Splunk Cloud Platform

Use Ingest Processors

Use templates to create pipelines for Ingest Processor

To help you get started on creating and using pipelines, the Ingest Processor service includes sample pipelines called templates. Templates are Splunk-built pipelines that are designed to work with specific data sources and use cases. For example, the Linux Audit template takes linux_audit logs and extracts common fields. Templates include sample data and preconfigured SPL2 statements, so you can use them as a starting point to build custom pipelines to solve specific use cases or as a reference to learn how to write SPL2 to build pipelines.

To view a list of the available pipeline templates, log in to your tenant, navigate to the Pipelines page, and then select Templates. Available templates for Ingest Processor include the following use cases and data types:

Use case Data type
  • Extract fields and filter
  • Generate metrics from logs
  • Mask IP addresses
  • Cisco ASA syslog data
  • linux_audit logs
  • linux_secure logs
  • Palo Alto Network traffic logs
  • Palo Alto Networks PAN-OS syslog data
  • Prometheus-formatted Kubernetes logs
  • Syslog data
  • systemd logs
  • Windows DHCP events
  • Windows application events
  • Windows security logs
  • UNIX and Linux process status logs

To create a pipeline using a template, complete the following steps.

Prerequisites

Before starting to create a pipeline, make sure that the destination that you want the pipeline to send data to is listed on the Destinations page of your tenant. If your destination is not listed on that page, then you must add that destination to your tenant. See Add or manage destinations for more information.

Steps

  1. Navigate to the Pipelines page, and then select New pipeline then Ingest Processor pipeline.
  2. On the Get started page, select the template that you want to use from the list of available templates, then click Next.
  3. On the Define your pipeline's partition page, do the following:
    1. Select how you want to partition your incoming data that you want to send to your pipeline. You can partition by source type, source, and host.
    2. Enter the conditions for your partition, including the operator and the value. Your pipeline will receive and process the incoming data that meets these conditions.
    3. Select Next to confirm the pipeline partition.
  4. On the Add sample data page, do the following. If your template includes sample data, skip these steps.
    1. Enter or upload sample data for generating previews that show how your pipeline processes data. The sample data must contain accurate examples of the values that you want to extract into fields. For example, the following sample events represent purchases made at a store at a particular time: E9FF471F36A91031FE5B6D6228674089, 72E0B04464AD6513F6A613AABB04E701, Credit Card, 7.7, 2023-01-13 04:41:00, 2023-01-13 04:45:00, -73.997292, 40.720982, 4532038713619608 A5D125F5550BE7822FC6EE156E37733A, 08DB3F9FCF01530D6F7E70EB88C3AE5B, Credit Card,14, 2023-01-13 04:37:00, 2023-01-13 04:47:00, -73.966843,40.756741, 4539385381557252 1E65B7E2D1297CF3B2CA87888C05FE43,F9ABCCCC4483152C248634ADE2435CF0, Game Card, 16.5, 2023-01-13 04:26:00, 2023-01-13 04:46:00, -73.956451, 40.771442
    2. Select Next to confirm the sample data that you want to use for your pipeline.
  5. On the Select a metrics destination page, select the name of the destination that you want to send metrics to.
  6. (Optional) If you selected Splunk Metrics store as your metrics destination, specify the name of the target metrics index where you want to send your metrics.
  7. On the Select a data destination page, select the name of the destination that you want to send logs to.
  8. (Optional) If you selected a Splunk platform destination, you can configure index routing:
    1. Select one of the following options in the expanded destinations panel:
      Option Description
      Default The pipeline does not route events to a specific index.


      If the event metadata already specifies an index, then the event is sent to that index. Otherwise, the event is sent to the default index of the Splunk Cloud Platform deployment.

      Specify index for events with no index The pipeline only routes events to your specified index if the event metadata did not already specify an index.
      Specify index for all events The pipeline routes all events to your specified index.
    2. If you selected Specify index for events with no index or Specify index for all events, then from the Index name drop-down list, select the name of the index that you want to send your data to.
      If your desired index is not available in the drop-down list, then confirm that the index is configured to be available to the tenant and then refresh the connection between the tenant and the Splunk Cloud Platform deployment. For detailed instructions, see Make more indexes available to the tenant.

    9. If you're sending data to a Splunk Cloud Platform deployment, be aware that the destination index is determined by a precedence order of configurations. See How does Ingest Processor know which index to send data to? for more information

  9. Select Done to confirm the data destination.
    The pipeline builder displays the pipeline that you've just created based on the selected template and configuration options. You can review the comments in the pipeline editor to learn more about what the pipeline will do to the sample data.
  10. To save your pipeline, do the following:
    1. Select Save pipeline.
    2. In the Name field, enter a name for your pipeline.
    3. (Optional) In the Description field, enter a description for your pipeline.
    4. Select Save. The pipeline is now listed on the Pipelines page, and you can now apply it, as needed.
  11. To apply this pipeline, do the following:
    1. Navigate to the Pipelines page.
    2. In the row that lists your pipeline, select the Actions icon (Image of the Actions icon), and then select Apply/Remove.
    3. Select the pipelines that you want to apply, and then select Save. It can take a few minutes to finish applying your pipeline. During this time, all applied pipelines enter the Pending status.
    4. (Optional) To confirm that the Ingest Processor has finished applying your pipeline, navigate to the Ingest Processor page and check if all affected pipelines have returned to the Healthy status.

The pipeline that you applied can now process the data it receives based on the processing instructions defined in the template.

Last modified on 10 September, 2024
Keyboard shortcuts for Ingest Processor   Getting sample data for previewing data transformations

This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406, 9.3.2408 (latest FedRAMP release), 9.3.2411

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters