
Parsing phase:- Data arrives at this segment from the input segment. This segment is where event processing occurs (where Splunk Enterprise analyzes data into logical components).

After data is parsed, it moves to the next segment of the pipeline, indexing.

Parsing of external data can occur on either an indexer or a heavy forwarder.

Parsing can also occur on other components under limited circumstances:

Various components, such as search heads and indexer cluster master nodes, process their own internal
data. When doing so, they perform parsing locally.

When a universal forwarder ingests structured data, it performs the parsing locally. The indexer does not
further parse the structured data.

Indexing:- The repository for data. When the Splunk platform indexes raw data, it transforms the data
into searchable events.

Indexes reside in flat files on the indexer.

There are two types of indexes:

Events indexes. Events indexes are the default type of index. They can hold any type of data.

Metrics indexes. Metrics indexes hold only metric data.

Verb: In general, the act of processing raw data and adding the processed data to an index.
Specifically, indexing is the third segment of the data pipeline, in which the indexer takes parsed events
and writes them to the search index on disk.

Sourcetype:- A sourcetype is “a default field that identifies the data structure of an event. A source type
determines how Splunk Enterprise formats the data during the indexing process.”

The heart of Splunk is the index; it collects data from any source:

Indexer—FACTORY

Data:- RAW material… broken into events with a timestamp; the events are then stored in the index,
where they can be searched by writing a search query.
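
How the parsing rules above are typically expressed per sourcetype in props.conf, including where each stanza has to be deployed so that it takes effect. This is an added example, not part of the original notes; the sourcetype names, the field name `event_time` and the log layouts are hypothetical.

```ini
# props.conf: added example; sourcetype names and log layouts are hypothetical.

# Unstructured application log. Deploy on the first full Splunk Enterprise
# instance the data reaches (heavy forwarder or indexer), where parsing occurs.
[acme:app:log]
# Break the stream only where a new line starts with an ISO 8601 timestamp,
# so stack-trace continuation lines stay inside the event that produced them.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})
# Read the timestamp from the start of the event, not from a date-like
# string that appears later in the message body.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 30
# Cap event length in bytes; longer events are truncated.
TRUNCATE = 10000

# Structured JSON audit file read by a universal forwarder. Deploy on the
# forwarder itself: it parses structured data locally and the indexer does
# not parse it again.
[acme:audit:json]
INDEXED_EXTRACTIONS = json
TIMESTAMP_FIELDS = event_time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
```

A stanza placed on a component that does not parse that data is silently ignored, which shows up later as merged events or wrong event times in search results.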

The three main components of Splunk:

1. Indexer

2. Search Head

3. Forwarders
