Using ingest actions in Splunk Enterprise
You are a Splunk user who needs to be able to mask and filter your data easily. Ingest actions allow you to quickly author, preview, and deploy transformation rules at ingest time, through an intuitive user interface. These rulesets allow you to define one or more rules with a few clicks, allowing you to mask, truncate, route, or eliminate data without having to access the command line or hand write stanzas in configuration files.
Solution
The video shows you how to use ingest actions to:
- Author, preview, and deploy transformation rules at ingest time.
- Route data to a Splunk index or AWS S3 destination.
- Anonymize account numbers and filter out events for a specific employee or location.
- Manage, edit, or delete rulesets from the ingest actions menu page.
Next steps
In addition, these resources might help you understand and implement this guidance:
- Splunk Docs: Use ingest actions to improve the data input process
- Product tip: Sampling data with ingest actions for data reduction
- Product tip: Reducing low-value data ingestion to improve license usage