Splunk Cloud Platform

Release Notes

The Edge Processor solution

The Edge Processor solution is being gradually rolled out to Splunk Cloud Platform and may not be available immediately. If you have an urgent need for this capability and do not see it yet in your Splunk Cloud Platform environment, then please contact your Splunk Cloud Platform sales representative.

This page contains information about new features, known issues, and resolved issues for the Edge Processor solution, grouped by the generally available release date.

The Edge Processor solution is a service within Splunk Cloud Platform designed to help you manage data ingestion within your network boundaries. Use the Edge Processor solution to filter, mask, and transform your data close to its source before routing the processed data to external environments. For more information, see About the Edge Processor solution.

The Edge Processor solution is available on Splunk Cloud Platform version 9.0.2209 or higher. Updates are released frequently, and become available across all the supported Splunk Cloud Platform versions at the same time.

The release date indicates when updates to the Edge Processor solution were made available to Splunk Cloud Platform customers. For more information, contact your Splunk account representative.

Use these links to navigate to a specific section:

New features, enhancements, and fixed issues

Splunk releases frequent updates to the Edge Processor solution. This list is periodically updated with the latest functionality and changes to the product.

September 26, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Edge Processor acknowledgement for HTTP Event Collector (HEC) data You can now use Edge Processor acknowledgement to verify whether the Edge Processor received data that was sent through HEC.



See Edge Processor acknowledgement for more information.

Edge Processor support for Amazon Data Firehose You can now send Amazon Web Services events through Amazon Data Firehose to Edge Processor.


See Get data into an Edge Processor using HTTP Event Collector for more information.

September 25, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Edge Processor queue resiliency The Edge Processor queue can now back pressure batches of data to upstream clients until it is ready to be sent to the destination.


In the past, there has been a known issue where an Edge Processor instance can only use 5 vCPUs of processing power from its host machine. The Edge Processor queue resiliency feature fixes this issue.

See What happens to my data if a destination becomes unavailable? for more information.

September 16, 2024

The change described in this release note was reverted on September 19, 2024.

The following issue has been fixed in the Edge Processor solution.

Fixed issue Description
In some cases, the Time zone assignment option for syslog data did not work as expected. Previously, when you sent syslog data from an Edge Processor to a Splunk platform S2S destination, in some cases the specified time zone in the Time zone assignment option would not be used and instead default to UTC.


Now, the specified time zone is respected regardless of the data destination that the syslog data is sent to.

See Configure the time zone of your syslog data in the Edge Processor for more information.

August 31, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated Warning status for Edge Processor instances Previously, the Warning status indicated that an Edge Processor instance was nearing its memory or CPU usage limit. The definition of this status has been expanded to also include cases where the Edge Processor service is receiving incomplete status information from instances.


For more information, see Instance statuses and what they mean and An Edge Processor instance is in the "Warning" status.

August 22, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Improvements to error handling and Edge Processor restart behavior

There is an action required for existing users due to this new feature.

The Edge Processor service has undergone an internal system upgrade to improve error handling and reduce the frequency of Edge Processor restarts.

Due to the upgrade, please check that your role search, user search, and disk space limit values on the service account role for the scpbridge connection are set to the recommended limits. Otherwise, your Edge Processors might falsely report as disconnected.

See Create a role for the service account for the latest recommended limit values.

August 7, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Improved user interface for configuring index routing The user interface for configuring index routing has been updated to present the configuration options more clearly.


For information about how to configure index routing, see Create pipelines for Edge Processors.

For information about how the destination index for your data is determined by a precedence order of configurations, see How does an Edge Processor know which index to send data to?

July 30, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Time zone assignment for syslog data You can now choose the time zone that your Edge Processor assigns to incoming syslog data if that data uses the RFC 3164 protocol and doesn't already specify a time zone.


See Configure the time zone of your syslog data in the Edge Processor for more information.

July 19, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updates to custom function support in SPL2 When defining a custom SPL2 function in a pipeline, you must now declare mandatory parameters before optional parameters.


See Custom functions and data types in the SPL2 Search Reference for more information.

May 28, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Support for Amazon Linux 2 You can now install and run Edge Processors on Amazon Linux 2 machines.


See Installation requirements for Edge Processors for more information.

May 14, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Support for the thru and branch SPL2 commands You can now use the thru and branch commands to process and route copies of the incoming data in different ways.


See Routing data in the same Edge Processor pipeline to different actions and destinations for more information.

