Data Parsing and Transformation

The first phase of the data journey is the input phase, which we discussed in detail in Chapter 9, Configuring Splunk Data Inputs. Data parsing is the second phase, followed by the data being indexed on disk. This chapter deals with the parsing phase, which comes right after the input phase and ends by handing the data over to the index phase for storage and preparation for searching.

A question that might arise is why the parsing phase is needed at all, given that all the data has been collected, the metadata fields are set during the input phase, and the data is finally forwarded to indexers for indexing. The prominent features of the parsing phase are breaking the whole data stream into individual events, extracting ...
