Requirements

Indexer cluster

  • Requires access to Splunk Web on the cluster manager or on a connected search head as the admin role, or as a member of a role with the list_ingest_rulesets and edit_ingest_rulesets capabilities.
CAUTION: If accessing an indexer cluster through a search head, the search head must be connected to only a single indexer cluster.

Standalone indexer

  • Requires access to Splunk Web as the admin role, or as a member of a role with the list_ingest_rulesets and edit_ingest_rulesets capabilities.
  • The standalone indexer cannot be configured to also function as a deployment server.

Heavy forwarders managed through a deployment server

  • Requires access to Splunk Web on the deployment server as the admin role, or as a member of a role with the list_ingest_rulesets and edit_ingest_rulesets capabilities.
  • The deployment server must be dedicated to the ingest actions heavy forwarder tier. It cannot service any other deployment clients.
  • Any rules created on the deployment server will apply only to the deployment clients, not to the deployment server itself (as, for example, if the deployment server is also functioning in some capacity as a standalone indexer).
  • The heavy forwarders must be preconfigured as deployment clients of the deployment server where the data ingest configuration occurs. For information on configuring deployment clients, see Configure deployment clients.
  • For the live capture feature on the deployment server, a maximum of ten heavy forwarders are used to collect sample events. When deploying Ingest Action rulesets from a deployment server to a fleet of deployment clients, Splunk supports a soft limit of up to 1,000 heavy forwarders.
  • The Ingest Actions page on the deployment server automatically creates the IngestAction_AutoGenerated server class and assigns that class to the forwarders.
  • If you want the heavy forwarders to send data to an S3 destination, you must configure the S3 destination on each of the heavy forwarders individually, either through the Ingest Actions page on each forwarder or through an outputs.conf file on each forwarder. You cannot configure the destination on the deployment server. To configure the destination on the Ingest Actions page, the heavy forwarders require access to Splunk Web as the admin role, or as a member of a role with the list_ingest_rulesets and edit_ingest_rulesets capabilities.

Standalone heavy forwarder

  • Requires access to Splunk Web as the admin role, or as a member of a role with the list_ingest_rulesets and edit_ingest_rulesets capabilities.

Splunk Cloud Platform

  • Available for Splunk Cloud on AWS, GCP, and Azure.
    • Availability for Splunk Cloud on GCP is limited to deployments running version 9.1.2312 or higher.
    • Availability for Splunk Cloud on Azure is limited to deployments running version 9.3.2408 or higher.
    • Routing is only supported to a default Splunk destination for Ingest Actions on GCP or Azure.
    • Routing to S3 or a default Splunk destination is available for Ingest Actions on AWS. Routing to GCP or Azure destinations is not supported on AWS.
  • Requires access to Splunk Web on the search head as the sc_admin role, or as a member of a role with the list_ingest_rulesets and edit_ingest_rulesets capabilities.