Splunk Cloud Platform

Use Edge Processors

Verify your Edge Processor and pipeline configurations

Your Edge Processor starts processing and routing your data after you've completed the following steps:

After you complete these steps, the Edge Processor processes data and sends it to a destination based on the data processing instructions defined in the applied pipelines.

To confirm that data is actually flowing through your Edge Processor, you can view the inbound and outbound data metrics of the Edge Processor. As an additional confirmation step, you can verify your data at its destination. For example, you can search an index to confirm that your data is reaching that index as expected. See the sections that follow for more detailed guidance on verifying that your Edge Processor is working as expected.

View the inbound and outbound data metrics of an Edge Processor

In the Edge Processor service, you can open a detailed view of your Edge Processor that displays information such as the amount of data that your Edge Processor is receiving and sending out to destinations.

  1. Navigate to the Edge Processors page.
  2. In the row that lists your Edge Processor, select the Actions icon and then select Open.
  3. View the Inbound data and Outbound data values to confirm that data is flowing through your Edge Processor.

If the data flow metrics do not match what you expect, then verify your configurations. See Confirming and troubleshooting your configurations.

Search for your data in the destination index

Use Splunk Cloud Platform to search for the data that you sent through your Edge Processor.

  1. Log in to the Splunk platform deployment that you configured your Edge Processor to send data to.
  2. From the Apps panel in Splunk Web, select Search & Reporting.
  3. Search the destination index to confirm that it contains the expected events. For example, if you configured your Edge Processor to send data to an index named my_index, then use the following search criteria to find your data:

    index="my_index"
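
To go beyond a bare index search, the following added example (not part of the original Splunk documentation) breaks the arriving events down by source type, host, and source, and reports indexing lag, so you can see whether every expected source is passing through the pipeline. It reuses the my_index name from the step above; the 15-minute window and the output field names are assumptions chosen for illustration.

```spl
index="my_index" earliest=-15m latest=now
| eval lag_seconds = _indextime - _time
| stats count AS events,
        min(_time) AS first_event,
        max(_time) AS last_event,
        avg(lag_seconds) AS avg_lag_seconds,
        max(lag_seconds) AS max_lag_seconds
        BY sourcetype, host, source
| convert ctime(first_event) ctime(last_event)
| sort - events
```

A source type or host that you expect but that is missing from the results points to a forwarder, source type, or pipeline filter issue rather than a destination issue.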

If your processed data is not showing up at its destination as expected, then verify your configurations. See Confirming and troubleshooting your configurations.

Confirming and troubleshooting your configurations

If you encounter unexpected results or behavior while using the Edge Processor solution, make sure that your data source, source type, Edge Processor, pipeline, and destination are configured correctly. Specifically, verify the following:

  • If you're working with data from a Splunk forwarder, make sure that the forwarder is configured to send data to the Edge Processor. Additionally, make sure that the forwarder doesn't use any advanced routing or filtering configurations that would prevent data from being sent to the Edge Processor. See the troubleshooting guidance for An Edge Processor is not receiving data from a forwarder for more information.
  • If you're working with data that is transmitted through HTTP Event Collector (HEC), make sure that the HTTP requests for sending the data are formatted correctly. See Send data to an Edge Processor using HEC for more information.
  • The source type of the data that you want to process is listed on the Source types page in the Edge Processor service, and this source type is configured with the appropriate event-breaking definitions.

    When a source type configuration is opened for editing, you can generate a preview that confirms how that configuration breaks and merges the inbound data stream into events. See Getting sample data for previewing data transformations and Add a source type for more information.

  • Your Edge Processor has at least one instance that is in the Healthy status. See Troubleshoot the Edge Processor solution for information about fixing instances that are in other statuses.
  • Your pipeline is configured correctly. Make sure that your pipeline isn't filtering out data that you want to keep.

    When your pipeline is opened for editing, you can generate a preview for each destination to confirm how your pipeline processes data. See Getting sample data for previewing data transformations and Create pipelines for Edge Processors for more information.

  • The destination used by your pipeline is configured with the correct connection settings and credentials.
  • If you're sending data from an Edge Processor to the Splunk platform through HEC, make sure that your HEC token and index configurations are not being overridden by a configuration that's higher in the precedence order. See Precedence order of HEC tokens and metadata field values for more information.

If the problems persist, do the following:

Last modified on 26 April, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
