Splunk Lantern

Getting started with Splunk Edge Processor

 

Splunk Edge Processor is the latest innovation in data preprocessing. It offers more efficient, flexible data transformation – helping you reduce noise, control costs, and gain visibility and control over your data in motion. It works at the edge of your network. You can use it to filter, mask, and transform your data close to its source before routing the processed data to the environment of your choice.

With Splunk Edge Processor, you can:

  • Filter low-value or noisy data, like debug logs.
  • Enrich and extract only the critical data.
  • Route different “slices” of data to Splunk platform and Amazon S3.

Benefits and value of Splunk Edge Processor

  • Reduce noise
  • Reduce costs associated with data ingest
  • Enrich data with more context
  • Mask sensitive data (for example PII)
  • Reduce log volume and size
  • Gain increased visibility into streaming data 
  • Reduce search time
  • Transform data more efficiently and flexibly 
  • Control centrally through cloud control plane
  • Leverage SPL2 for advanced data processing
  • Simplify data routing through a guided pipeline builder
  • Compute at a much faster rate, with fewer compute resources required compared to ingest actions or heavyweight forwarders

Splunk Edge Processor is included with your Splunk Cloud Platform, available at no additional cost. Learn more about the requirements to use Edge Processor and how to request access if you do not already have it. 

How Splunk Edge Processor works

Splunk Edge Processor combines Splunk-managed cloud services, on-premises data processing software, and SPL2 to support data processing at the edge of your network. It allows you to ingest data into Splunk, S3, or other systems. The service is delivered through the cloud control plane, while an Edge Processor node installed in the customer's infrastructure does the data processing (that is, it acts as the data plane). Learn more about the Edge Processor system architecture.

Using simple-to-deploy nodes, Splunk Edge Processor allows you to filter, route and process data generated by Splunk Forwarders and other sources before it is ingested into Splunk Enterprise or Splunk Cloud Platform. You define where you want to deploy the Edge Processor nodes, as well as the Edge Processor node name, description, and tags.

When Splunk Edge Processor nodes are deployed, you control the destinations to which your Edge Processors and pipelines send data. You can also configure a “default destination” per Edge Processor node to route unprocessed data. If you don't specify a default destination, Edge Processors will drop unprocessed data by default.

As a user, you can configure SPL2-based pipelines to filter, mask, transform, and route data to destinations using the pipeline builder. It supports most SPL2-based commands for pre-ingest data processing (for example, regex and eval). Learn more about SPL2 profiles and view a command compatibility matrix by product for SPL2 commands and eval functions.

  • Supported sources: S2S, HEC, RawHEC, and syslog
  • Supported destinations: S2S, HEC, and AWS S3
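
A pipeline of the kind described above, as an added example (not from the original page or from Splunk's own material): it drops debug events, masks two kinds of PII in `_raw`, and sends the result to the pipeline's destination. The regular expressions and redaction strings are constructed for illustration; `$source` and `$destination` are the parameters that the pipeline builder binds to the incoming data you select and the destination you choose.

```spl2
/*
 * Added example pipeline (patterns below are illustrative assumptions):
 *   1. Filter: discard events whose raw text contains the token DEBUG.
 *   2. Mask:   replace US-SSN-shaped numbers (NNN-NN-NNNN) in _raw.
 *   3. Mask:   replace e-mail addresses in _raw.
 *   4. Route:  send whatever remains to the configured destination.
 * Masking runs on the Edge Processor node, so the original values
 * never reach the Splunk platform or Amazon S3.
 */
$pipeline = | from $source
    | where NOT match(_raw, /\bDEBUG\b/)
    | eval _raw = replace(_raw, /\b\d{3}-\d{2}-\d{4}\b/, "<ssn-redacted>")
    | eval _raw = replace(_raw, /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/, "<email-redacted>")
    | into $destination;
```

Only data that enters this pipeline is masked. Unprocessed data goes to the node's default destination, or is dropped when none is configured, so check which of the two applies before relying on the pipeline for PII handling.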

The capabilities and limitations of Edge Processor, as of Splunk Cloud Platform version 9.1.2308, are:

  • Supported actions: Filtering, transforming, masking, routing (stateless, lightweight operations), lookups, cryptographic functions, and stats functions
  • In the roadmap: Dynamic sampling, dedup, and summarizing
  • Not supported: Data decryption

How to get started

Log in to Splunk Cloud Platform and navigate to the Splunk Data Management console to start using Splunk Edge Processor today. You only need to copy and paste a command line into your Linux machine to install your first Splunk Edge Processor node.

You can access Splunk Edge Processor in the following ways:

  • If you are using the Splunk Web UI, from the homepage, click Settings > Add data > Edge Processor.
  • You can also navigate directly to Edge Processor using the following link: https://px.scs.splunk.com/<your Splunk cloud tenant name>/data-management/

Next steps

Review the additional resources below, then click the Next step button to learn how to configure and deploy your first Splunk Edge Processor with step-by-step guidance.