April 24, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Additional SPL2 functions You can now use the following evaluation functions in pipelines for Edge Processors:

See the "Mathematical functions" and "Trig and hyperbolic functions" rows in the SPL2 evaluation functions for Edge Processor pipelines table for more information.

April 18, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Renamed Global settings to Shared settings and updated the side navigation The Global settings page is now called Shared settings. The updated side navigation has the Shared settings and Source types items under the Edge Processors item.


See Configure shared Edge Processor settings for more information.

April 4, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Support for the json_valid, mvappend, mvdedup, and tojson SPL2 functions You can now use the following evaluation functions in pipelines for Edge Processors:

See SPL2 evaluation functions for Edge Processor pipelines for more information.

April 2, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
HTTP Event Collector (HEC) token authentication You can now configure Edge Processors to require data sources that are sending data through HEC to be authenticated using HEC tokens.


See Get data into an Edge Processor using HTTP Event Collector for more information.

March 26, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated workflow for configuring hashing functions You can now use the Compute hash of action in the pipeline builder to add and configure hashing functions in your pipelines.


See Hash fields using an Edge Processor for more information.

March 12, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated workflow for configuring lookups You can now use the Enrich events with lookup action in the pipeline builder to add and configure lookups in your pipelines.


See Enrich data with lookups using an Edge Processor for more information.

February 27, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated configuration settings for TLS and mTLS The configuration settings for securing communications between Edge Processors, data sources, and data destinations using TLS and mutually authenticated TLS (mTLS) have been updated to indicate more clearly when TLS or mTLS is supported.


For information about configuring mTLS between data sources and Edge Processors, see the pages in the Get data into Edge Processors chapter.

For information about configuring TLS or mTLS between Edge Processors and data destinations, see the following pages:

Renamed configuration option for Splunk platform HEC destinations The name and description of the Indexer or load balancer field has been updated to indicate the expected value more clearly. This field is now called HEC URI.


See the following pages for more information:

February 12, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated UI component for selecting data destinations in the pipeline builder The Append data to destination action in the pipeline builder is now called Send data to destination.


See Process a subset of data using an Edge Processor for more information.

January 31, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Support for the mvcount, mvrange, and mv_to_json_array SPL2 functions You can now use the following evaluation functions in pipelines for Edge Processors:

See SPL2 evaluation functions for Edge Processor pipelines for more information.

January 24, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated workflow for adding data processing actions to pipelines You can now use the plus icon (This image shows an icon of a plus sign.) in the Actions section of the pipeline builder to access a list of data processing actions for your pipeline.


See Create pipelines for Edge Processors for more information.

January 23, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Pipeline previews for multiple destinations When editing a pipeline that routes data to multiple destinations, you can now select a specific destination to preview the data that will make it to that particular destination.


See Process a subset of data using an Edge Processor for more information.

January 22, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updates to how where commands in pipelines are interpreted Previously, if a pipeline had one or more where commands as the first processing commands in the SPL2 statement, Edge Processors interpreted those commands as partition conditions. As a result, data that did not match those where clauses was sent to the Edge Processor's default destination instead of being dropped.


Now, Edge Processors consistently interpret all where commands in the pipeline as filters in the main body of the pipeline instead of partition conditions. Going forward, data that does not match the where clauses will be dropped.

This update does not immediately affect any currently applied pipelines. However, the next time you edit or apply a pipeline, that pipeline will be subject to this updated Edge Processor behavior. The Edge Processor service will automatically try to adjust the configuration of the pipeline in order to preserve the pre-existing data processing behavior. Make sure to double-check the partition and where configurations in your pipeline and save any necessary changes to the pipeline before proceeding.

See Updates to partitioning and filtering behavior in Edge Processor pipelines for more information.

January 8, 2024

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Support for the route SPL2 command You can now use the route command to send a desired subset of incoming data to a different destination.


See Process a subset of data using an Edge Processor for more information.

December 7, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Support for the lookup SPL2 command You can now use the lookup command to enrich incoming event data with additional information from CSV or KV Store lookup tables.


See Enrich data with lookups using an Edge Processor for more information.

Raw data ingestion using HTTP Event Collector (HEC) Edge Processors can now receive raw, unformatted data using the services/collector/raw HEC endpoint. You can use Edge Processors to break the raw data into distinct events before routing the data to desired destinations.


See Get data into an Edge Processor using HTTP Event Collector for more information.

