The Edge Processor solution
The Edge Processor solution is being gradually rolled out to Splunk Cloud Platform and may not be available immediately. If you have an urgent need for this capability and do not see it yet in your Splunk Cloud Platform environment, then please contact your Splunk Cloud Platform sales representative.
This page contains information about new features, known issues, and resolved issues for the Edge Processor solution, grouped by the generally available release date.
The Edge Processor solution is a service within Splunk Cloud Platform designed to help you manage data ingestion within your network boundaries. Use the Edge Processor solution to filter, mask, and transform your data close to its source before routing the processed data to external environments. For more information, see About the Edge Processor solution.
The Edge Processor solution is available on Splunk Cloud Platform version 9.0.2209 or higher. Updates are released frequently, and become available across all the supported Splunk Cloud Platform versions at the same time.
The release date indicates when updates to the Edge Processor solution were made available to Splunk Cloud Platform customers. For more information, contact your Splunk account representative.
Use these links to navigate to a specific section:
New features, enhancements, and fixed issues
Splunk releases frequent updates to the Edge Processor solution. This list is periodically updated with the latest functionality and changes to the product.
September 26, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Edge Processor acknowledgement for HTTP Event Collector (HEC) data | You can now use Edge Processor acknowledgement to verify whether the Edge Processor received data that was sent through HEC.
|
Edge Processor support for Amazon Data Firehose | You can now send Amazon Web Services events through Amazon Data Firehose to Edge Processor.
|
September 25, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Edge Processor queue resiliency | The Edge Processor queue can now back pressure batches of data to upstream clients until it is ready to be sent to the destination.
See What happens to my data if a destination becomes unavailable? for more information. |
September 16, 2024
The change described in this release note was reverted on September 19, 2024.
The following issue has been fixed in the Edge Processor solution.
Fixed issue | Description |
---|---|
In some cases, the Time zone assignment option for syslog data did not work as expected. | Previously, when you sent syslog data from an Edge Processor to a Splunk platform S2S destination, in some cases the specified time zone in the Time zone assignment option would not be used and instead default to UTC.
|
August 31, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Updated Warning status for Edge Processor instances | Previously, the Warning status indicated that an Edge Processor instance was nearing its memory or CPU usage limit. The definition of this status has been expanded to also include cases where the Edge Processor service is receiving incomplete status information from instances.
|
August 22, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Improvements to error handling and Edge Processor restart behavior | There is an action required for existing users due to this new feature. The Edge Processor service has undergone an internal system upgrade to improve error handling and reduce the frequency of Edge Processor restarts.
Due to the upgrade, please check that your role search, user search, and disk space limit values on the service account role for the scpbridge connection are set to the recommended limits. Otherwise, your Edge Processors might falsely report as disconnected.
See Create a role for the service account for the latest recommended limit values. |
August 7, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Improved user interface for configuring index routing | The user interface for configuring index routing has been updated to present the configuration options more clearly.
|
July 30, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Time zone assignment for syslog data | You can now choose the time zone that your Edge Processor assigns to incoming syslog data if that data uses the RFC 3164 protocol and doesn't already specify a time zone.
|
July 19, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Updates to custom function support in SPL2 | When defining a custom SPL2 function in a pipeline, you must now declare mandatory parameters before optional parameters.
|
May 28, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Support for Amazon Linux 2 | You can now install and run Edge Processors on Amazon Linux 2 machines.
|
May 14, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Support for the thru and branch SPL2 commands
|
You can now use the thru and branch commands to process and route copies of the incoming data in different ways.
|
April 24, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Additional SPL2 functions | You can now use the following evaluation functions in pipelines for Edge Processors:
See the "Mathematical functions" and "Trig and hyperbolic functions" rows in the SPL2 evaluation functions for Edge Processor pipelines table for more information. |
April 18, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Renamed Global settings to Shared settings and updated the side navigation | The Global settings page is now called Shared settings. The updated side navigation has the Shared settings and Source types items under the Edge Processors item.
|
April 4, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Support for the json_valid , mvappend , mvdedup , and tojson SPL2 functions
|
You can now use the following evaluation functions in pipelines for Edge Processors:
See SPL2 evaluation functions for Edge Processor pipelines for more information. |
April 2, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
HTTP Event Collector (HEC) token authentication | You can now configure Edge Processors to require data sources that are sending data through HEC to be authenticated using HEC tokens.
|
March 26, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Updated workflow for configuring hashing functions | You can now use the Compute hash of action in the pipeline builder to add and configure hashing functions in your pipelines.
|
March 12, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Updated workflow for configuring lookups | You can now use the Enrich events with lookup action in the pipeline builder to add and configure lookups in your pipelines.
|
February 27, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Updated configuration settings for TLS and mTLS | The configuration settings for securing communications between Edge Processors, data sources, and data destinations using TLS and mutually authenticated TLS (mTLS) have been updated to indicate more clearly when TLS or mTLS is supported.
