Best practices for sending data from an Edge Processor to a dataset
Follow these best practices to ensure that the events you send out from your Edge Processors are compatible with federated searches.
In Splunk Cloud Platform deployments that are on version 10.4.2604 or higher, you can send data from Edge Processors to datasets that can be used as both pipeline destinations and data sources for federated searches.
To ensure that the events in these datasets can be retrieved by federated searches, follow these best practices:
| Best practice | Rationale |
|---|---|
| Do not send events that have different schemas to the same dataset. |
Inconsistent event schemas can prevent federated searches from being able to retrieve all of the intended data. Data processing actions that impact event schemas include the following: adding a field, removing a field, renaming a field, or converting the data type of a field. |
|
For events that match a known source type, process those events using a pipeline that's created from a template instead of a custom-configured pipeline. See Use templates to create pipelines for Edge Processors for more information. |
Templates are designed to maintain standardized schemas for events that are associated with known source types. Additionally, when you send out data that uses Parquet format, templates can ensure that the schema of the resulting Parquet output is at least partially compatible with federated searches. |
See also
For information about sending data from an Edge Processor to a dataset, see the following pages: