Indexing data with Splunk
When we processed the data file in the previous chapter, we uploaded the data and Splunk
processed and indexed it. It is worthwhile to examine a bit further what happens
when indexing takes place:
1. Creating an index actually requires two steps: parsing and indexing. The parsing
step adds metadata, which always includes the host, source, and sourcetype. The
indexing step takes the events, splits them into searchable segments, and finally
creates the index and raw data files.
2. After this happens, the data can be easily searched through Splunk. The following
screenshot shows how the data is brought into Splunk by forwarders. A forwarder takes
data from a source, such as a web server, and then sends it to a full instance of
Splunk:
This diagram shows how Splunk uses forwarders to take data from complex IT
infrastructures and then send it to be indexed and searched.
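
A minimal forwarder setup matching the description above, given as an added example that is not from the book. The host names, the log path, the receiving port 9997, the output group name, and the choice of sourcetype and index are assumptions made for illustration.

```ini
# --- On the forwarder (the web server): inputs.conf ---
# Watch the web server's access log. The monitored file path becomes
# the "source" metadata field of every event read from it.
[monitor:///var/log/apache2/access.log]
# "host" metadata field (hypothetical host name)
host = web01.example.com
# "sourcetype" metadata field (assumed: Apache combined log format)
sourcetype = access_combined
# Index the events are written to on the receiving instance
index = main

# --- On the forwarder: outputs.conf ---
# Send everything this forwarder collects to the full Splunk instance.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Hypothetical indexer address and receiving port
server = splunk-idx.example.com:9997

# --- On the full Splunk instance: inputs.conf ---
# Listen for data sent by forwarders on the same port.
[splunktcp://9997]
disabled = 0
```

Once events arrive, a search such as `index=main sourcetype=access_combined host=web01.example.com` selects them by exactly the three metadata fields assigned above.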