|
Renamed configuration option for Splunk platform HEC destinations | The name and description of the Indexer or load balancer field has been updated to indicate the expected value more clearly. This field is now called HEC URI.
|
February 12, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Updated UI component for selecting data destinations in the pipeline builder | The Append data to destination action in the pipeline builder is now called Send data to destination.
|
January 31, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Support for the mvcount , mvrange , and mv_to_json_array SPL2 functions
|
You can now use the following evaluation functions in pipelines for Edge Processors:
See SPL2 evaluation functions for Edge Processor pipelines for more information. |
January 24, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Updated workflow for adding data processing actions to pipelines | You can now use the plus icon () in the Actions section of the pipeline builder to access a list of data processing actions for your pipeline.
|
January 23, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Pipeline previews for multiple destinations | When editing a pipeline that routes data to multiple destinations, you can now select a specific destination to preview the data that will make it to that particular destination.
|
January 22, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Updates to how where commands in pipelines are interpreted
|
Previously, if a pipeline had one or more where commands as the first processing commands in the SPL2 statement, Edge Processors interpreted those commands as partition conditions. As a result, data that did not match those where clauses was sent to the Edge Processor's default destination instead of being dropped.
|
January 8, 2024
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Support for the route SPL2 command
|
You can now use the route command to send a desired subset of incoming data to a different destination.
|
December 7, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Support for the lookup SPL2 command
|
You can now use the lookup command to enrich incoming event data with additional information from CSV or KV Store lookup tables.
|
Raw data ingestion using HTTP Event Collector (HEC) | Edge Processors can now receive raw, unformatted data using the services/collector/raw HEC endpoint. You can use Edge Processors to break the raw data into distinct events before routing the data to desired destinations.
|
November 17, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Updated workflow for configuring system connections | The connection between the tenant and the paired Splunk Cloud Platform deployment is now configured through the new System connections page instead of the Manage connections dialog box.
|
Additional pipeline partitioning options | The pipeline builder now provides more options for creating partitions.
|
November 8, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Updated workflows for sending data to specific Splunk indexes | You can now use the Target index action in the pipeline builder to configure your pipeline to send data to a specific Splunk index. Indexes in the tenant-paired Splunk Cloud Platform deployment are no longer displayed directly in the Destinations page, but you can view them by selecting the tenant-paired indexer destination and then selecting View indexes.
|
October 30, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Additional SPL2 functions | You can now use certain cryptographic functions, trigonometric and hyperbolic functions, and statistical eval functions in pipelines for Edge Processors.
|
October 27, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Updated diagnostic tool | The edge_diagnostic tool has been updated to fix an issue where the tool omits compressed log files. The checksum value associated with the diagnostic tool has been changed as a result of this update.
|
September 18, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Syslog data transmission | You can now configure Edge Processor to receive syslog data.
|
August 22, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Support for the split SPL2 function
|
You can now use the split evaluation function in pipelines for Edge Processors.
|
August 9, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Additional SPL2 functions | You can now use the following evaluation functions in pipelines for Edge Processors:
See SPL2 evaluation functions for Edge Processor pipelines for more information. |
August 4, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Availability on HIPAA, IRAP, and PCI DSS compliant cloud environments | Splunk Cloud Platform has attained a number of compliance attestations and certifications from industry-leading auditors as part of Splunk's commitment to adhere to industry standards worldwide and Splunk's efforts to safeguard customer data. Generally Available products and features that are currently in scope of Splunk's compliance program may not be a part of the third-party audit report until the next assessment cycle. The Edge Processor solution is in scope of the following compliance programs and will be audited at the next assessment cycle.
For additional information about compliance and certifications, see Compliance at Splunk. |
July 27, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
New pipeline builder | You can now utilize a streamlined process when creating pipelines for Edge Processors.
|
June 1, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Data transmission using HTTP Event Collector (HEC) | You can now configure Edge Processors to receive and send data using the services/collector HEC endpoint.
|
May 19, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Pipeline previews using parsed sample data | You can now generate pipeline previews using parsed data that has values stored in event fields. Parsed data must be in CSV format.
|
April 27, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Default Destination as part of Edge Processor configuration | You can now assign a default destination to each Edge Processor to route unprocessed data.
|
March 25, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Time extraction and normalization | The pipeline editor now provides time extraction and time format conversion. You can extract timestamp-related fields using delivered templates or write our own regular expressions to meet your use case.
|
March 16, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Search results as sample data | You can now use the Copy field values option to copy data values from search results. This capability lets you use data from the connected Splunk Cloud Platform deployment as sample data for previewing pipelines and source type configurations.
|
March 15, 2023
The Edge Processor solution now includes the following new features or enhancements.
