Ingest Actions: Data Access When, Where and How You Need It

One of the most exciting things about any .conf is the opportunity to unveil the new products and features we’ve built since last year’s event. This year, we return to our virtual conference center having completed two acquisitions and delivered over 43 major releases — and hundreds of smaller enhancements — across the product portfolio.

One of the most powerful changes we’ve announced to the Splunk platform is the way that our data ingest capabilities set up users for more intelligent investigation and decisive, effective action.

A hallmark of the last decade, at least, is the problem of having so much data that you can’t really make sense of any of it. Organizations need to be able to tap the right data to support business goals and to have mission-critical operational and event data at hand, all while maintaining compliance and data integrity. You should not be forced to leave data behind and create unnecessary blind spots. Just the opposite. You should have greater visibility.

Working effectively with growing volumes of data is now simpler, thanks to Ingest Actions, a new capability that’s currently available in beta.* Ingest Actions allows users to rapidly author, preview and deploy transformation rules at ingest-time with an intuitive user interface. Customers will also now be able to instantly route data to external S3-compliant destinations for archival or audit purposes. With Ingest Actions, users can focus on bringing their high-value data to Splunk, and ensure that data is available at the right time, in the right places, and in the right structure.

Data masking, filtering and routing are all done with simple clicks — no writing command lines, or hand-writing stanzas in configuration files. A common use case we see for data masking is removing sensitive information such as user names. With the new Ingest Actions feature, you simply click to add a new rule, specify what needs to be redacted, and the expression you want to mask it with. You can iterate quickly and validate rules before deploying them in a distributed environment.

Filtering and routing data are equally easy. Simply select which subset of data you want to route to an S3 destination and deploy with a click! You have now filtered out your less important data, while ensuring that you have access to it should a need arise, such as a security or compliance audit 6 months down the road.

Ingest Actions makes it effortless to manage and deploy transformation rules at ingest-time so that you can make the best decision on how to leverage Splunk. Ingest Actions is available in preview and customers are testing it in their environments right now. It’s another way that we’re improving the Splunk platform and the user experience, all to let users focus on bringing more data into Splunk to drive great insights and effective actions.

*Features available in preview for Splunk Enterprise are accessible via the Splunk Enterprise Beta program. For the purposes of this release, preview and beta are used interchangeably.

Follow all the conversations coming out of #splunkconf21!

Posted by Izzy Park

Izzy Park is Director of Product Management, Core Products at Splunk.
