Send data from Edge Processors to the Splunk Cloud Platform deployment connected to your tenant
As part of the first-time setup process for the Edge Processor solution, you created a connection between your cloud tenant and your Splunk Cloud Platform deployment. You can use this connection to send data from Edge Processors to the connected Splunk Cloud Platform deployment. To do this, you must create a pipeline that uses a destination that is associated with this connection, and then apply the pipeline to an Edge Processor. If you want to send data to an index that was created after the Splunk Cloud Platform deployment was connected to the tenant, then you might need to refresh the connection before that index becomes available as a destination.
The specific index that the data from an Edge Processor gets routed to is determined by a precedence order of configurations. For more information, see Index precedence order when using S2S.
You can also send data from an Edge Processor to a Splunk platform deployment that is not connected to your tenant. For more information, see Sending data from Edge Processors to Splunk Cloud Platform or Splunk Enterprise.
Prerequisites
Make sure that your Splunk Cloud Platform deployment is connected to your cloud tenant, and that the indexers and indexes from that deployment are available to your tenant.
To verify if this connection has been configured correctly, navigate to the Destinations page and select the Splunk tab. Then, confirm the following:
- Indexers from your Splunk Cloud Platform deployment are available as Splunk platform S2S destinations that have the Tenant paired property. To verify whether a destination has this property, select the destination to open a side panel with configuration details, and then check if the Kind field in the panel includes the Tenant paired tag.
- Indexes from your Splunk Cloud Platform deployment are available to the tenant. To verify this, first select the Splunk platform S2S destination corresponding to your deployment. Then, in the side panel that contains destination details, select View indexes.
If you do not see any destinations that have these characteristics, make sure that you have completed the setup process described in First-time setup instructions for the Edge Processor solution.
If an index that you expect to see is not appearing on the View indexes list, confirm that the index is configured to be available to the tenant and then refresh the connection between the tenant and the Splunk Cloud Platform deployment. For detailed instructions, see the Make more indexes available to the tenant section that follows.
Make more indexes available to the tenant
If any indexes that you want to send data to are not listed on the View indexes list, then complete the following steps to make those indexes available. Otherwise, skip these steps and proceed to Create a pipeline that sends data to the connected Splunk Cloud Platform deployment.
- In your Splunk Cloud Platform deployment, update the role of the service account so that the account can access your indexes:
  - Log in using your admin credentials.
  - In the Settings menu, in the Users and authentication section, select Roles.
  - In the row that lists the role used by your service account, select Edit > Edit.
    The role and service account were created during the initial setup of the Edge Processor solution. See First-time setup instructions for the Edge Processor solution for more information.
  - On the 3. Indexes tab, select the Included check box for all the indexes that you want to make available.
  - Select Save.
- In your cloud tenant, refresh the connection to your Splunk Cloud Platform deployment:
The indexes that you added become available on the View indexes list, and you can now send processed data from Edge Processors to these indexes.
Create a pipeline that sends data to the connected Splunk Cloud Platform deployment
- Navigate to the Pipelines page and then select New pipeline.
- Select Blank pipeline and then select Next.
- Specify a subset of the data received by the Edge Processor for this pipeline to process. To do this, you must define a partition by completing these steps:
  - Select the plus icon next to Partition or select the option that matches how you would like to create your partition in the Suggestions section.
  - Select host, source, or sourcetype in the Field field.
  - Select an operator in the Operator field.
  - Enter the value that your partition should filter by to create the subset in the Value field. Then select Apply. You can create multiple conditions for a partition in a pipeline by selecting the plus icon.
  - Once you have defined your partition, select Next.
- (Optional) Enter or upload sample data for generating previews that show how your pipeline processes data.
The sample data must be in the same format as the actual data that you want to process. See Getting sample data for previewing data transformations for more information.
- Select Next to confirm your sample data or to go to the next step.
- Select the name of the destination that you want to send data to.
- (Optional) Configure index routing:
  - Select one of the following options in the expanded destinations panel:

    | Option | Description |
    | --- | --- |
    | Default | The pipeline does not route events to a specific index. If the event metadata already specifies an index, then the event is sent to that index. Otherwise, the event is sent to the default index of the Splunk platform deployment. |
    | Specify index for events with no index | The pipeline only routes events to your specified index if the event metadata did not already specify an index. |
    | Specify index for all events | The pipeline routes all events to your specified index. |

  - If you selected Specify index for events with no index or Specify index for all events, then in the Index name field, select or enter the name of the index that you want to send your data to.
    Be aware that the destination index is determined by a precedence order of configurations. See How does an Edge Processor know which index to send data to? for more information.
- Select Done to confirm the data destination.
After you complete the on-screen instructions, the pipeline builder displays the SPL2 statement for your pipeline.
- Continue modifying the pipeline to fit your specific use case. You can add processing commands to your pipeline by selecting the plus icon next to Actions and selecting a data processing action, or by typing SPL2 commands and functions directly in the editor. For instructions on creating pipelines for specific use cases, see the following:
- Route internal logs from forwarders using an Edge Processor
- Filter and mask data using an Edge Processor
- Hash fields using an Edge Processor
- Routing data in the same Edge Processor pipeline to different actions and destinations
- Enrich data with lookups using an Edge Processor
- Extract fields from event data using an Edge Processor
- Extract timestamps from event data using an Edge Processor
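As an added illustration (not taken from the original documentation and not output copied from the pipeline builder), the following SPL2 sketches a pipeline that combines a sourcetype partition with the Specify index for events with no index option. The sourcetype value `cisco:asa` and the index name `network_fw` are constructed, and the exact statement that the pipeline builder generates for your selections may differ.

```spl2
// Added example. The values cisco:asa and network_fw are constructed.
//
// Partition: the where clause limits the pipeline to events whose
// sourcetype is cisco:asa.
//
// Index routing, Specify index for events with no index: the eval keeps
// an index that the event metadata already specifies and sets network_fw
// only when no index is present.
//
// Index routing, Specify index for all events: the eval would instead be
//     eval index = "network_fw"
// which overwrites the index on every event.
//
// Index routing, Default: no eval on index is needed. The event goes to
// the index in its metadata, or to the default index of the deployment.

$pipeline = | from $source
    | where sourcetype == "cisco:asa"
    | eval index = if(isnull(index), "network_fw", index)
    | into $destination;
```

The index that you name must be one that the service account role includes, as described in the Make more indexes available to the tenant section.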
When you are done modifying the pipeline, save and apply it to an Edge Processor. If you haven't configured any data sources to send data to the Edge Processor yet, then do so. See the Get data into Edge Processors chapter.
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408