HTTP/2 200 date: Thu, 24 Jul 2025 23:35:33 GMT content-type: text/html; charset=UTF-8 server: Apache set-cookie: Apache=7aac9b5a.63ab5480a2a58; path=/; expires=Fri, 20-Jul-40 23:35:32 GMT; domain=.splunk.com x-frame-options: SAMEORIGIN strict-transport-security: max-age=31536000; includeSubDomains; preload x-content-type-options: nosniff set-cookie: PHPSESSID=64422a6e4af4fd119a0921196ba566b7; path=/ expires: Thu, 01 Jan 1970 00:00:00 GMT cache-control: private, must-revalidate, max-age=0 pragma: no-cache set-cookie: ponydocs_session=64422a6e4af4fd119a0921196ba566b7; path=/; secure; HttpOnly content-language: en x-ua-compatible: IE=Edge vary: Accept-Encoding,Cookie x-xss-protection: 1; mode=block referrer-policy: strict-origin-when-cross-origin

event processing

event processing

noun

Event processing covers everything that happens to your data between the time you define an input and the time the data appears in the Splunk index. At index time, Splunk software organizes and structures your data, including processing multiline events, extracting important fields such as the timestamp, and compressing the data.

The Splunk Web data preview tool is available in both Splunk Enterprise and Splunk Cloud Platform. Data preview lets you configure the format of your event data before processing. Use it to see how your processed events will look and make adjustments to improve the formatting of the data.

In Splunk Enterprise, you can configure and customize event processing using configuration files.

After the data is in the index, you can add additional knowledge to your events, such as fields, tags, and event types.

For more information

In Getting Data In:

• Overview of event processing
• Assign the correct source types to your data

Retrieved from "https://docs.splunk.com/index.php?title=Splexicon:Eventprocessing&oldid=1324600"

• *
• A
• B
• C
• D
• E
• F
• G
• H
• I
• J
• K
• L
• M
• N
• O
• P
• R
• S
• T
• U
• V
• W

*

• *nix

A

• action
• ad hoc search
• ad hoc search head
• ad-hoc risk entry
• adaptive response action
• add-on
• agent
• agent management
• agent manager

• alert
• alert action
• alias
• allow list
• analytic stories
• annotations
• app
• app key value store
• app manifest

• archiving
• artifact
• asset
• attribute
• audit event
• audit index
• automatic key value field extraction

B

• base search
• blacklist (no longer in use)

• Bloom filter
• bucket

• bucket fixing
• Build Event Type utility

C

• cache manager
• calculated field
• capability
• captain
• character set encoding
• cluster
• clustering
• collection

• command-line interface
• command-line tool
• Common Information Model (CIM)
• complete
• component
• conditional routing
• conf file
• configuration bundle

• configuration file
• connector
• constraint
• contributing event
• correlation search
• counter metric

D

• dashboard
• dashboard editor
• data cloning
• data distribution
• data model
• data model acceleration
• data model dataset
• Data Model Editor
• data orchestrator
• data pipeline
• data routing

• data series
• dataset
• dataset processing command
• decommissioning
• default field
• default group
• deny list
• deployer
• deployment
• deployment app
• deployment client

• deployment server
• detection
• dimension
• disposition
• Distributed management console
• distributed search
• distribution
• drilldown
• dynamic captain

E

• embedded report
• enclaves
• enforcement
• Enterprise support
• entity zone

• event
• event annotation
• event data
• event pattern
• event processing

• event type
• event type builder
• extend (dataset)
• external data
• extracted field

F

• federated index
• federated provider
• federated search
• federated search head
• field
• field aliasing
• field discovery

• field extraction
• field extractor
• file system change monitor
• filtering
• finalize
• fishbucket
• form

• forwarder
• forwarder management
• forwarding
• forwarding license
• fschange

G

• gateway forwarder
• generating command

• generation
• generation ID

• Global support

H

• heavy forwarder
• high performance analytics store

• historical search
• host

• hybrid search

I

• identity
• incident
• incident type
• index
• index files
• index parallelization
• index replication
• index time
• indexed field
• indexed real-time search
• indexer

• indexer acknowledgment
• Indexer cluster
• indexer cluster node
• indexer clustering
• indexer discovery
• indexQueue
• indicator
• inline field extraction
• input
• Inputs Data Manager
• instance

• instrumentation
• intelligence workflow
• intention
• intermediate forwarder
• intermediate reducer
• internal field
• investigation
• investigation status
• IT data

J

• job

• job inspector

K

• key indicator searches
• key indicators
• knowledge

• knowledge bundle
• knowledge manager
• knowledge object

• KV store
• KV store captain

L

• lexicon
• license
• license group
• license manager
• license master (no longer in use)

• license peer
• license pool
• license slave (no longer in use)
• license stack
• light forwarder

• load balancing
• logging verbosity
• lookup
• lookup definition

M

• major breaker
• manager node
• master node (no longer in use)
• measurement
• metric
• metric data point

• metric time series
• minor breaker
• modular input
• module (ITSI)
• module (SOAR)
• module (SPL2)

• monitor
• monitoring console
• multiline event
• multisite indexer cluster
• multivalue field

N

• non-searchable
• non-streaming command

• normalized score
• notable event

• nullQueue

O

• object
• observable

• orchestrating command
• output group

P

• Packaging Toolkit
• panel
• panel type
• parallel reduce
• parsing
• parsingQueue
• partitioning
• passthru score
• peer node

• per-result alert
• permissions
• persistent queue
• pipe operator
• pipeline set
• pivot
• Pivot Editor
• platform alert
• playbook

• playbook editor
• prebuilt panel
• premium search head
• primacy
• primary
• Priority score
• punct

R

• rawdata journal
• real-time alert
• real-time search
• realm
• receiver
• receiving
• receiving port
• reduced bucket
• relative search
• relative time modifier
• replicated data

• replication factor
• replication port
• report
• report acceleration
• reporting command
• required text
• response action
• response plan
• response template
• REST API
• result

• risk factor
• risk factor editor
• risk message
• risk modifier
• risk notable
• risk object
• risk rule
• risk score
• role
• rolling-window alert

S

• saved search
• scheduled alert
• scheduled report
• scheduled search
• scheduler
• scripted authentication
• scripted input
• search
• search affinity
• Search app
• search artifact
• search assistant
• search execution directive
• search factor
• search field
• search filter
• search head
• search head cluster
• search head cluster captain
• search head cluster member
• search head clustering
• search head pooling
• search head targeting
• search job
• Search Job Inspector

• search macro
• search management
• search mode
• search peer
• search peer replication
• Search Processing Language
• search scheduler
• search time
• search timeline
• search view
• searchability
• searchable
• segment
• send to background
• sequence template
• series
• server
• server class
• Settings
• SignalFlow
• SignalFx Smart Agent receiver
• Simple XML
• single-instance deployment
• single-site indexer cluster
• SmartStore

• source
• source type
• span
• span tag
• SPL
• SPL2
• SPL2 statement
• Splunk Answers
• Splunk Distribution of OpenTelemetry Collector
• Splunk OpenTelemetry Collector
• Splunk platform
• Splunk UI
• Splunk Web
• Splunk Web Framework
• Splunkbase
• splunkd
• SplunkJS Stack
• stack mode
• standalone search head
• stanza
• static captain
• streaming command
• subsearch
• summary index

T

• table dataset
• Table Editor
• table-chart drilldown
• tag
• target group
• threat match searches
• threat object
• throttle
• time accelerator
• time range picker

• time range window
• time series
• time-series index file
• timeline
• timeline view
• timestamp
• timezone offset
• token
• trace
• transaction

• transaction type
• transform
• transform field extraction
• transforming command
• transforming search
• tsidx file
• tsidx reduction
• tsidx retention policy
• typelearner

U

• universal forwarder
• upstream

• urgency
• user authentication

V

• valid

• view

• visualization

W