The Edge Processor service supports several configuration settings that apply to all Edge Processors that are part of the same cloud tenant. These settings determine behavior such as which port your Edge Processors use to listen for incoming data, and the amount of computing resources that an Edge Processor can use before warnings are raised.
Your updated settings are applied to all current Edge Processors after you select Save. Additionally, your updated settings are used by default for any new Edge Processors that you set up afterwards.
Port limitations
On Linux machines, ports with numbers lower than 1024 are restricted ports that cannot be used without root permissions. When specifying the ports that your Edge Processors use to listen for incoming data, make sure to use port number 1024 or higher.
If you want to use a port number lower than 1024, then you must grant your Edge Processors the ability to bind to privileged ports, such as by setting up your Edge Processors to run with root permissions. If you already have Edge Processor instances running without root permissions, then you can either reinstall them with root permissions or use the iptables utility to route the data from the privileged port to a non-privileged port.
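The iptables option above, as an added example that is not taken from the Splunk documentation: the function prints NAT redirect rules so that the Edge Processor keeps running without root while data sources still send to the privileged port. Ports 514 and 1514 in the usage comment are sample values.

```sh
#!/bin/sh
# Added example: print iptables NAT rules that forward a privileged port
# to the non-privileged port an Edge Processor listens on.
# Sample usage (constructed values): redirect_rules udp 514 1514

# valid_port N -> succeeds if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rules PROTO FROM_PORT TO_PORT
# Prints the commands instead of running them so they can be reviewed first.
redirect_rules() {
    proto=$1 from=$2 to=$3
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp" >&2; return 2 ;;
    esac
    valid_port "$from" && valid_port "$to" || { echo "invalid port" >&2; return 2; }
    # The source must be privileged and the target must not be; otherwise
    # the redirect does not address the limitation described above.
    [ "$from" -lt 1024 ] || { echo "source port $from is not privileged" >&2; return 2; }
    [ "$to" -ge 1024 ] || { echo "target port $to still needs root to bind" >&2; return 2; }
    # PREROUTING handles traffic arriving from other hosts.
    echo "iptables -t nat -A PREROUTING -p $proto --dport $from -j REDIRECT --to-ports $to"
    # OUTPUT handles senders on the same machine (loopback traffic).
    echo "iptables -t nat -A OUTPUT -o lo -p $proto --dport $from -j REDIRECT --to-ports $to"
}
```

Review the printed commands and run them as root, with the target port matching the port configured in the shared settings. Rules added this way are lost at reboot unless you save them with your distribution's persistence mechanism.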
For more information, see these pages:
- Uninstall an Edge Processor instance
- Install an Edge Processor instance
- An Edge Processor instance crashes after you configure port settings in the troubleshooting documentation
Steps
- Select Edge Processors, then select Shared settings.
- To specify the amount of computing resources that an Edge Processor can use before it enters a Warning state due to high resource usage, do the following:
  - Select the Other settings tab, then select Edit.
  - Configure the following settings:

    | Field | Description |
    | --- | --- |
    | CPU threshold | The percentage of the total allocated CPU processing power that an Edge Processor can use before a warning is raised |
    | Memory threshold | The percentage of the total allocated memory that an Edge Processor can use before a warning is raised |

  - Select Save. For other shared settings, select the Receiver settings tab.
- To specify how Edge Processors receive data from universal and heavy forwarders, do the following:
  - In the Splunk forwarders section, select Edit.
  - Configure the following:

    | Field | Description |
    | --- | --- |
    | Port | The number of the TCP port used to receive data from forwarders |
    | Maximum channels | The number of channels an Edge Processor can use to receive data from forwarders |

  - Select Save.
- To specify the port that Edge Processors use to receive data from HTTP clients and logging agents through HTTP Event Collector (HEC), in the HTTP Event Collector section, do the following:
  - In the Port settings area, select Edit.
  - Enter your desired port number in the Port field and then select Save.
- To secure the HEC receiver in your Edge Processors by requiring incoming HTTP requests to be authenticated using a HEC token, do the following:
  - In the Token authentication section, select New token.
  - In the Add HEC token section, enter your token value in the Token value field.
  - (Optional) In the Source field, enter a source value that you want to assign to the data that is received through this HEC token.
  - (Optional) In the Source type field, enter a sourcetype value that you want to assign to the data that is received through this HEC token.
  - Select Add.

  When token authentication is turned on, data sources can only send data to the Edge Processor through HEC if the HTTP request includes a matching HEC token. The token authentication feature is activated when at least one HEC token is added. If you want to deactivate the token authentication feature, you must delete all added tokens. See the following for more information:
  - Get data into an Edge Processor using HTTP Event Collector
  - Precedence order of HEC tokens and metadata field values
  - How the Splunk platform uses HTTP Event Collector tokens to get data in in the Splunk Enterprise Getting Data In manual
- To specify the port that Edge Processors use to receive data from syslog data sources, do the following:
  - In the Syslog section, select New Port.
  - Configure the following:

    | Field | Description |
    | --- | --- |
    | Port | The number of the TCP or UDP port used to receive data from forwarders |
    | Source type | The metadata assigned to incoming syslog data to allow pipeline processing |
    | RFC protocol | The standard that defines the format of your syslog data |

  - Select Save.
- (Optional) If your syslog data uses the RFC 3164 protocol and does not have a time zone assigned to it, you can configure your Edge Processor to assign it to a different time zone. To configure the time zone of your syslog data in the Edge Processor, do the following:
  - In the Time zone for syslog data section, select Edit.
  - Select your desired time zone assignment.
  - Select Save.
- If you changed any of the Port settings, make sure to update the configurations of your data sources to account for the updated port number. Review and update these configurations as needed:

  | Type of data source | Configuration instructions |
  | --- | --- |
  | Splunk forwarders | In the outputs.conf file, make sure that the server property specifies the correct port number. |
  | HTTP clients or logging agents using HTTP Event Collector (HEC) | Make sure that the HTTP requests for sending data to the Edge Processor are directed to the correct port number. If your HTTP requests are directed to a load balancer, make sure that the load balancer is configured to pass the requests to the correct port number. |
  | Syslog devices | Make sure that the syslog requests for sending data to the Edge Processor are directed to the correct port number. |
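A post-change check for the HEC token authentication behavior described in the steps above, added here as an example and not taken from the Splunk documentation: it sends one test event with a token and one without, then reports whether only the authenticated request was accepted. The `/services/collector` path, the sample URL in the comment, and the use of TLS are assumptions about your deployment.

```sh
#!/bin/sh
# Added example: confirm that the HEC receiver accepts a request only when
# it carries a matching token. Each call sends one small test event.
# Sample usage (constructed values):
#   check_hec https://edge.example.com:8088/services/collector "$HEC_TOKEN"

# hec_status URL [TOKEN] -> prints the HTTP status code (000 if no connection).
# The header is fed to curl on stdin (-K -) so the token never appears in
# the process list.
hec_status() {
    url=$1 token=${2-}
    {
        [ -z "$token" ] || printf 'header = "Authorization: Splunk %s"\n' "$token"
    } | curl -s -o /dev/null -w '%{http_code}' --max-time 5 -K - \
            -d '{"event": "hec token check"}' "$url"
}

# verdict WITH_TOKEN_STATUS NO_TOKEN_STATUS -> one-word assessment
verdict() {
    case "$1:$2" in
        000:*|*:000) echo unreachable ;;    # wrong port, TLS, or firewall
        2??:2??)     echo open ;;           # unauthenticated request accepted
        2??:*)       echo enforced ;;       # only the token request accepted
        *)           echo token-rejected ;; # token does not match any added token
    esac
}

# check_hec URL TOKEN -> runs both probes and prints the verdict
check_hec() {
    with=$(hec_status "$1" "$2") || true
    without=$(hec_status "$1") || true
    verdict "$with" "$without"
}
```

A result of `open` after you add a token means requests without a token are still being accepted, so check that the token was saved and that the request reaches the Edge Processor port rather than another listener.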
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408