Installation requirements for Edge Processors
Before installing an Edge Processor, make sure that the host that you're installing on meets the following requirements. Meeting these requirements and addressing issues arising from the host environment, including the hardware, operating system and network, is your responsibility.
This is step 1 of 6 for using an Edge Processor to process data and route it to a destination. To see an overview of all of the steps, see Quick start: Process and route data using Edge Processors.
Hardware requirements
The host machine where you want to install an Edge Processor must meet the following system requirements.
Hardware | Specifications |
---|---|
CPU | 2 vCPUs |
CPU architecture | x86 (64-bit) |
Memory | 2 GB, assuming that 1 GB from this amount is used to run the operating system. |
Disk space | 20 GB, assuming that the Edge Processor is configured to send data to 1 destination.
To prevent data loss, Edge Processors store queued data on the hard drive of the host as needed. |
To improve the performance of the Edge Processor, allocate resources beyond these minimum requirements.
Software requirements
The host machine where you want to install an Edge Processor instance cannot already have another Edge Processor instance installed on it. You must install each Edge Processor instance on a different machine.
Additionally, the system clock of the host machine must be synchronized with a Network Time Protocol (NTP) server. If the system time is incorrect, this can cause the Edge Processor installation to fail due to prematurely expired security tokens. For information about how to synchronize the system clock to an NTP server, refer to the documentation for your operating system.
Operating system support
You can only install Edge Processors on Linux servers that are on kernel version 4.9.x and higher. The following Linux distributions are supported:
- Amazon Linux 2
- Debian 10 and 11
- Red Hat Enterprise Linux (RHEL) 8.0 and higher
- SUSE Linux Enterprise 15.0 and higher
- Ubuntu 20.04 LTS and 22.04 LTS
Permissions requirements
Generally, you don't need root permissions to install and use an Edge Processor instance.
However, be aware that on Linux systems, port numbers lower than 1024 are privileged ports that require additional permissions in order to be bound. If you plan to configure your Edge Processors to use a port number lower than 1024 to listen for incoming data, then you must grant your Edge Processor instances the capability to bind to privileged ports, such as by running the instances with root permissions.
Network requirements
Configure your firewall settings and the ports on your host machines to allow your Edge Processors to communicate with data sources, data destinations, the Edge Processor cloud service, and your Splunk platform deployment.
Firewall settings
The Edge Processors in your network must be able to communicate with the following external resources:
- The Edge Processor service in the cloud
- Any Splunk Cloud Platform deployments that are used as data destinations, including the deployment that is paired with your cloud tenant
- Services that Splunk uses to monitor the health of the Edge Processor solution and detect any unexpected disruptions in the service
Splunk collects information pertaining to the operational status of each Edge Processor. This includes information such as the amount of data that is being sent through the Edge Processors, as well as logs that track any events, warnings, or errors that have occurred.
This collected data only contains information pertaining to the operational status of the Edge Processors. It does not contain any of the actual data that you are ingesting and processing through Edge Processors.
To allow your Edge Processors to communicate with these external resources, make sure that your firewall allows access to the following URLs:
External resource | URLs |
---|---|
The Edge Processor service in the cloud | Allow access to these URLs, where <tenant> is the name of your cloud tenant:
|
The Splunk Cloud Platform deployment that is paired with your cloud tenant, as well as any deployments that are used as data destinations | For each deployment, allow access to the following URL, where <deployment_name> is the name of the Splunk Cloud Platform deployment:
|
Services that Splunk uses to monitor the health of the Edge Processor solution | Allow access to these URLs:
|
localhost ports
Edge Processors use the following ports associated with localhost
or IP address 127.0.0.1 to support internal processes. Make sure that these ports are open for local loopback on the host machines where you're installing your Edge Processors.
You don't need to expose these ports to external traffic.
Port | Details |
---|---|
1777 | Edge Processors use port 1777 to send logs to the edge_diagnostic tool.
|
8888 | Edge Processors use port 8888 to send application health metrics to internal dashboards used by Splunk Support. |
Inbound ports
Edge Processors use inbound ports to listen for data from data sources. Make sure that these ports are available and that your network policy allows them to be opened to incoming external traffic.
You can choose which port numbers to use for each supported type of inbound data. For more information, see Configure shared Edge Processor settings.
By default, Edge Processors are configured to use the following inbound ports to receive data:
Port | Type of data received |
---|---|
8088 | Data that's transmitted through HTTP Event Collector (HEC) |
9997 | Data from Splunk forwarders |
Edge Processors support the ingestion of syslog data, but do not have a default inbound port configured for it. You must choose the port number for receiving syslog data. See Configure a port for receiving syslog data.
Outbound ports
Edge Processors use outbound ports to communicate with other components in your Splunk platform deployment and with external destinations. Make sure that these ports are available and that your network policy allows them to be opened to outgoing external traffic.
Port | Details |
---|---|
443 | Edge Processors use port 443 to do the following:
|
9997 | By default, Edge Processors use port 9997 to do the following:
|
If your Splunk platform deployments use ports other than 9997 to listen for incoming data, then you must configure your Edge Processors to use those ports instead and make sure that those ports are available.
- During the first-time setup process, you connect your tenant to a Splunk Cloud Platform deployment. The listening ports used by the indexers in that deployment determine which ports your Edge Processors use to send internal logs. For more information, see First-time setup instructions for the Edge Processor solution.
- To configure the port that an Edge Processor uses to send data to Splunk Enterprise or Splunk Cloud Platform, start by adding a Splunk platform destination that specifies the correct port number. Then, use that destination in a pipeline and apply the pipeline to your Edge Processor. See Send data from Edge Processors to non-connected Splunk platform deployments using S2S and Send data from Edge Processors to non-connected Splunk platform deployments using HEC for more information.
How the Edge Processor solution transforms data | Set up an Edge Processor |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!