Splunk Cloud Platform

Use Edge Processors

Send data from Edge Processors to non-connected Splunk platform deployments using S2S

When sending data from an Edge Processor to a Splunk Enterprise deployment or a Splunk Cloud Platform deployment that is not connected to your tenant, you can choose to send that data using the Splunk-to-Splunk (S2S) protocol. S2S is the proprietary, TCP-based data transmission protocol used between Splunk software.

Start by adding a Splunk platform S2S destination in the Edge Processor service. You can configure the destination to send data to one or more indexers that are part of the same Splunk platform deployment. Then, create a pipeline that uses that destination. When you apply that pipeline to your Edge Processor, the Edge Processor starts sending the data that it receives to your Splunk platform deployment.

The specific index that the data from an Edge Processor gets routed to is determined by a precedence order of configurations. For more information, see Index precedence order when using S2S.

You can also send data using the HTTP Event Collector (HEC) instead of S2S, or send data to the Splunk Cloud Platform deployment that is connected to your tenant without needing to add any destinations. For more information, see Sending data from Edge Processors to Splunk Cloud Platform or Splunk Enterprise.

Prerequisites

Before you can add a destination that sends data to the Splunk platform using S2S, you must do the following:

  • Make note of the following information for each of the indexers that you want to send data to:
    • The IP address or host name
    • The number of the port used to receive data
  • If you're sending data to an indexer that has the requireClientCert property set to true in the inputs.conf file, that means the indexer uses mutually authenticated TLS (mTLS) for S2S connections and requires connecting clients to authenticate themselves using TLS certificates. In this case, you must obtain the certificates for proving the Edge Processor's identity. See Obtaining TLS certificates in this topic for more information.

    Splunk Cloud Platform indexers always require mTLS for S2S connections.

Obtaining TLS certificates

If you're sending data to an indexer that uses mTLS, then you need to have TLS certificates that the Edge Processor can use to prove its identity to the indexer. You must upload these certificates when configuring the destination in the Edge Processor service.

TLS requirements when connecting to Splunk Cloud Platform

Your Edge Processor must prove its identity using the TLS certificates provided in the universal forwarder credentials package. You can download this package from your Splunk Cloud Platform deployment by doing the following:

  1. In the Splunk Web interface for your Splunk Cloud Platform deployment, select Apps, then Universal Forwarder.
  2. Select Download Universal Forwarder Credentials.

Note the location of the credentials file. The credentials file is named splunkclouduf.spl.

TLS requirements when connecting to Splunk Enterprise

Your Edge Processor must prove its identity using the following TLS certificates, contained in separate Privacy Enhanced Mail (PEM) files:

  • A client certificate.
  • The private key associated with that client certificate. This private key must be decrypted.
  • The CA certificates used to verify the indexer.

If you don't have these PEM files, ask your Splunk Enterprise administrator for assistance. See the Secure Splunk platform communications with Transport Layer Security certificates chapter of the Securing Splunk Enterprise manual for more information.

Add a Splunk platform S2S destination

  1. In the Edge Processor service, select Destinations.
  2. On the Destinations page, select New destination, then Splunk platform using S2S.
  3. Provide a name and description for your destination.
    Field Description
    Name A unique name for your destination
    Description (Optional) A description of your destination
  4. In the Indexers field, enter the host and port information of an indexer that you want to send data to using the format <ip_address>:<port> or <hostname>:<port>. You can enter information for multiple indexers by selecting Add another.
  5. If your indexer requires mTLS, then do the following:
    1. Select Authenticate identity using TLS certificates.
    2. Set Platform to the type of Splunk platform deployment you want to send data to.
    3. Provide the necessary certificates:
      • If you set Platform to Splunk Cloud Platform, then in the Universal forwarder credentials field, upload the splunkclouduf.spl file that you downloaded from your Splunk Cloud Platform deployment.
      • If you set Platform to Splunk Enterprise, then upload the appropriate private key and certificates in these fields:
        Field Description
        Client private key A PEM file containing the decrypted private key associated with your client certificate
        Client certificate A PEM file containing a client certificate
        CA certificates The CA certificates used to verify the indexer
  6. To finish adding the destination, select Add.

You now have a destination that you can use to send data from an Edge Processor to one or more Splunk indexers.

To start sending data from an Edge Processor to the indexers specified in the destination, create a pipeline that uses the destination you just added and then apply that pipeline to your Edge Processor. For more information, see Create pipelines for Edge Processors and Apply pipelines to Edge Processors.

Last modified on 19 September, 2024
Send data from Edge Processors to the Splunk Cloud Platform deployment connected to your tenant   Send data from Edge Processors to non-connected Splunk platform deployments using HEC

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters