Configure shared Edge Processor settings

The Edge Processor service supports several configuration settings that apply to all Edge Processors that are part of the same cloud tenant. These settings determine behavior such as which port your Edge Processors use to listen for incoming data, and the amount of computing resources that an Edge Processor can use before warnings are raised.

Your updated settings are applied to all current Edge Processors after you select Save. Additionally, your updated settings are used by default for any new Edge Processors that you set up afterwards.

Port limitations

On Linux machines, ports with numbers lower than 1024 are restricted ports that cannot be used without root permissions. When specifying the ports that your Edge Processors use to listen for incoming data, make sure to use port number 1024 or higher.

If you want to use a port number lower than 1024, then you must grant your Edge Processors the ability to bind to privileged ports, such as by setting up your Edge Processors to run with root permissions. If you already have Edge Processor instances running without root permissions, then you can either reinstall them with root permissions or use the iptables utility to route the data from the privileged port to a non-privileged port.
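The iptables option keeps the Edge Processor running without root permissions. The following script is an added example, not part of the Splunk documentation: it validates a port pair and prints the NAT redirect rules for review. The function name and the sample ports 514 and 1514 are assumptions.

```shell
#!/bin/sh
# Added example: print (not apply) the iptables NAT rules that redirect a
# privileged port to the non-privileged port an Edge Processor listens on.
# Ports 514 and 1514 below are sample values, not taken from the documentation.

# redirect_rules PROTO PRIVILEGED_PORT LISTEN_PORT
# Prints two rules on success; returns 2 and prints no rules on invalid input.
redirect_rules() {
    proto=$1 from=$2 to=$3
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp" >&2; return 2 ;;
    esac
    for p in "$from" "$to"; do
        case "$p" in
            ''|*[!0-9]*) echo "ports must be decimal numbers" >&2; return 2 ;;
        esac
    done
    if [ "$from" -lt 1 ] || [ "$from" -ge 1024 ]; then
        echo "source port must be a privileged port (1-1023)" >&2; return 2
    fi
    if [ "$to" -lt 1024 ] || [ "$to" -gt 65535 ]; then
        echo "listener port must be 1024-65535" >&2; return 2
    fi
    # Traffic arriving from other hosts
    echo "iptables -t nat -A PREROUTING -p $proto --dport $from -j REDIRECT --to-ports $to"
    # Traffic from senders on the Edge Processor host itself
    echo "iptables -t nat -A OUTPUT -o lo -p $proto --dport $from -j REDIRECT --to-ports $to"
}

# Dry run: syslog senders keep using 514, the Edge Processor listens on 1514.
redirect_rules tcp 514 1514
redirect_rules udp 514 1514
```

Review the printed commands and run them as root to apply them; rules added this way do not survive a reboot unless you save them. Because the listener port is non-privileged, any local account can bind it while the Edge Processor is stopped, so limit local access to the host.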

Steps

  1. Select Edge Processors, then select Shared settings.
  2. To specify the amount of computing resources that an Edge Processor can use before it enters a Warning state due to high resource usage, do the following:
    1. Select the Other settings tab, then select Edit.
    2. Configure the following settings:
      | Field | Description |
      | --- | --- |
      | CPU threshold | The percentage of the total allocated CPU processing power that an Edge Processor can use before a warning is raised |
      | Memory threshold | The percentage of the total allocated memory that an Edge Processor can use before a warning is raised |
    3. Select Save. For other shared settings, select the Receiver settings tab.
  3. To specify how Edge Processors receive data from universal and heavy forwarders, do the following:
    1. In the Splunk forwarders section, select Edit.
    2. Configure the following:
      | Field | Description |
      | --- | --- |
      | Port | The number of the TCP port used to receive data from forwarders |
      | Maximum channels | The number of channels an Edge Processor can use to receive data from forwarders |
    3. Select Save.
  4. To specify the port that Edge Processors use to receive data from HTTP clients and logging agents through HTTP Event Collector (HEC), in the HTTP Event Collector section, do the following:
    1. In the Port settings area, select Edit.
    2. Enter your desired port number in the Port field and then select Save.
  5. To secure the HEC receiver in your Edge Processors by requiring incoming HTTP requests to be authenticated using a HEC token, do the following:
    1. In the Token authentication section, select New token.
    2. In the Add HEC token section, enter your token value in the Token value field.
    3. (Optional) In the Source field, enter a source value that you want to assign to the data that is received through this HEC token.
    4. (Optional) In the Source type field, enter a sourcetype value that you want to assign to the data that is received through this HEC token.
    5. Select Add.

    When token authentication is turned on, data sources can only send data to the Edge Processor through HEC if the HTTP request includes a matching HEC token. The token authentication feature is activated when at least one HEC token is added. If you want to deactivate the token authentication feature, you must delete all added tokens.


  6. To specify the port that Edge Processors use to receive data from syslog data sources, do the following:
    1. In the Syslog section, select New Port.
    2. Configure the following:
      | Field | Description |
      | --- | --- |
      | Port | The number of the TCP or UDP port used to receive data from forwarders |
      | Source type | The metadata assigned to incoming syslog data to allow pipeline processing |
      | RFC protocol | The standard that defines the format of your syslog data |
    3. Select Save.
  7. (Optional) If your syslog data uses the RFC 3164 protocol and does not have a time zone assigned to it, you can configure your Edge Processor to assign it to a different time zone. To configure the time zone of your syslog data in the Edge Processor, do the following:
    1. In the Time zone for syslog data section, select Edit.
    2. Select your desired time zone assignment.
    3. Select Save.
  8. If you changed any of the Port settings, make sure to update the configurations of your data sources to account for the updated port number. Review and update these configurations as needed:
    | Type of data source | Configuration instructions |
    | --- | --- |
    | Splunk forwarders | In the outputs.conf file, make sure that the server property specifies the correct port number. |
    | HTTP clients or logging agents using HTTP Event Collector (HEC) | Make sure that the HTTP requests for sending data to the Edge Processor are directed to the correct port number. If your HTTP requests are directed to a load balancer, make sure that the load balancer is configured to pass the requests to the correct port number. |
    | Syslog devices | Make sure that the syslog requests for sending data to the Edge Processor are directed to the correct port number. |
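
For the Splunk forwarders check in step 8, the following script is an added example, not part of the Splunk documentation: it reads an outputs.conf file and lists every server target that does not use the expected port. The function names, host names, and port 9997 are constructed sample values.

```shell
#!/bin/sh
# Added example: flag outputs.conf "server" targets that still point at an
# old port after the forwarder receiver port was changed in Shared settings.

# check_outputs_ports FILE EXPECTED_PORT
# Prints "<line number>: <target>" for each mismatch.
# Returns 0 when every target uses EXPECTED_PORT, 1 otherwise.
check_outputs_ports() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                 # skip commented-out settings
        /^[ \t]*server[ \t]*=/ {
            sub(/^[^=]*=/, "")              # keep only the value
            n = split($0, targets, ",")     # server accepts a comma-separated list
            for (i = 1; i <= n; i++) {
                t = targets[i]
                gsub(/[ \t\r]/, "", t)
                if (t == "") continue
                port = t
                sub(/^.*:/, "", port)       # text after the last colon
                if (port != want) { printf "%d: %s\n", NR, t; bad = 1 }
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample file; the second target still uses the old port.
sample_outputs_conf() {
    cat <<'EOF'
[tcpout]
defaultGroup = edge_processors

[tcpout:edge_processors]
# server = old.example.internal:9996
server = ep1.example.internal:9997, ep2.example.internal:9998
EOF
}

conf=$(mktemp)
sample_outputs_conf > "$conf"
check_outputs_ports "$conf" 9997 || echo "update the targets listed above to port 9997"
rm -f "$conf"
```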
Last modified on 12 December, 2024
This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408