Use ingest actions to improve the data input process
Ingest actions is a feature for routing, filtering, and masking data while it is streamed to your indexers. Each data transformation is expressed as a rule. You can apply multiple rules to a data stream, and save the combined rules as a ruleset.
The Edge Processor solution is another Splunk data transformation service that you can use as an alternative to ingest actions. See Compare Ingest Actions to the Edge Processor solution for a comparison table.
The Ingest Actions page in Splunk Web allows you to dynamically preview and build rules, using sample data.
You can configure ingest actions for these deployment topologies:
- Indexer clusters. Configure and preview the ruleset from the cluster manager or from a connected search head, which proxies to the cluster manager. You then explicitly deploy the ruleset to the cluster peer nodes.
- Standalone indexers. Configure, preview, and save the ruleset directly on the indexer. The ruleset is effective immediately.
- Heavy forwarders via deployment server. Configure the ruleset on a deployment server. The deployment server automatically deploys the ruleset to heavy forwarders configured as deployment clients.
- Standalone heavy forwarders. Configure and save the ruleset directly on the forwarder. The ruleset is effective immediately.
- Splunk Cloud Platform. Configure and preview the ruleset from your search head. With the Victoria Experience, the ruleset is deployed automatically to the indexers. With the Classic Experience, you need to explicitly deploy the ruleset.