Overview of event processing
The Splunk platform indexes events, which are records of activity that reside in machine data. Events provide information about the systems that produce the machine data. The term event data refers to the contents of a Splunk platform index.
Here is a sample event:
172.26.34.223 - - [01/Jul/2017:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953
When Splunk software indexes events, it does the following tasks:
| Task | Link |
|---|---|
| Configures character set encoding | Configure character set encoding |
| Configures line breaking for multi-line events | Configure event line breaking |
| Identifies event timestamps and applies timestamps to events if they don't exist | Configure event timestamps |
Extracts a set of useful standard fields, such as host, source, and sourcetype
|
About default fields |
| Segments events | About event segmentation |
| Dynamically assigns metadata to events, if specified | Assign default fields dynamically |
| Anonymizes data, if specified | Anonymize data |
For an overview of the indexing process, see the Indexing overview chapter of the Managing Indexers and Clusters of Indexers manual.