How indexing works
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
How indexing works
Splunk can index any type of time-series data (data with timestamps). When Splunk indexes data, it breaks it into events, based on its timestamps.
Event processing
Event processing occurs in two stages, parsing and indexing. All data that comes into Splunk enters through the parsing pipeline as large (10,000 bytes) chunks. During parsing, Splunk breaks these chunks into events which it hands off to the indexing pipeline, where final processing occurs.
While parsing, Splunk performs a number of actions, including:
- Extracting sets of default fields for each event, including
host,source, andsourcetype. - Configuring character set encoding.
- Identifying line termination using linebreaking rules. While many events are short and only take up a line or two, others can be long.
- Identifying timestamps or creating them if they don't exist. At the same time that it processes timestamps, Splunk identifies event boundaries.
- Splunk can be set up to mask sensitive event data (such as credit card or social security numbers) during the indexing process. It can also be configured to apply custom metadata to incoming events.
In the indexing pipeline, Splunk performs additional processing, including:
- Breaking all events into segments that can then be searched upon. You can determine the level of segmentation, which affects indexing and searching speed, search capability, and efficiency of disk compression.
- Building the index data structures.
- Writing the raw data and index files to disk, where post-indexing compression occurs.
The breakdown between parsing and indexing pipelines is mainly of relevance for forwarders, which can parse, but not index, data.
For more information about events and what happens to them during the indexing process, see Overview of event processing in this manual.
Note: Indexing is an I/O-intensive process.
This diagram shows the main processes inherent in indexing:
What's in an index?
Splunk stores all of the data it processes in indexes. An index is a collection of databases, which are directories located in $SPLUNK_HOME/var/lib/splunk. A database directory is named db_<starttime>_<endtime>_<seq_num>.
Splunk comes with the following preconfigured indexes:
- main: This is the default Splunk index. All processed data is stored here unless otherwise specified.
- _internal: Stores Splunk internal logs and processing metrics.
- sampledata: A small amount of sample data is stored here for training purposes.
- _audit: Contains events related to the file system change monitor, auditing, and all user search history.
A Splunk administrator can create new indexes, edit index properties, remove unwanted indexes, and relocate existing indexes. Splunk administrators manage indexes through Splunk Manager, the CLI, and configuration files such as indexes.conf. For more information, See Managing indexes in this manual.
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around indexing.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.