Splunk Concepts: Difference between revisions
(8 intermediate revisions by the same user not shown) | |||
Line 4: | Line 4: | ||
=Event= | =Event= | ||
{{ExternalLabel|https://docs.splunk.com/Splexicon:Event|event}} | |||
=Segment= | =Segment= | ||
Line 24: | Line 26: | ||
Splunk extracts [[#Field|fields]] from [[#Event|events]] when indexing. | Splunk extracts [[#Field|fields]] from [[#Event|events]] when indexing. | ||
==Index== | |||
The ''index'' is the repository for data. During the ''indexing'' process, the raw event data are transformed into searchable [[#Event|events]], and the data that allows searching reside in flat index files on the Splunk instance known as ''indexer''. | |||
{{ExternalLabel|https://docs.splunk.com/Splexicon:Index|index}} | |||
===All Indexes=== | |||
To get the list of all available indexes: | |||
<pre> | |||
| eventcount summarize=false index=* index=_* | dedup index | fields index | |||
</pre> | |||
=Searching= | =Searching= | ||
=Search= | |||
{{External|https://docs.splunk.com/Splexicon:Search}} | |||
{{External|http://docs.splunk.com/Documentation/Splunk/6.6.1/Search/Usethesearchcommand}} | |||
A ''search'' has the same semantics as the query. | |||
=Forwarding Agent= | =Forwarding Agent= | ||
Line 38: | Line 62: | ||
In most respects, the universal forwarder represents the best tool for forwarding data to indexers. Its main limitation is that it forwards only unparsed data. Therefore, you cannot use it to route data based on event contents. For that, you must use a heavy forwarder. | In most respects, the universal forwarder represents the best tool for forwarding data to indexers. Its main limitation is that it forwards only unparsed data. Therefore, you cannot use it to route data based on event contents. For that, you must use a heavy forwarder. | ||
=Search Processing Language (SPL)= | |||
{{Internal|Splunk_Search_Processing_Language#Overview|Search Processing Language (SPL)}} |
Latest revision as of 22:36, 18 September 2024
Internal
Event
Segment
Field
A field is a named piece of information. Spunk can parse fields with a fixed, delimited position on a line, name/value pair where there is a single value for each field, or a name/value pair where there is more than one value (example: the To: e-mail address field).
Fields are searchable. For more details on searching with fields, see Searching with Fields.
Default Fields
Selected Fields
Interesting Fields
Tag
Indexing
Splunk extracts fields from events when indexing.
Index
The index is the repository for data. During the indexing process, the raw event data are transformed into searchable events, and the data that allows searching reside in flat index files on the Splunk instance known as indexer.
All Indexes
To get the list of all available indexes:
| eventcount summarize=false index=* index=_* | dedup index | fields index
Searching
Search
A search has the same semantics as the query.
Forwarding Agent
A forwarding agent is a Splunk instance that forwards data to another Splunk instance (an indexer or another forwarder) or to a third-party system. The forwarding agent is a minimalistic service that forwards information as close to real time as possible.
There are three types of forwarders:
- A universal forwarder is a streamlined, dedicated version of Splunk that contains only the essential components needed to forward data.
- A heavy forwarder is a full Splunk instance, with some features disabled to achieve a smaller footprint.
- A light forwarder is also a full Splunk instance, with most features disabled to achieve as small a footprint as possible. The universal forwarder, with its even smaller footprint yet similar functionality, supersedes the light forwarder for nearly all purposes.
In most respects, the universal forwarder represents the best tool for forwarding data to indexers. Its main limitation is that it forwards only unparsed data. Therefore, you cannot use it to route data based on event contents. For that, you must use a heavy forwarder.