Stream Processor Service

Stream Processor Service Templates and Examples


Getting started with the templates

Templates are predefined pipelines that allow you to get started quickly with the Stream Processor Service. The Stream Processor Service comes with several Splunk-built templates, called Default Templates, that you can use right away. We strongly recommend that you use a template to create a pipeline when possible, because templates significantly reduce the development time for building pipelines, allowing you to be productive with the Stream Processor Service immediately.

The following table describes the two types of Default Templates that are available.

| Template type | Description |
| --- | --- |
| Example template | Use the Example templates as a reference to learn how the Stream Processor Service can manipulate and transform your data. Example templates include sample data, so you can start a preview session and click through each function in the template to see how the data is being transformed every step of the way. We recommend starting here if you'd like to see an in-product demo with sample data on common use cases. Later, when you want to create and activate a pipeline for a production use case, we recommend that you use a Quick Start template. |
| Quick Start template | Use the Quick Start templates to use the Stream Processor Service to perform a specific use case in production with minimal configuration required. |

Example templates

The following table describes the "Example" templates that are available in the Stream Processor Service.

| Template name | Description |
| --- | --- |
| Example: Aggregating Windows Event Logs by Host and EventCode | Use this template as an example of how to summarize security logs by the host and EventCode fields. This template counts, for each value of host and EventCode, the number of times that host and EventCode appeared in a given period of time. See Example: Aggregating Windows Event Logs by Host and EventCode |
| Example: Convert Logs to Metrics | Use this template as an example of how to turn log data into metric data points. This template converts metric-based JSON into the metric schema format compatible with the Splunk HTTP Event Collector. See Example: Convert Logs to Metrics |
| Example: Format Windows Security Logs into JSON Format | Use this template as an example of how to format Windows security logs into JSON format. See Example: Format Windows Security Logs into JSON Format |
| Example: Mask Sensitive Data | Use this template as an example of how to mask sensitive information from your data before sending it to a destination. See Example: Mask Sensitive Data |
| Example: Processing AWS CloudTrail and VPC Flow Logs | Use this template as an example of how to process Amazon Web Services CloudTrail and Virtual Private Cloud logs. See Example: Processing AWS CloudTrail and VPC Flow Logs |
| Example: Route Data to Multiple Destinations | Use this template as an example of how to route data to multiple different destinations. See Example: Route Data to Multiple Destinations |

Quick Start templates

The following table describes the "Quick Start" templates that are available in the Stream Processor Service.

| Template name | Description |
| --- | --- |
| Quick Start: Filter and Summarize CISCO ASA Inbound and Outbound Traffic | This template collects processed Cisco ASA data, sets a source type, and properly timestamps the Cisco ASA data before sending it to a Splunk index. In addition, this template filters and summarizes Cisco ASA inbound and outbound traffic. Summarized traffic statistics are sent as metrics to a Splunk metrics index. See Quick Start: Filter and Summarize Cisco ASA Inbound and Outbound Traffic |
| Quick Start: Filter and Summarize NGINX Access Logs | This template collects NGINX access logs, removes all 200 event codes to reduce noise, and forwards all other NGINX events to a Splunk index. In addition, this template summarizes average bytes sent by NGINX grouped by src_ip, request_method, response_code, and access_request (uri). These summarized statistics are sent as metrics to a Splunk metrics index with the grouped fields as dimensions. See Quick Start: Filter and summarize NGINX access logs |
| Quick Start: Format Linux Performance Monitoring Data for Splunk Infrastructure Monitoring | This template converts Linux Performance Monitoring (perfmon) events into Splunk Infrastructure Monitoring metrics and then sends that data to a Splunk index. See Quick Start: Format Linux Performance Monitoring Data for Splunk Infrastructure Monitoring |
| Quick Start: Format Windows Performance Monitor Data for Splunk Infrastructure Monitoring | This template formats Windows Performance Monitor Data into a format compatible with Splunk Infrastructure Monitoring. In addition, this template includes an optional function which normalizes field names into the names that Splunk Infrastructure Monitoring expects for its built-in dashboards. See Quick Start: Format Windows Performance Monitor Data for Splunk Infrastructure Monitoring |
| Quick Start: Mask Credit Card Numbers | This template detects and masks credit card numbers in your data. Credit card numbers from Visa, Mastercard, American Express, Diners Club, Discover, and JCB are supported. This template anonymizes the information by redacting all but the last four digits of each credit card number before sending the data to a Splunk index. Any data that doesn't contain credit card numbers is sent unchanged to the same Splunk index. See Quick Start: Mask Credit Card Numbers |
| Quick Start: Mask Social Security Numbers | This template detects and masks social security numbers (SSNs) in your data. This template anonymizes the information by redacting the first five digits of each SSN before sending the data to a Splunk index. See Quick Start: Mask Social Security Numbers |
| Quick Start: Reduce Licensing Usage for Windows Security Logs | This template collects Windows Event Logs from a forwarder, removes the verbosity that is often included in Windows Security Logs, and then routes that data to a specified Splunk index. By removing the verbose text that is often found in Windows Security Logs, you can reduce Splunk licensing costs and make your searches more performant. See Quick Start: Reduce Licensing Usage for Windows Security Logs |

Last modified on 24 August, 2021

This documentation applies to the following versions of Stream Processor Service: standard

