Verify your Edge Processor and pipeline configurations
Your Edge Processor starts processing and routing your data after you've completed the following steps:
- Set up an Edge Processor.
- Configure event breaking for your data. You can skip this step if the source type of the data that you want to process is already configured with the appropriate event-breaking definitions in the Edge Processor service.
- Add a destination to route your data. You can skip this step if you want to route data to the Splunk Cloud Platform deployment connected to the tenant.
- Create and apply at least one pipeline to the Edge Processor.
- Configure at least one data source to send data to the Edge Processor. See Get data from a forwarder into an Edge Processor or Get data into an Edge Processor using HTTP Event Collector.
After you complete these steps, the Edge Processor processes data and sends it to a destination based on the data processing instructions defined in the applied pipelines.
To confirm that data is actually flowing through your Edge Processor, you can view the inbound and outbound data metrics of the Edge Processor. As an additional confirmation step, you can verify your data at its destination. For example, you can search an index to confirm that your data is reaching that index as expected. See the sections that follow for more detailed guidance on verifying that your Edge Processor is working as expected.
View the inbound and outbound data metrics of an Edge Processor
In the Edge Processor service, you can open a detailed view of your Edge Processor that displays information such as the amount of data that your Edge Processor is receiving and sending out to destinations.
- Navigate to the Edge Processors page.
- In the row that lists your Edge Processor, select the Actions icon and then select Open.
- View the Inbound data and Outbound data values to confirm that data is flowing through your Edge Processor.
If the data flow metrics do not match what you expect, then verify your configurations. See Confirming and troubleshooting your configurations.
Search for your data in the destination index
Use Splunk Cloud Platform to search for the data that you sent through your Edge Processor.
- Log in to the Splunk platform deployment that you configured your Edge Processor to send data to.
- From the Apps panel in Splunk Web, select Search & Reporting.
- Search the destination index to confirm that it contains the expected events. For example, if you configured your Edge Processor to send data to an index named my_index, then use the following search criteria to find your data: index="my_index"
If your processed data is not showing up at its destination as expected, then verify your configurations. See Confirming and troubleshooting your configurations.
Confirming and troubleshooting your configurations
If you encounter unexpected results or behavior while using the Edge Processor solution, make sure that your data source, source type, Edge Processor, pipeline, and destination are configured correctly. Specifically, verify the following:
- If you're working with data from a Splunk forwarder, make sure that the forwarder is configured to send data to the Edge Processor. Additionally, make sure that the forwarder doesn't use any advanced routing or filtering configurations that would prevent data from being sent to the Edge Processor. See the troubleshooting guidance for An Edge Processor is not receiving data from a forwarder for more information.
- If you're working with data that is transmitted through HTTP Event Collector (HEC), make sure that the HTTP requests for sending the data are formatted correctly. See Send data to an Edge Processor using HEC for more information.
- The source type of the data that you want to process is listed on the Source types page in the Edge Processor service, and this source type is configured with the appropriate event-breaking definitions.
When a source type configuration is opened for editing, you can generate a preview that confirms how that configuration breaks and merges the inbound data stream into events. See Getting sample data for previewing data transformations and Add a source type for more information.
- Your Edge Processor has at least one instance that is in the Healthy status. See Troubleshoot the Edge Processor solution for information about fixing instances that are in other statuses.
- Your pipeline is configured correctly. Make sure that your pipeline isn't filtering out data that you want to keep.
When your pipeline is opened for editing, you can generate a preview for each destination to confirm how your pipeline processes data. See Getting sample data for previewing data transformations and Create pipelines for Edge Processors for more information.
- The destination used by your pipeline is configured with the correct connection settings and credentials.
- If you're sending data from an Edge Processor to the Splunk platform through HEC, make sure that your HEC token and index configurations are not being overridden by a configuration that's higher in the precedence order. See Precedence order of HEC tokens and metadata field values for more information.
If the problems persist, do the following:
- Review the logs for your Edge Processor and the associated supervisor to identify the cause of the problem. See View logs for the Edge Processor solution.
- Review the troubleshooting documentation for potential solutions or workarounds. See Troubleshoot the Edge Processor solution.
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406