Both Splunk Enterprise and Splunk Cloud Platform offer a variety of data management capabilities and services to process and transform your data prior to indexing. See more details for each available solution in the table below.
| | Ingest Processor | Edge Processor on Splunk Cloud Platform | Edge Processor on Splunk Enterprise | Ingest Actions |
| --- | --- | --- | --- | --- |
| Platform availability | Splunk Cloud Platform | Splunk Cloud Platform | Splunk Enterprise (version 10.0 and up) | Splunk Cloud Platform and Splunk Enterprise |
| Description | Ingest Processor is a Splunk Cloud Platform capability that allows you to process data using SPL2 at the time of data ingestion. See: About Ingest Processor | Edge Processor is a Splunk product that allows you to process data using SPL2 before you send that data out of your network to external destinations. You use a Splunk-managed cloud service to deploy and manage on-premises Edge Processors at the edge of your network. See: About Edge Processor on Splunk Cloud Platform | Edge Processor is a Splunk product that allows you to process data using SPL2 before you send that data out of your network to external destinations. You use a centralized control plane hosted within your Splunk Enterprise deployment to deploy and manage on-premises Edge Processors at the edge of your network. See: About Edge Processor on Splunk Enterprise | Ingest actions is a feature for routing, filtering, and masking data while it is streamed to your indexers. See: Use Ingest Actions |
| Access | Requires activation for Splunk Cloud Platform users. Ask a Splunk sales representative for access to the Ingest Processor solution if you are already a Splunk Cloud Platform user. See: Request Ingest Processor on your Splunk Cloud Platform stack; First-time setup instructions for Ingest Processor solution | Requires activation for Splunk Cloud Platform users. Ask a Splunk sales representative for access to the Edge Processor solution if you are already a Splunk Cloud Platform user. See: Get started with the Edge Processor solution | Requires an administrator to set up a data management control plane in your Splunk Enterprise deployment, and then enable the Edge Processor service on this control plane. See: Set up a data management control plane; First-time setup instructions for the Edge Processor solution | Requirements vary depending on your deployment topology. In general, you must have access to Splunk Web as either the `admin` or `sc_admin` role, or be a member of a role with the `list_ingest_rulesets` and `edit_ingest_rulesets` capabilities. See: Access the Ingest Actions page |
| Cost | Two pricing tiers based on ingestion volume. See: Ingest Processor subscription tiers | Included with Splunk Cloud Platform | Included with Splunk Enterprise | Included with Splunk Cloud Platform and Splunk Enterprise |
| Supported data sources | All data sources supported by Splunk Cloud Platform deployments on Victoria Experience. | Forwarders; HTTP clients and logging applications through the HTTP Event Collector (HEC); Syslog devices; Splunk Connect for Syslog (SC4S). See: Get data into Edge Processors | Forwarders; HTTP clients and logging applications through the HTTP Event Collector (HEC); Syslog devices; Splunk Connect for Syslog (SC4S). See: Get data into Edge Processors | All data sources supported by the Splunk platform. |
| Supported data destinations | Amazon S3 (new-line JSON and parquet); Indexes on the same Splunk Cloud Platform deployment as Ingest Processor; Splunk Observability Cloud. See: Send data out from Ingest Processor | Amazon S3 (new-line JSON and parquet); Splunk Enterprise; Splunk Cloud Platform. See: Send data out from Edge Processors | Amazon S3 (new-line JSON in all versions and parquet in version 10.2 and up); Splunk Enterprise; Splunk Cloud Platform. See: Send data out from Edge Processors | Amazon S3; Splunk Enterprise; Splunk Cloud Platform; Local file system |
| Transformation capabilities | Relies on Splunk Search Processing Language, version 2 (SPL2), which allows you to create tightly defined logic to transform data through pipelines. | Relies on Splunk Search Processing Language, version 2 (SPL2), which allows you to create tightly defined logic to transform data through pipelines. | Relies on Splunk Search Processing Language, version 2 (SPL2), which allows you to create tightly defined logic to transform data through pipelines. | Transforms data through rulesets, which are defined through drop-down menu options, offering more ease of use but less detailed options. |
| Where data processing takes place | In Splunk Cloud Platform | At the edge of your network, close to the data source. | At the edge of your network, close to the data source. | On your heavyweight forwarder or indexers |
| Data processing capabilities | Filter and mask; Hash fields; Enrich with lookups; Extract fields; Extract timestamps; Extract JSON fields; Generate logs into metrics; Convert to OCSF format; Decrypt data; Aggregate event data | Filter and mask; Hash fields; Enrich with lookups; Extract fields; Extract timestamps; Convert to OCSF format; Decrypt data; Aggregate event data | Filter and mask; Hash fields; Enrich with lookups; Extract fields; Extract timestamps | Filter and mask; Specify index; Route to destination. See: Create a ruleset with the Ingest Actions page |
| Release frequency | Releases outside of Splunk Cloud Platform | Releases monthly | Releases alongside Splunk Enterprise | Releases alongside Splunk Enterprise and Splunk Cloud Platform |
| Documentation | Use Ingest Processors; Ingest Processor Solution Release Notes | Use Edge Processors for Splunk Cloud Platform; Edge Processor Solution Release Notes; Edge Processor Validated Architecture | Use Edge Processors for Splunk Enterprise; Splunk Enterprise Release Notes | Use Ingest Actions; Splunk Enterprise Release Notes; Splunk Cloud Platform Release Notes |