Splunk Edge Processor provides you with new abilities to filter, mask, and otherwise transform your data before routing it to supported destinations.
Note: You are currently at phase 3 in the Splunk Edge Processor getting started guide. Navigate to phase 1 for an overview of getting started with Edge Processor or to phase 2 for step-by-step guidance on configuring and deploying Edge Processor.
What gives Splunk Edge Processor its data transformation power is Splunk’s next-generation data search and preparation language, SPL2. SPL2 provides a powerful, flexible, and intuitive way for Splunk admins and data stewards to shape, enrich, filter, transform, and route data – in a manner familiar to Splunk's SPL users, while also introducing optional SQL syntax known to users around the world. Pipelines allow you to use SPL2 to construct filtering, masking and routing logic for your inbound data, so you can ingest only the data you need – nothing more, nothing less.
The videos below walk you through common use cases that Splunk Edge Processor can address, and will help you reduce ingest volume to optimize costs around data storage and transfer, protect sensitive information, and significantly improve your time to value.
Splunk Edge Processor is included with your Splunk Cloud Platform and is available at no additional cost. Learn more about the requirements to use Edge Processor and how to request access if you do not already have it.
Filter Kubernetes data over HTTP Event Collector (HEC)
This video walks you through how to build a pipeline to filter noisy events from Kubernetes pods using the HTTP Event Collector (HEC). Before building your pipeline, learn how to get data into Edge Processor using HEC to receive Kubernetes data. Then, follow along to quickly and easily start using Edge Processor to monitor and analyze your Kubernetes clusters.
Mask sensitive information
Splunk Edge Processor can help protect sensitive information by masking incoming data, allowing your business to comply with data privacy regulations. Watch the video for a demonstration of how masking logic can be applied to credit card information: the card number is extracted into a field and its value is replaced with a string of your choosing. By using similar masking logic, organizations can protect any sensitive information, for example personally identifiable information (PII), from unauthorized access before the data is indexed in the Splunk platform.
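The masking logic described above, as an added example of an SPL2 pipeline (not taken from the video or from Splunk's own material). The card number format (four hyphen-separated groups of four digits), the field name `card_number` and the replacement string `<redacted>` are assumptions chosen for illustration.

```spl2
// Added example: mask a card number in the raw event before it is routed.
// Assumed format: 1234-5678-9012-3456 (constructed; adjust the pattern to your data).
$pipeline = | from $source
    // Extract the card number from the raw event into a field named card_number (assumed name)
    | rex field=_raw /\b(?P<card_number>\d{4}-\d{4}-\d{4}-\d{4})\b/
    // Replace the extracted value inside _raw; events with no match are passed through unchanged
    | eval _raw = if(isnull(card_number), _raw, replace(_raw, card_number, "<redacted>"))
    // Drop the extracted field so the clear-text number is not sent on as a field
    | fields - card_number
    | into $destination;
```

Preview the pipeline against sample events before applying it, and check that the clear-text value no longer appears in either `_raw` or the field list.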
Modify raw events to remove fields and reduce storage
Splunk Edge Processor is an effective tool to reduce the size of the payload and only index fields that provide high value. Watch the video to learn how to remove unwanted fields from a raw event and reconstruct it with a reduced number of fields to optimize storage in the Splunk platform. Similar logic can be used to drop as many fields as desired to reduce your storage footprint and improve performance.
Other use cases to explore
- Blog: Cost-effective storage via large log reduction
- Lantern: Routing root user events to a special index
- Lantern: Masking IP addresses from a specific range
- Blog: Filter verbose data sources and transform content for Windows system events
- Blog: Addition of syslog in Splunk Edge Processor supercharges security operations with Palo Alto firewall log reduction
- Demo video: Security PAN firewall log reduction
- Join the #edge-processor Slack channel for direct support (request access: http://splk.it/slack)
- Tech Talk: Introducing Edge Processor
- .conf22 slides: Edge Processor: Just the data you want, nothing more, nothing less
- Blog: Data preparation made easy: SPL2 for Edge Processor
- Edge Processor release notes