Splunk Cloud Platform

Use Ingest Processors

Sending data from Ingest Processor to Splunk Cloud Platform

You can send data from Ingest Processor to the Splunk Cloud Platform deployment that is connected to the Ingest Processor service.

During the first-time setup process for the Ingest Processor solution, the Ingest Processor solution is connected to a Splunk Cloud Platform deployment. Due to this connection, the indexes and indexers associated with this deployment are already available as data destinations for Ingest Processor pipelines. You can create a pipeline to send data to this connected Splunk Cloud Platform deployment using the Splunk-to-Splunk (S2S) protocol. For more information, see Send data from Ingest Processor to the Splunk Cloud Platform deployment connected to your tenant.

How does Ingest Processor know which index to send data to?

When you send data from Ingest Processor to Splunk Cloud Platform, the destination index is determined by the following precedence order of configurations:

Configuration Description
The SPL2 statement of the pipeline If the pipeline contains an eval command that sets the index field to a specific value, then Ingest Processor sends data to the specified index.


For example, if you apply the following pipeline, then the Ingest Processor solution sends data to an index called AppLogEvents:
$pipeline = | from $source | eval index="AppLogEvents" | into $destination;


You can add this command by specifying a target index during pipeline creation or by selecting the Target index action when editing a pipeline. See the Create pipelines for Ingest Processor topic in this manual for more information.

The metadata in the event payload If the event contains metadata that specifies an index, then Ingest Processor sends the event to that index.


The index in the event metadata can be set through various methods as the event travels from the original data source to Ingest Processor. For example:

  • If the data comes from a Splunk forwarder, then the index value in the inputs.conf file specifies the index in the event metadata.
  • If the data comes from a HTTP Event Collector (HEC) data source, then the index parameter in the HTTP request specifies the index in the event metadata.
None of the previously described configurations specify an index Ingest Processor sends data to the default index of the Splunk platform deployment, which is typically main. See Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual for more information.

If the destination index determined by this precedence order does not exist in the Splunk Cloud Platform deployment, then one of the following outcomes occur:

  • If the lastChanceIndex property is configured in the Splunk Cloud Platform deployment, then the data goes to the index specified by that property.
  • If the lastChanceIndex property is not configured, then the data is dropped.

For more information about the lastChanceIndex property, see indexes.conf in the Splunk Enterprise Admin Manual.

Last modified on 02 August, 2024
Add or manage destinations   Send data from Ingest Processor to the Splunk Cloud Platform deployment connected to your tenant

This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters