Splunk Cloud Platform

Use Ingest Processors

Send data from Ingest Processor to the Splunk Cloud Platform deployment connected to your tenant

Send data from Ingest Processor to the Splunk Cloud Platform deployment connected to your tenant by creating a connection between your cloud tenant and your Splunk Cloud Platform deployment. You can use this connection to send data from Ingest Processor to the connected Splunk Cloud Platform deployment. To do this, you must create a pipeline that uses a destination that is associated with this connection, and then apply the pipeline. If you want to send data to an index that was created after the Splunk Cloud Platform deployment was connected to the tenant, then you might need to refresh the connection before that index becomes available as a destination.

The specific index that the data from Ingest Processor gets routed to is determined by a precedence order of configurations. For more information, see How does Ingest Processor know which index to send data to?

Prerequisites

Make sure that your Splunk Cloud Platform deployment is connected to your cloud tenant, and that the indexers and indexes from that deployment are available to your tenant.

To verify if this connection has been configured correctly, navigate to the Destinations page and select the Splunk tab. Then, confirm that the indexers from your Splunk Cloud Platform deployment are available as Splunk platform destinations.

If you do not see any Splunk platform destinations, make sure that you have completed the setup process described in First-time setup instructions for the Ingest Processor solution.

Create a pipeline that sends data to the connected Splunk Cloud Platform deployment

  1. Navigate to the Pipelines page, then select New pipeline and then Ingest Processor pipeline.
  2. Select Blank pipeline, then select Next.
  3. On the Define your pipeline's partition page, do the following:
    1. Select how you want to partition your incoming data that you want to send to your pipeline. You can partition by source type, source, and host.
    2. Enter the conditions for your partition, including the operator and the value. Your pipeline will receive and process the incoming data that meets these conditions.
    3. Select Next to confirm the pipeline partition.
  4. (Optional) On the Add sample data page, enter or upload sample data for generating previews that show how your pipeline processes data.

    The sample data must be in the same format as the actual data that you want to process. See Getting sample data for previewing data transformations for more information.

  5. Select Next to confirm any sample data that you want to use for your pipeline.
  6. On the Select a metrics destination page, select the name of the destination that you want to send metrics to.
  7. On the Select a data destination page, select the name of the destination that you want to send logs to.
  8. (Optional) Configure index routing:
    1. Select one of the following options in the expanded destinations panel:
      Option Description
      Default The pipeline does not route events to a specific index.


      If the event metadata already specifies an index, then the event is sent to that index. Otherwise, the event is sent to the default index of the Splunk Cloud Platform deployment.

      Specify index for events with no index The pipeline only routes events to your specified index if the event metadata did not already specify an index.
      Specify index for all events The pipeline routes all events to your specified index.
    2. If you selected Specify index for events with no index or Specify index for all events, then from the Index name drop-down list, select the name of the index that you want to send your data to.
      If your desired index is not available in the drop-down list, then confirm that the index is configured to be available to the tenant and then refresh the connection between the tenant and the Splunk Cloud Platform deployment. For detailed instructions, see Make more indexes available to the tenant.

    9. If you're sending data to a Splunk Cloud Platform deployment, be aware that the destination index is determined by a precedence order of configurations. See How does Ingest Processor know which index to send data to? for more information

  9. Select Done to confirm the data destination.
    After you complete the on-screen instructions, the pipeline builder displays the SPL2 statement for your pipeline.
  10. On the SPL2 editor page, add any desired actions to your SPL2 statement. You can add processing commands to your pipeline by selecting the plus icon (This image shows an icon of a plus sign.) next to Actions and selecting a data processing action, or by typing SPL2 commands and functions directly in the editor. For instructions on creating pipelines for specific use cases, see the following:

When you are done modifying the pipeline, save and apply the pipeline.

Make more indexes available to the tenant

If any indexes that you want to send data to are not listed in the Index name drop-down list when you're configuring your pipeline, then complete the following steps to make those indexes available.

  1. In your Splunk Cloud Platform deployment, update the role of the service account so that the account can access your indexes:
    1. Log in using your admin credentials.
    2. In the Settings menu, in the Users and authentication section, select Roles.
    3. In the row that lists the role used by your service account, select Edit > Edit.

      The role and service account were created when you configured your Splunk Cloud Platform deployment to receive data.

    4. On the 3. Indexes tab, select the Included check box for all the indexes that you want to make available.
    5. Select Save.
  2. In your cloud tenant, refresh the connection to your Splunk Cloud Platform deployment:
    1. Select the Settings icon (Image of the Settings icon) and then select Manage connection.
    2. Select the Refresh icon (This image shows an icon that looks like two curved arrows going in a circle.).
    3. Select Done.

The indexes that you added become available on the Destinations page, and you can now send processed data from Ingest Processor to these indexes.

Last modified on 12 August, 2024
Sending data from Ingest Processor to Splunk Cloud Platform   Send data from Ingest Processor to your Splunk Observability Cloud deployment

This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters