The ingest layer () in Splunk Enterprise and Splunk Cloud Platform is responsible for receiving, parsing, and routing incoming data before indexing. It handles input collection (S2S, HEC, syslog, files), line breaking, timestamp extraction, metadata assignment (sourcetype, source, host), load balancing, compression, and delivery acknowledgments.  The ingest layer ensures data correctness, durability, and efficient distribution to indexers for search and analytics.

Heavy Forwarder has been the authoritative runtime for ingest-time processing in Splunk, handling timestamp extraction, line breaking, delivery guarantees, load balancing, and the parsing logic embedded in Technical Add-ons (TAs). This logic is foundational for data correctness, durability, and trust.  When Splunk Edge Processor was launched, it introduced a modern, scalable architecture built for distributed data processing.

Reimplementing the ingest logic feature-by-feature is not a long-term strategy for Edge Processor.  At Splunk we are taking an easier approach for organizations.

A New Model: Heavy Forwarder + Edge Processor, Working Together

Instead of replacing Heavy Forwarder, we’re integrating it with Edge Processor.  We are introducing what we call a unified Intermediate Forwarding Tier (IFT), a hybrid architecture where Heavy Forwarder and Edge Processor run side-by-side on the same node.  Each component does what it does best:

• Heavy Forwarder remains the source of truth for line breaking, timestamp extraction, delivery semantics, and load balancing.
• Edge Processor executes modern, flexible SPL2 pipelines and advanced transformations downstream.

This isn’t a workaround.  It’s a strategic convergence.  Customers currently use a Heavy Forwarder in front of the Edge Processor in their pipelines to get certain linebreaking rules and timestamp creation, passing the data on to Edge Processor for further processing.  This leads to more overhead, administration and cost for their data pipelines.

Moving to Edge Processor shouldn’t require rewriting the foundations of your data platform. Today, many customers face a difficult tradeoff:

• Keep Heavy Forwarders to preserve ingest guarantees
• Or move to Edge Processor and re-author parsing logic in SPL2

With a unified IFT these tradeoffs are eliminated.  Customers get:  

• Timestamp extraction matching Heavy Forwarder behavior
• All splunk-supported line-breaking rules are honored
• Existing props.conf and transforms.conf logic can be reused
• No forced SPL2 rewrites are required for existing TAs

This minimizes any disruption moving to using Edge Processor. Data ingestion is not just plumbing. By keeping Heavy Forwarder in the ingest path, we preserve those guarantees while unlocking new capabilities. Whether you manage hundreds of Heavy Forwarders, operate complex TA ecosystems, or require strict compliance around ingest behavior, the unified IFT architecture meets you where you are. 

Join the Preview: The Next Evolution of Ingest Is Here

Modernizing your ingest architecture shouldn’t mean rewriting years of trusted configuration.  For many customers, that tradeoff hasn’t made the adoption of Splunk Edge Processor easy. While Edge Processor delivers powerful SPL2-based transformation and routing capabilities, enterprises rely on decades of ingest logic built into Splunk Enterprise Heavy Forwarder (Heavy Forwarder).  These are not optional capabilities. They are foundational to data integrity and operational trust.  Today, we’re excited to invite you to preview this major step forward.  The will run for approximately 12 weeks.  Customers can expect:

• Guided onboarding
• Direct access to product and engineering teams
• Structured feedback sessions
• Support for testing key ingest behaviors

Customer Profile

The program is limited to certain customer profiles.  Customers who sign up will:

1. Need to be using Edge Processor on Splunk Cloud Platform.
2. Be familiar with SPL2.
3. Use or be willing to test with Splunk to Splunk (S2S) source/destination.How to sign up:

The program will run for 10-12 weeks. It will begin March 15, 2026, and end June 16, 2026. Customers will be expected to provide feedback and log bugs so that the engineering team can address them in the final release.

Customers can go to the Voice of the Customer portal or directly to the Alpha Preview link to sign up. Once there, they can fill out the survey, and we will contact you as we get closer to March 15.