November 17, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated workflow for configuring system connections The connection between the tenant and the paired Splunk Cloud Platform deployment is now configured through the new System connections page instead of the Manage connections dialog box.


See Connect your tenant to your Splunk Cloud Platform deployment and Send data from Edge Processors to the Splunk Cloud Platform deployment connected to your tenant for more information.

Additional pipeline partitioning options The pipeline builder now provides more options for creating partitions.


See Create pipelines for Edge Processors for more information.

November 8, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated workflows for sending data to specific Splunk indexes You can now use the Target index action in the pipeline builder to configure your pipeline to send data to a specific Splunk index. Indexes in the tenant-paired Splunk Cloud Platform deployment are no longer displayed directly in the Destinations page, but you can view them by selecting the tenant-paired indexer destination and then selecting View indexes.


See Create pipelines for Edge Processors for more information.

October 30, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Additional SPL2 functions You can now use certain cryptographic functions, trigonometric and hyperbolic functions, and statistical eval functions in pipelines for Edge Processors.


See SPL2 evaluation functions for Edge Processor pipelines for more information.

October 27, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Updated diagnostic tool The edge_diagnostic tool has been updated to fix an issue where the tool omits compressed log files. The checksum value associated with the diagnostic tool has been changed as a result of this update.


See Generate a diagnostic report for an Edge Processor instance for more information.

September 18, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Syslog data transmission You can now configure Edge Processor to receive syslog data.


See Get syslog data into an Edge Processor for more information.

August 22, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Support for the split SPL2 function You can now use the split evaluation function in pipelines for Edge Processors.


See SPL2 evaluation functions for Edge Processor pipelines for more information.

August 9, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Additional SPL2 functions You can now use the following evaluation functions in pipelines for Edge Processors:

See SPL2 evaluation functions for Edge Processor pipelines for more information.

August 4, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Availability on HIPAA, IRAP, and PCI DSS compliant cloud environments Splunk Cloud Platform has attained a number of compliance attestations and certifications from industry-leading auditors as part of Splunk's commitment to adhere to industry standards worldwide and Splunk's efforts to safeguard customer data. Generally Available products and features that are currently in scope of Splunk's compliance program may not be a part of the third-party audit report until the next assessment cycle. The Edge Processor solution is in scope of the following compliance programs and will be audited at the next assessment cycle.
  • Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a U.S. federal law that sets forth national standards governing the processing of protected health information (PHI). HIPAA is intended to improve the effectiveness and efficiency of healthcare systems by establishing standards for the use of electronic records in healthcare; establishing standards for accessing, storing and transmitting PHI; and by protecting the privacy and security of PHI. Splunk's HIPAA compliance offering is annually audited by a third-party for compliance with HIPAA requirements, resulting in annual third party attestation reports.
  • Information Security Registered Assessors Program (IRAP): IRAP is an initiative of the Australian Signals Directorate (ASD) through the Australian Cyber Security Center (ACSC), designed to provide cyber security assessments on Information and Communications Technology (ICT) services to government organizations. IRAP is also a recognised standard with robust security controls for cloud services in the private sector across Australia.
  • The Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a global information security standard created to better control cardholder data and reduce credit card fraud. PCI DSS applies to all entities that store, process, or transmit cardholder data and/or sensitive authentication data. Authorized users can access related documentation in the Customer Trust Portal.

For additional information about compliance and certifications, see Compliance at Splunk.

July 27, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
New pipeline builder You can now utilize a streamlined process when creating pipelines for Edge Processors.


See the following pages for more information:

June 1, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Data transmission using HTTP Event Collector (HEC) You can now configure Edge Processors to receive and send data using the services/collector HEC endpoint.


See the following pages for more information:

May 19, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Pipeline previews using parsed sample data You can now generate pipeline previews using parsed data that has values stored in event fields. Parsed data must be in CSV format.


See Getting sample data for previewing data transformations for more information.

April 27, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Default Destination as part of Edge Processor configuration You can now assign a default destination to each Edge Processor to route unprocessed data.


See Set up an Edge Processor for more information.

March 25, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Time extraction and normalization The pipeline editor now provides time extraction and time format conversion. You can extract timestamp-related fields using delivered templates or write our own regular expressions to meet your use case.


See Extract timestamps from event data using an Edge Processor for more information.

March 16, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Search results as sample data You can now use the Copy field values option to copy data values from search results. This capability lets you use data from the connected Splunk Cloud Platform deployment as sample data for previewing pipelines and source type configurations.


