Splunk Cloud Platform

Use Ingest Processors

About Ingest Processor

Ingest Processor is a data processing capability that works within your Splunk Cloud Platform deployment. Use the Ingest Processor to configure data flows, control data format, apply transformation rules prior to indexing, and route to destinations.

You can easily deploy and use Ingest Processor since it does not require any additional infrastructure in your Splunk Cloud Platform environment. Ingest Processor will seamlessly scale and adjust your infrastructure resources according to your organization's needs. The Ingest Processor solution also lets you manage your data processing configurations and monitor your data ingest traffic through a centralized Splunk Cloud service.

What is the difference between Ingest Processor and Edge Processor?

See the following table to review the differences between Ingest Processor and Edge Processor.

Features Edge Processor Ingest Processor
Solution description Edge Processor is a Splunk product that allows you to process data using SPL2 before you send that data out of your network to external destinations. You use a Splunk-managed cloud service to deploy and manage on-premises Edge Processors at the edge of your network. Ingest Processor is a Splunk Cloud Platform capability that allows you to process data using SPL2 at the time of data ingestion.
Supported data sources
  • Forwarders
  • HTTP clients and logging applications through the HTTP Event Collector (HEC)
  • Syslog devices
All data sources supported by Splunk Cloud Platform deployments on Victoria Experience.
Where processing takes place At the edge of your network, close to the data source. In Splunk Cloud Platform.
Generate logs into metrics No Yes
Enrich data using lookups Yes No
Routing to Splunk Enterprise indexes Yes No
Routing to Splunk Cloud Platform indexes Yes Yes, but limited to indexes paired on the same Splunk Cloud Platform deployment with Ingest Processor.
Routing to Splunk Observability Cloud No Yes
Data format when routing to Amazon S3 JSON files that use the Splunk HEC schema
  • Parquet files
  • JSON files that use the Splunk HEC schema

For information about the Edge Processor solution, see the Use Edge Processors manual.

Ingest Processor components

The following diagram provides an overview of the components that comprise the Ingest Processor service, and whether each component is hosted in the Splunk Cloud Platform environment or your local environment. See the System architecture section on this page for more information.

This diagram shows how the Ingest Processor service in your Splunk Cloud Platform environment works. Data is generated by a source, collected by agents such as forwarders, sent to the Ingest Processor service for processing, and then routed to a destination.

Get started with the Ingest Processor solution

Before you can start using the Ingest Processor solution, you must gain access to a cloud tenant where the Ingest Processor is available. Ingest Processor is only available on Victoria Experience for Splunk Cloud Platform. No additional cloud computing resources (AWS, Azure, GCP) are needed in order to run Ingest Processor.

Compliance and certifications for Ingest Processor

Ingest Processor is currently restricted from provisioning Payment Card Industry (PCI) compliant stacks.

Splunk Ingest Processor has attained a number of compliance attestations and certifications from industry-leading auditors as part of Splunk's commitment to adhere to industry standards worldwide and Splunk's efforts to safeguard customer data. Generally Available products and features that are currently in scope of Splunk's compliance program may not be a part of the third-party audit report until the next assessment cycle.

  • SOC 1: Service Organization Controls (SOC) compliance is a standardized framework created by the American Institute of Certified Public Accountants (AICPA). It aims to assess service organizations' internal controls, policies and procedures with a focus on controls that impact financial reporting. Splunk Cloud Platform undergoes annual SOC 1 audits to assure the security, availability, processing integrity, confidentiality, and privacy of applicable data and systems.
  • SOC 2 Type II: The SOC 2 audit assesses an organization's security, availability, process integrity, and confidentiality processes to provide assurance about the systems that a company uses to protect customers' data. If you require the SOC 2 Type II attestation to review, contact your Splunk sales representative.
  • Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a U.S. federal law that sets forth national standards governing the processing of protected health information (PHI). HIPAA is intended to improve the effectiveness and efficiency of healthcare systems by establishing standards for the use of electronic records in healthcare; establishing standards for accessing, storing and transmitting PHI; and by protecting the privacy and security of PHI. Splunk's HIPAA compliance offering is annually audited by a third-party for compliance with HIPAA requirements, resulting in annual third party attestation reports.
  • ISO 27001: Splunk Cloud Platform achieved the International Organization for Standardization's information security standard 27001 (ISO 27001) certification in December 2015 and continues to update it annually. ISO 27001 is a specification that outlines security requirements for an information security management system (ISMS). Authorized users can access related documentation in the Customer Trust Portal.
  • CSA star level 1: The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. Splunk Cloud Platform has obtained CSA STAR Level 1; a self-assessment intended for Cloud Service Providers that operate in a low-risk environment and want to offer greater visibility into the security controls they have in place.

Request Ingest Processor on your Splunk Cloud Platform stack

To obtain a Splunk Cloud Platform stack that is provisioned with Ingest Processor, Create a support case on the Splunk Support portal, and perform the following steps to complete the cloud change management (CCM) form.

On the Create a case page on the Splunk Support portal, fill out the following fields.

  1. In the Select Case Type field, select Support.
  2. In the Select Product field, select Splunk Cloud.
  3. In the I need help with... field, select Cloud Change Request.
  4. In the Select Cloud Stack field, select your Splunk Cloud Platform stack.
  5. In the Conf File Name field, select Standard Configuration.
  6. In the Maintenance Window field, provide several maintenance window options, and include your time zone.
  7. In the Description field, enter request to provision Ingest Processor GA Essentials.
  8. In the Splunk Support access to your company data field, select either Allow or Do not Allow.
  9. Click Submit.

Cloud change management (CCM) form images from the Splunk Support portal.

This image displays the Support portal signup options for the Ingest Processor solution.
This image displays the Support portal signup options for the Ingest Processor solution.

Learn more

To learn more about how the Ingest Processor solution works and become more familiar with key terms and concepts, see How the Ingest Processor solution works. For information about the types of data processing operations that are supported, see Ingest Processor pipeline syntax.

Reference

See the following documentation for more information about the Ingest Processor solution and other Splunk software that works in conjunction with the Ingest Processor solution.

For this information Refer to this documentation
Regional availability of the Ingest Processor solution Cloud region:
  • us-east-1
  • us-west-2
  • ap-northeast-1
  • ap-southeast-1
  • ap-southeast-2
  • ca-central-1
  • eu-central-1
  • eu-south-1
    • Only available on Splunk Cloud Platform version 9.2.2406 or higher.
  • eu-west-1
  • eu-west-2
  • eu-west-3
    • Only available on Splunk Cloud Platform version 9.2.2403 or higher.
Complete information about the supported SPL2 commands and functions.
How to configure Splunk forwarders The Forwarding Data manual
Last modified on 07 November, 2024
  How the Ingest Processor solution works

This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters