Field Extractions and Lookups
Great! You have reached the last chapter in Part 2, Data Administration. So far in Part 2, we have learned about getting data into Splunk by adding inputs, configuring the parsing-phase settings, and following the phases that data traverses before it is written to disk. What we haven't covered yet is the search phase, which is the whole point of everything we have done so far, first as system admins (setting up Splunk) and then as data admins (tidying up the data and storing it on the indexers).
After all, once everything is set up correctly and the data is indexed properly, it is the users searching that data who deliver the real business outcome. For example, if we have indexed sales data, API logs, and system logs into Splunk, the respective users could use that data to generate a monthly sales report and send it via email, to alert when an API is unavailable, and/or to notify the service or security teams when they have found a vulnerability of a certain...