See Getting sample data for previewing data transformations for more information.

March 15, 2023

The Edge Processor solution now includes the following new features or enhancements.

New feature or enhancement Description
Field extraction support The pipeline editor now provides a dedicated user interface for configuring field extractions. You can preview the extracted field names and values as you configure your extractions, and select prewritten regular expressions for extracting common fields.


See Extract fields from event data using an Edge Processor for more information.

February 13, 2023

This is the first generally available release of the Edge Processor solution.

The following functionalities are available for administrators:

Known issues

The Edge Processor solution is subject to the Tested and recommended service limits (Soft limits) in the Splunk Cloud Platform Service Details, as well as the following known issues.

Browsers

Multiple browser sessions are not supported since it is possible for users to try to edit the same pipeline in more than one browser session and make conflicting edits.

Edge Processors

The following limitations exist for Edge Processors:

Edge Processors provide no data delivery guarantees. Data loss can occur if an Edge Processor experiences high back pressure on connections to destinations, or when a data destination has a prolonged outage.

  • If you uninstall or remove an Edge Processor instance using any method other than the uninstallation command provided in the Edge Processor service, the Manage instances panel shows the instance as being in the Disconnected status. You cannot exclude the instance from the list that is displayed in the Manage instances panel. For information about how to resolve this issue, see An Edge Processor instance that was previously "Healthy" is now "Disconnected".
  • Only tenant administrators can create and view Edge Processors.

Forwarders

The following limitations exist for forwarders:

  • The useACK property in outputs.conf must be disabled in forwarders that are sending data to Edge Processors.
  • Configurations defined in the props.conf file are not fully supported. Depending on the specific data transformations involved, the configurations of the props.conf files in forwarders and destination indexers can override or conflict with Edge Processor pipeline logic in unexpected ways. To minimize errors and troubleshooting, do one of the following:
    • Use a pipeline that filters for the props.conf-transformed data and routes it to a destination without doing any additional processing.
    • Specify a default destination for your tenant, and then make sure that the props.conf-transformed data is not handled by any pipelines that are applied to your Edge Processor. This configuration enables the Edge Processor to send the props.conf-transformed data to the default destination without doing any additional processing.
    • If you are using a heavy forwarder, revert your props.conf settings to their defaults and use a pipeline to execute the necessary data transformations instead.
  • You must use source types to configure the line breaking of events from forwarders. Line breaking definitions are specified in the source type configurations in the Edge Processor service. To apply line breaking to an event, you must ensure that the sourcetype value of the event matches the name of the relevant source type configuration.

HTTP Event Collector (HEC)

When you use an Edge Processor to receive or send data through HEC, the Enable indexer acknowledgement setting on the HEC token must be turned off.

Lookups

CIDR matching is not supported. When configuring your lookup definition, make sure that the Match type advanced option is not set to CIDR.

Metrics

Historical metrics presented in the detailed view of an Edge Processor do not include metrics for deleted pipelines.

Pipelines

The following limitations exist for pipelines:

  • Only tenant administrators can create, edit, delete, apply, or remove pipelines.
  • Some SPL2 functions work differently in Edge Processor pipelines than they do in searches. For example, regular expressions in functions are interpreted differently because Edge Processor pipelines support Regular Expression 2 (RE2) syntax while Splunk searches support Perl Compatible Regular Expressions (PCRE) syntax. See Edge Processor pipeline syntax for more information.

Splunk Cloud Experience tenants

When you go through the first-time setup process for the Edge Processor solution, you create a connection between your Splunk Cloud Experience tenant and your Splunk Cloud Platform deployment. This connection enables the tenant to surface specific indexes from that deployment as pipeline destinations.

The following limitations exist for this initial connection between your Splunk Cloud Experience tenant and your Splunk Cloud Platform deployment:

  • You cannot connect your tenant to more than one Splunk Cloud Platform deployment using this method. To send data from a pipeline to an index that belongs to a different Splunk Cloud Platform deployment, you must configure a destination that corresponds to the indexer tier of that deployment and then include an eval expression that specifies the target index in your pipeline. For more information, see Sending data from Edge Processors to Splunk Cloud Platform or Splunk Enterprise.
  • If you create additional indexes in your Splunk Cloud Platform deployment after completing the first-time setup process, you must refresh the connection in order to make those indexes available in the tenant. For detailed instructions, see Make more indexes available to the tenant.
Last modified on 27 September, 2024
Admin Configuration Service   The Ingest Processor solution

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters