Skip to main content
Splunk Lantern

Using ingest actions in Splunk Enterprise


You are a Splunk user who needs to be able to mask and filter your data easily. Ingest actions allow you to quickly author, preview, and deploy transformation rules at ingest time, through an intuitive user interface. These rulesets allow you to define one or more rules with a few clicks, allowing you to mask, truncate, route, or eliminate data without having to access the command line or hand write stanzas in configuration files.


The video shows you how to use ingest actions to:

  • Author, preview, and deploy transformation rules at ingest time.
  • Route data to a Splunk index or AWS S3 destination.
  • Anonymize account numbers and filter out events for a specific employee or location.
  • Manage, edit, or delete rulesets from the ingest actions menu page.

Next steps

This article has been brought to you by Splunk Education. We’ve learned that the strongest superheroes up-skill with Splunk Education. That’s why we are making Splunk training easier and more accessible than ever with more than 20 self-paced, free eLearning courses. You can start with foundational courses like Intro to Splunk or dive into more advanced courses like Search Under the HoodResult Modification, and many more. Enroll today so you have the skills to detect the good, the bad, and the unproductive.

In addition, these resources might help you understand and implement this guidance: