setrislam.blogg.se

Splunk .conf registration for partners

  • Requires access to Splunk Web on the search head as the sc_admin role, or as a member of a role with the list_ingest_rulesets and edit_ingest_rulesets capabilities.
  • Available for Splunk Cloud on AWS only.
  • The heavy forwarder must be running Splunk Enterprise for Linux.
  • To configure the destination on the Ingest Actions page, the heavy forwarders require access to Splunk Web as the admin role, or as a member of a role with the list_ingest_rulesets and edit_ingest_rulesets capabilities. You cannot configure the destination on the deployment server.
  • If you want the heavy forwarders to send data to an S3 destination, you must configure the S3 destination on each of the heavy forwarders individually, either through the Ingest Actions page on each forwarder or through an nf file on each forwarder.
  • The Ingest Actions page on the deployment server automatically creates the IngestAction_AutoGenerated server class and assigns that class to the forwarders.
  • For information on configuring deployment clients, see Configure deployment clients.
  • The heavy forwarders must be preconfigured as deployment clients of the deployment server where the data ingest configuration occurs.
  • Any rules created on the deployment server will apply only to the deployment clients, not to the deployment server itself (as, for example, if the deployment server is also functioning in some capacity as a standalone indexer).
  • It cannot service any other deployment clients.
  • The deployment server must be dedicated to the ingest actions heavy forwarder tier.
  • A maximum of ten heavy forwarders is supported.
  • Requires access to Splunk Web on the deployment server as the admin role, or as a member of a role with the list_ingest_rulesets and edit_ingest_rulesets capabilities.
  • The heavy forwarders and deployment server must each be running Splunk Enterprise for Linux.
  • Heavy forwarders managed through a deployment server
  • The standalone indexer cannot be configured to also function as a deployment server.
  • Requires access to Splunk Web as the admin role, or as a member of a role with the list_ingest_rulesets and edit_ingest_rulesets capabilities.
  • The indexer must be running Splunk Enterprise for Linux.
  • Requires access to Splunk Web on the cluster manager or on a connected search head as the admin role, or as a member of a role with the list_ingest_rulesets and edit_ingest_rulesets capabilities.
  • All nodes on the indexer cluster must be running Splunk Enterprise for Linux.
  • In the case of the Classic Experience, you need to explicitly deploy the ruleset. In the case of the Victoria Experience, the ruleset will be deployed automatically to the indexers.

    Use ingest actions to improve the data input process

    Ingest actions is a feature for routing, filtering, and masking data while it is streamed to your indexers. Each data transformation is expressed as a rule. You can apply multiple rules to a data stream, and save the combined rules as a ruleset. The Ingest Actions page in Splunk Web allows you to dynamically preview and build rules, using sample data.

    You can configure ingest actions for these deployment topologies:

  • Configure and preview the ruleset from the cluster manager or from a connected search head, which proxies to the cluster manager. You then explicitly deploy the ruleset to the cluster peer nodes.
  • Configure, preview, and save the ruleset directly on the indexer.
  • Heavy forwarders via deployment server. Configure the ruleset on a deployment server. The deployment server automatically deploys the ruleset to heavy forwarders configured as deployment clients.
  • Configure and save the ruleset directly on the forwarder.
  • Configure and preview the ruleset from your search head.