Splunk Cloud Platform

Use Edge Processors

Installation requirements for Edge Processors

Before installing an Edge Processor, make sure that the host that you're installing on meets the following requirements. Meeting these requirements and addressing issues arising from the host environment, including the hardware, operating system and network, is your responsibility.

This is step 1 of 6 for using an Edge Processor to process data and route it to a destination. To see an overview of all of the steps, see Quick start: Process and route data using Edge Processors.

This diagram shows an overview of the steps required to set up and use an Edge Processor.

Hardware requirements

The host machine where you want to install an Edge Processor must meet the following system requirements.

Hardware Specifications
CPU 2 vCPUs
CPU architecture x86 (64-bit)
Memory 2 GB, assuming that 1 GB from this amount is used to run the operating system.
Disk space 20 GB, assuming that the Edge Processor is configured to send data to 1 destination.


If the Edge Processor is configured to send data to multiple destinations, allocate an additional 5 GB of disk space per destination.

To prevent data loss, Edge Processors store queued data on the hard drive of the host as needed.

To improve the performance of the Edge Processor, allocate resources beyond these minimum requirements.

Software requirements

The host machine where you want to install an Edge Processor instance cannot already have another Edge Processor instance installed on it. You must install each Edge Processor instance on a different machine.

Additionally, the system clock of the host machine must be synchronized with a Network Time Protocol (NTP) server. If the system time is incorrect, this can cause the Edge Processor installation to fail due to prematurely expired security tokens. For information about how to synchronize the system clock to an NTP server, refer to the documentation for your operating system.

Operating system support

You can only install Edge Processors on Linux servers that are on kernel version 4.9.x and higher. The following Linux distributions are supported:

  • Amazon Linux 2
  • Debian 10 and 11
  • Red Hat Enterprise Linux (RHEL) 8.0 and higher
  • SUSE Linux Enterprise 15.0 and higher
  • Ubuntu 20.04 LTS and 22.04 LTS

Permissions requirements

Generally, you don't need root permissions to install and use an Edge Processor instance.

However, be aware that on Linux systems, port numbers lower than 1024 are privileged ports that require additional permissions in order to be bound. If you plan to configure your Edge Processors to use a port number lower than 1024 to listen for incoming data, then you must grant your Edge Processor instances the capability to bind to privileged ports, such as by running the instances with root permissions.

Network requirements

Configure your firewall settings and the ports on your host machines to allow your Edge Processors to communicate with data sources, data destinations, the Edge Processor cloud service, and your Splunk platform deployment.

Firewall settings

The Edge Processors in your network must be able to communicate with the following external resources:

  • The Edge Processor service in the cloud
  • Any Splunk Cloud Platform deployments that are used as data destinations, including the deployment that is paired with your cloud tenant
  • Services that Splunk uses to monitor the health of the Edge Processor solution and detect any unexpected disruptions in the service

Splunk collects information pertaining to the operational status of each Edge Processor. This includes information such as the amount of data that is being sent through the Edge Processors, as well as logs that track any events, warnings, or errors that have occurred.

This collected data only contains information pertaining to the operational status of the Edge Processors. It does not contain any of the actual data that you are ingesting and processing through Edge Processors.

To allow your Edge Processors to communicate with these external resources, make sure that your firewall allows access to the following URLs:

External resource URLs
The Edge Processor service in the cloud Allow access to these URLs, where <tenant> is the name of your cloud tenant:
  • https://<tenant>.api.scs.splunk.com
  • https://<tenant>.auth.scs.splunk.com
  • https://auth.scs.splunk.com
  • https://beam.scs.splunk.com
The Splunk Cloud Platform deployment that is paired with your cloud tenant, as well as any deployments that are used as data destinations For each deployment, allow access to the following URL, where <deployment_name> is the name of the Splunk Cloud Platform deployment:


*.<deployment_name>.splunkcloud.com

Services that Splunk uses to monitor the health of the Edge Processor solution Allow access to these URLs:
  • https://dataeng-data-cmp-prod.s3.us-east-1.amazonaws.com
  • https://http-inputs-products-telemetry.splunkcloud.com
  • https://telemetry-splkmobile.dataeng.splunk.com

localhost ports

Edge Processors use the following ports associated with localhost or IP address 127.0.0.1 to support internal processes. Make sure that these ports are open for local loopback on the host machines where you're installing your Edge Processors.

You don't need to expose these ports to external traffic.

Port Details
1777 Edge Processors use port 1777 to send logs to the edge_diagnostic tool.


You can run the edge_diagnostic tool manually and locally on the host machine of the Edge Processor. The tool compiles information from Edge Processor logs, but does not expose any information externally. For more information, see Generate a diagnostic report for an Edge Processor instance.

8888 Edge Processors use port 8888 to send application health metrics to internal dashboards used by Splunk Support.

Inbound ports

Edge Processors use inbound ports to listen for data from data sources. Make sure that these ports are available and that your network policy allows them to be opened to incoming external traffic.

You can choose which port numbers to use for each supported type of inbound data. For more information, see Configure shared Edge Processor settings.

By default, Edge Processors are configured to use the following inbound ports to receive data:

Port Type of data received
8088 Data that's transmitted through HTTP Event Collector (HEC)
9997 Data from Splunk forwarders

Edge Processors support the ingestion of syslog data, but do not have a default inbound port configured for it. You must choose the port number for receiving syslog data. See Configure a port for receiving syslog data.

Outbound ports

Edge Processors use outbound ports to communicate with other components in your Splunk platform deployment and with external destinations. Make sure that these ports are available and that your network policy allows them to be opened to outgoing external traffic.

Port Details
443 Edge Processors use port 443 to do the following:
  • Connect instances to the Edge Processor service managed by Splunk.
  • Send data to Amazon S3.
9997 By default, Edge Processors use port 9997 to do the following:
  • Send internal logs to the Splunk Cloud Platform deployment that's connected to the tenant.
  • Send data to Splunk Enterprise and Splunk Cloud Platform.

If your Splunk platform deployments use ports other than 9997 to listen for incoming data, then you must configure your Edge Processors to use those ports instead and make sure that those ports are available.

Last modified on 12 December, 2024
How the Edge Processor solution transforms data   Set up an Edge Processor

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters