Change an existing data source to use Kafka ingestion

You can change an existing data source to use Kafka ingestion. For example, if you have a large existing data source that is not using Kafka ingestion and is negatively affecting performance, you can change the data source to use Kafka ingestion to try to improve performance.

Perform the following steps to change an existing data source to use Kafka ingestion:

1. In Splunk UBA, select Manage > Data Sources.
2. Select the data source you want to stop, and then click Stop.
3. Click Edit to edit the data source configuration.
4. In the Edit Data Source window, select the Kafka Ingestion checkbox in the Connector Type field.
5. Navigate through the remainder of the screens, and then click OK at the end to finish modifying the data source.
6. On the data source details page, click Start to restart the data source.

When configuring a custom Splunk data source for Kafka ingestion, make sure that the custom SPL used in the data source query only uses commands that can run on Splunk indexers. If a custom data source query includes a command that cannot be run on Splunk indexers, Kafka ingestion will not be properly distributed out and will only run on the search head. To learn which commands can run, see Processing attributes in the Search Manual.