Splunk Cloud Platform

Release Notes

The Ingest Processor solution

This page contains information about new features, known issues, and resolved issues for the Ingest Processor solution, grouped by release date. The Ingest Processor solution is a service within Splunk Cloud Platform designed to help you manage your data processing configurations and monitor your ingest traffic through a centralized Splunk Cloud service. Use the Ingest Processor solution to filter, mask, and transform your data before routing the processed data to external environments. For more information, see The Ingest Processor solution.

The release date indicates when updates to the Ingest Processor solution were made available to Splunk Cloud Platform customers. For more information, contact your Splunk account representative.

New features, enhancements, and fixed issues

Splunk Inc. releases frequent updates to the Ingest Processor solution. This list is periodically updated with the latest functionality and changes to the product.

July 17, 2024

The Ingest Processor solution now includes the following new features or enhancements.

New feature or enhancement | Description
Ingest Processor General Availability | The Ingest Processor solution is now publicly available to all Splunk Cloud Platform users. See Get started with the Ingest Processor solution.
Support for Premier and Essentials tier subscriptions | The Ingest Processor Essentials tier is included with a Splunk Cloud Platform subscription, and accommodates a maximum Daily Processing Volume of 500 GB/day.


The Premier tier is a priced SKU for Daily Processing Volumes over 500 GB/day. For more information, contact your Splunk Sales representative.

For more information about licensing in Splunk Cloud Platform, see the Use the License Usage dashboards topic in the Splunk Cloud Platform Admin Manual.
For more information about Splunk Cloud Platform subscriptions, see the Subscription types section of the Splunk Cloud Platform Service Details topic in the Splunk Cloud Platform manual.

Cloud region availability | Ingest Processor is available in the following cloud regions:
  • us-east-1
  • us-west-2
  • ap-northeast-1
  • ap-southeast-1
  • ap-southeast-2
  • ca-central-1
  • eu-central-1
  • eu-west-1
  • eu-west-2

May 14, 2024

The Ingest Processor solution now includes the following new features or enhancements.

New feature or enhancement | Description
Support for the branch SPL2 command | You can now use the branch command to process and route copies of the incoming data in different ways.


See Routing data in the same Ingest Processor pipeline to different actions and destinations for more information.

April 15, 2024

The Ingest Processor solution now includes the following new features or enhancements.

New feature or enhancement | Description
Cloud region availability | Ingest Processor is now available in the following cloud regions:
  • ap-southeast-2
  • eu-central-1
  • eu-west-1

See Get started with the Ingest Processor solution.

April 4, 2024

The Ingest Processor solution now includes the following new features or enhancements.

New feature or enhancement | Description
Support for the mvappend and mvdedup SPL2 functions | You can now use the following evaluation functions in pipelines for the Ingest Processor:
  • mvappend
  • mvdedup

See SPL2 evaluation functions for Ingest Processor pipelines for more information.

March 26, 2024

The Ingest Processor solution now includes the following new features or enhancements.

New feature or enhancement | Description
Updated workflow for configuring hashing functions | You can now use the Compute hash of action in the pipeline builder to add and configure hashing functions in your pipelines.


See Hash fields using Ingest Processor for more information.

February 20, 2024

This is the first publicly available preview of the Ingest Processor solution. The following functionalities are available within this public preview to capture feedback from early adopters of Ingest Processor:

Known issues

The Ingest Processor solution is subject to the following limitations.

Browsers

Multiple browser sessions are not supported since it is possible for users to try to edit the same pipeline in more than one browser session and make conflicting edits.

Ingest Processors

The following limitations exist for Ingest Processors:

  • Ingest Processors provide no data delivery guarantees. Data loss can occur if an Ingest Processor experiences high back pressure on connections to destinations, or when a data destination has a prolonged outage.

  • Only Splunk Cloud tenant administrators can create and view Ingest Processor pipelines.

Forwarders

The following limitations exist for forwarders:

  • The useACK property in outputs.conf must be disabled in forwarders that are sending data to Ingest Processor pipelines.

HTTP Event Collector (HEC)

When you receive data through HEC, the Enable indexer acknowledgment setting on the HEC token must be turned off.

Lookups

CIDR matching is not supported. When configuring your lookup definition, make sure that the Match type advanced option is not set to CIDR.

Metrics

Historical metrics presented in the detailed view of an Ingest Processor pipeline do not include metrics for deleted pipelines.

Pipelines

The following limitations exist for pipelines:

  • Only tenant administrators can create, edit, delete, apply, or remove pipelines.
  • Some SPL2 functions work differently in Ingest Processor pipelines than they do in searches. For example, regular expressions in functions are interpreted differently because Ingest Processor pipelines support Regular Expression 2 (RE2) syntax while Splunk searches support Perl Compatible Regular Expressions (PCRE) syntax. See Ingest Processor pipeline syntax for more information.
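
The RE2-versus-PCRE difference matters most for masking and filtering rules carried over from search-time configurations: a pattern that relies on a PCRE-only construct does not parse under RE2. The following pre-check is an added example, not Splunk code. It assumes Go's regexp package (which accepts RE2 syntax) is a close enough stand-in for the pipeline parser, and the rule names and patterns are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"regexp/syntax"
)

// Rule is one masking or filtering pattern taken from a search-time config.
type Rule struct{ Name, Pattern string }

// Finding reports whether a rule's pattern parses under RE2 syntax.
type Finding struct {
	Rule
	OK   bool
	Code string // parser error class, empty when OK
	Expr string // offending fragment, empty when OK
}

// CheckRE2 compiles every pattern with Go's regexp package (RE2 syntax) and
// records the construct that made a pattern unusable.
func CheckRE2(rules []Rule) []Finding {
	out := make([]Finding, 0, len(rules))
	for _, r := range rules {
		f := Finding{Rule: r, OK: true}
		if _, err := regexp.Compile(r.Pattern); err != nil {
			f.OK = false
			var se *syntax.Error
			if errors.As(err, &se) {
				f.Code, f.Expr = string(se.Code), se.Expr
			}
		}
		out = append(out, f)
	}
	return out
}

// SampleRules is constructed input: two portable patterns, two PCRE-only ones.
var SampleRules = []Rule{
	{"ssn", `\b\d{3}-\d{2}-\d{4}\b`},
	{"password_kv", `(password=)\S+`},
	{"card_keep_last4", `\d{12}(?=\d{4})`}, // lookahead: PCRE only
	{"repeated_token", `\b(\w+)\s+\1\b`},   // backreference: PCRE only
}

func main() {
	for _, f := range CheckRE2(SampleRules) {
		fmt.Printf("%-16s ok=%-5v %s %s\n", f.Name, f.OK, f.Code, f.Expr)
	}
}
```

Rules flagged here need rewriting with capture groups and replacement text instead of lookarounds or backreferences before they are used in a pipeline.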

Splunk Cloud Experience tenants

When you go through the first-time setup process for the Ingest Processor solution, you create a connection between your Splunk Cloud Experience tenant and your Splunk Cloud Platform deployment. This connection enables the tenant to surface specific indexes from that deployment as pipeline destinations.

The following limitations exist for this initial connection between your Splunk Cloud Experience tenant and your Splunk Cloud Platform deployment:

  • You cannot connect your tenant to more than one Splunk Cloud Platform deployment using this method. To send data from a pipeline to an index that belongs to a different Splunk Cloud Platform deployment, you must configure a destination that corresponds to the indexer tier of that deployment and then include an eval expression that specifies the target index in your pipeline.
  • If you create additional indexes in your Splunk Cloud Platform deployment after completing the first-time setup process, you must refresh the connection in order to make those indexes available in the tenant.
Last modified on 17 July, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403

