Creating index-time field extractions
Indexed extractions, also referred to as index-time field extractions, involve the systematic extraction of specific fields from raw data during the parsing phase of the data ingestion journey. These extractions are defined and implemented by data administrators, who specify the fields to be extracted. As part of this process, the extracted fields are not only captured but also persistently stored within the designated index, ensuring their long-term availability for subsequent analysis and retrieval.
If you recall from Chapter 8, in the Data indexing phases section, we learned about input, parsing, and indexing.
There is a special case for structured data: at input time, setting INDEXED_EXTRACTIONS in props.conf and deploying it to a Universal Forwarder (UF) stores the fields in an index. In this case, the data doesn't go through the parsing phase; it skips it and goes directly to the indexing phase. Let's look at the important facts...