Access and edit the Ingest Actions page

The process of accessing the Ingest Actions page varies slightly depending on the deployment topology.

On indexer clusters

For Splunk Enterprise indexer clusters, you can create a ruleset either on the cluster manager or on a connected search head. If you use a connected search head, it proxies the configuration to the cluster manager. When finished, you must explicitly deploy the ruleset configuration to the set of peer nodes.

Perform these steps:

  1. On the cluster manager or connected search head, select Settings > Data > Ingest Actions.
  2. If routing to S3, add an S3 destination through the Destinations tab.
  3. Through the Rulesets tab:
    1. Provide a ruleset name and description.
    2. In the Event Stream, provide a source type for the data preview.
    3. Add a rule. Descriptions are provided below.
    4. Use the data preview to review the impact of the rule on your data source.
    5. Add additional rules as needed.
    6. Save your rules in the ruleset.
  4. Once the ruleset has been saved, either directly on the cluster manager or through the search head, you must deploy the ruleset to the set of peer nodes. See Deploy a ruleset on an indexer cluster.
  5. Use Splunk Search to validate the changes to your data.

Note: If you edit or delete an existing destination, the peer nodes do not undergo a rolling restart when the changes are deployed.

On standalone indexers

For Splunk Enterprise indexers, perform these steps to create a ruleset:

  1. On the indexer, select Settings > Data > Ingest Actions.
  2. If routing to S3, add an S3 destination through the Destinations tab.
  3. Through the Rulesets tab:
    1. Provide a ruleset name and description.
    2. In the Event Stream, provide a source type for the data preview.
    3. Add a rule. Descriptions are provided below.
    4. Use the data preview to review the impact of the rule on your data source.
    5. Add additional rules as needed.
    6. Save your rules in the ruleset. The updates are effective immediately on the indexer.
  4. Use Splunk Search to validate the changes to your data.

Note: If you edit or delete an existing destination, you do not need to restart the instance for the changes to take effect.

On heavy forwarders managed through a deployment server

For Splunk Enterprise heavy forwarders managed through a deployment server, perform these steps to create a ruleset:

  1. On the deployment server, select Settings > Data > Ingest Actions.
  2. If routing to S3, add an S3 destination directly on each heavy forwarder, as described in the note below.
  3. Through the Rulesets tab:
    1. Provide a ruleset name and description.
    2. In the Event Stream, provide a source type for the data preview.
    3. Add a rule. Descriptions are provided below.
    4. Use the data preview to review the impact of the rule on your data source.
    5. Add additional rules as needed.
    6. Save your rules in the ruleset. The deployment server saves the ruleset in the splunk_ingest_actions app for the IngestAction_AutoGenerated server class. It then automatically deploys the app to all members of the IngestAction_AutoGenerated server class, first adding all forwarders to that class, if necessary. The ruleset takes effect immediately.
  4. Use Splunk Search to validate the changes to your data.

Note: If you want the heavy forwarders to send data to an S3 destination, you must configure the destination individually on each heavy forwarder before creating the ruleset on the deployment server. Select Settings > Data > Ingest Actions on each heavy forwarder and configure the destination. Alternatively, you can create the destination in outputs.conf on each forwarder.

If you edit or delete an existing destination, you do not need to restart the forwarder for the changes to take effect.
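
A sketch of the outputs.conf alternative mentioned in the note above, added here as an example and not taken from Splunk's own documentation or configuration. The stanza name, bucket, prefix and region are constructed placeholders, and the example assumes the forwarder gets its AWS credentials from the host rather than from keys stored in the file.

```ini
# Added example: S3 destination for Ingest Actions, defined in outputs.conf
# on each heavy forwarder. All values below are constructed placeholders.

[rfs:ia_s3_archive]
# Bucket and key prefix that routed events are written under.
path = s3://example-ingest-archive/hf-routed

# Regional HTTPS endpoint for the bucket.
remote.s3.endpoint = https://s3.us-east-1.amazonaws.com

# Server-side encryption for the objects written to the bucket.
remote.s3.encryption = sse-s3

# remote.s3.access_key and remote.s3.secret_key are deliberately not set.
# Assumption: the forwarder obtains credentials from its host (for example
# an instance role), so no static keys are stored in this file.
```

Check the setting names against the outputs.conf.spec file shipped with the installed version before deploying, and restrict the credentials used to write access on the one bucket and prefix.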

On standalone heavy forwarders

For Splunk Enterprise heavy forwarders, perform these steps to create a ruleset:

  1. On the heavy forwarder, select Settings > Data > Ingest Actions.
  2. If routing to S3, add an S3 destination through the Destinations tab.
  3. Through the Rulesets tab:
    1. Provide a ruleset name and description.
    2. In the Event Stream, provide a source type for the data preview.
    3. Add a rule. Descriptions are provided below.
    4. Use the data preview to review the impact of the rule on your data source.
    5. Add additional rules as needed.
    6. Save your rules in the ruleset. The updates are effective immediately on the heavy forwarder.
  4. Use Splunk Search to validate the changes to your data.

Note: If you edit or delete an existing destination, you do not need to restart the forwarder for the changes to take effect.

On Splunk Cloud Platform

For Splunk Cloud Platform, perform these steps to create a ruleset:

  1. On the search head, select Settings > Data > Ingest Actions. In some circumstances, you might need to first select the "Show All Settings" button under Settings.
  2. If routing to S3, add an S3 destination through the Destinations tab.
  3. Through the Rulesets tab:
    1. Provide a ruleset name and description.
    2. In the Event Stream, provide a source type for the data preview.
    3. Add a rule. Descriptions are provided below.
    4. Use the data preview to review the impact of the rule on your data source.
    5. Add additional rules as needed.
    6. Save your rules in the ruleset. On the Victoria Experience, the ruleset deploys immediately. On the Classic Experience, you must explicitly deploy the ruleset with the Deploy button at the top right of the Ingest Actions page.
  4. Use Splunk Search to validate the changes to your data.