New feature or enhancement | Description |
---|---|
Field extraction support | The pipeline editor now provides a dedicated user interface for configuring field extractions. You can preview the extracted field names and values as you configure your extractions, and select prewritten regular expressions for extracting common fields.
|
February 13, 2023
This is the first generally available release of the Edge Processor solution.
The following functionalities are available for administrators:
- Set up the Edge Processor solution. See First-time setup instructions for the Edge Processor solution and Quick start: Process and route data using Edge Processors.
- Set up an Edge Processor. See Set up an Edge Processor.
- Process and route data using pipelines. See Create pipelines for Edge Processors.
- Configure custom event breaking and merging behavior using source types. See Add source types for Edge Processors.
- Send data from forwarders to an Edge Processor. See Get data from a forwarder into an Edge Processor.
- View and configure destinations to route data to, including Splunk platform deployments and Amazon S3 buckets. See Add or manage destinations.
- View the health status and data flow metrics of an Edge Processor. See View data flow information about an Edge Processor.
Known issues
The Edge Processor solution is subject to the Tested and recommended service limits (Soft limits) in the Splunk Cloud Platform Service Details, as well as the following known issues.
Browsers
Multiple browser sessions are not supported since it is possible for users to try to edit the same pipeline in more than one browser session and make conflicting edits.
Edge Processors
The following limitations exist for Edge Processors:
Edge Processors provide no data delivery guarantees. Data loss can occur if an Edge Processor experiences high back pressure on connections to destinations, or when a data destination has a prolonged outage.
- If you uninstall or remove an Edge Processor instance using any method other than the uninstallation command provided in the Edge Processor service, the Manage instances panel shows the instance as being in the Disconnected status. You cannot exclude the instance from the list that is displayed in the Manage instances panel. For information about how to resolve this issue, see An Edge Processor instance that was previously "Healthy" is now "Disconnected".
- Only tenant administrators can create and view Edge Processors.
Forwarders
The following limitations exist for forwarders:
- The
useACK
property in outputs.conf must be disabled in forwarders that are sending data to Edge Processors. - Configurations defined in the props.conf file are not fully supported. Depending on the specific data transformations involved, the configurations of the props.conf files in forwarders and destination indexers can override or conflict with Edge Processor pipeline logic in unexpected ways. To minimize errors and troubleshooting, do one of the following:
- Use a pipeline that filters for the props.conf-transformed data and routes it to a destination without doing any additional processing.
- Specify a default destination for your tenant, and then make sure that the props.conf-transformed data is not handled by any pipelines that are applied to your Edge Processor. This configuration enables the Edge Processor to send the props.conf-transformed data to the default destination without doing any additional processing.
- If you are using a heavy forwarder, revert your props.conf settings to their defaults and use a pipeline to execute the necessary data transformations instead.
- You must use source types to configure the line breaking of events from forwarders. Line breaking definitions are specified in the source type configurations in the Edge Processor service. To apply line breaking to an event, you must ensure that the
sourcetype
value of the event matches the name of the relevant source type configuration.
HTTP Event Collector (HEC)
When you use an Edge Processor to receive or send data through HEC, the Enable indexer acknowledgement setting on the HEC token must be turned off.
Lookups
CIDR matching is not supported. When configuring your lookup definition, make sure that the Match type advanced option is not set to CIDR.
Metrics
Historical metrics presented in the detailed view of an Edge Processor do not include metrics for deleted pipelines.
Pipelines
The following limitations exist for pipelines:
- Only tenant administrators can create, edit, delete, apply, or remove pipelines.
- Some SPL2 functions work differently in Edge Processor pipelines than they do in searches. For example, regular expressions in functions are interpreted differently because Edge Processor pipelines support Regular Expression 2 (RE2) syntax while Splunk searches support Perl Compatible Regular Expressions (PCRE) syntax. See Edge Processor pipeline syntax for more information.
Splunk Cloud Experience tenants
When you go through the first-time setup process for the Edge Processor solution, you create a connection between your Splunk Cloud Experience tenant and your Splunk Cloud Platform deployment. This connection enables the tenant to surface specific indexes from that deployment as pipeline destinations.
The following limitations exist for this initial connection between your Splunk Cloud Experience tenant and your Splunk Cloud Platform deployment:
- You cannot connect your tenant to more than one Splunk Cloud Platform deployment using this method. To send data from a pipeline to an index that belongs to a different Splunk Cloud Platform deployment, you must configure a destination that corresponds to the indexer tier of that deployment and then include an
eval
expression that specifies the target index in your pipeline. For more information, see Sending data from Edge Processors to Splunk Cloud Platform or Splunk Enterprise. - If you create additional indexes in your Splunk Cloud Platform deployment after completing the first-time setup process, you must refresh the connection in order to make those indexes available in the tenant. For detailed instructions, see Make more indexes available to the tenant.
Admin Configuration Service | The Ingest Processor solution |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!