internal index. The resulting SPL2 statement for your pipeline should look like this: 
    $pipeline = | from all_data_ready | where match(index, /^_.*/) | into $destination;
  7. To save your pipeline, do the following:
    1. Select Save pipeline.
    2. In the Name field, enter a name for your pipeline.
    3. (Optional) In the Description field, enter a description for your pipeline.
    4. Select Save.
    The pipeline is now listed on the Pipelines page, and you can now apply it to Edge Processors as needed.
  8. To apply this pipeline to an Edge Processor, do the following:
    1. Navigate to the Pipelines page.
    2. In the row that lists your pipeline, select the Actions icon (Image of the Actions icon) and then select Apply/Remove.
    3. Select the Edge Processors that you want to apply the pipeline to, and then select Save.

    You can only apply pipelines to Edge Processors that are in the Healthy status.

    9. It can take a few minutes for the Edge Processor service to finish applying your pipeline to an Edge Processor. During this time, all Edge Processors that the pipeline is applied to enter the Pending status. To confirm that the process completed successfully, do the following:

    • Navigate to the Edge Processors page. Then, verify that the Instance health column for the affected Edge Processors shows that all instances are back in the Healthy status.
    • Navigate to the Pipelines page. Then, verify that the Applied column for the pipeline contains a The pipeline is applied icon (Image of the "applied pipeline" icon).

    You might need to refresh your browser to see the latest updates.


The Edge Processor that you applied the pipeline to can now send internal logs from forwarders to the destination specified in the pipeline.

Last modified on 23 August, 2023
PREVIOUS
Edit or delete pipelines for Edge Processors 		  NEXT
Filter and mask data using an Edge Processor

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209, 9.0.2303, 9.0.2305 (latest FedRAMP release)

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters