Splunk uses default fields along with the individual event's raw data to correlate and identify common elements in the data on the fly at search time. This means there is no fixed schema, which makes searching with Splunk fast, easy, and flexible.
Things to know
You can use forwarders to get data in, and you can use Splunk apps to get data in. Forwarders get data from remote machines and prepare it for indexing, for example, compressing data, buffering, and adding source, sourcetype, and host metadata. Universal forwarders do not parse data before forwarding it, and is the best way to forward data to indexers. Heavy forwarders parse data before forwarding it, and route data based on event contents.
At the indexer, Splunk breaks data into individual events (event line breaking), and identifies the basic attributes of each event in the form of default fields, then stores the events for searching. Splunk generates these default fields for each event that identify and describe the event's origin:
Timestamp: Splunk uses timestamps to correlate events by time, to create the timeline histogram in Splunk Web, and to set time ranges for searches.
Host: The hostname or IP address of the machine that generated the data.
Source: The originating location of the data, for example, the path name of the file or directory being monitored for data, or the protocol and port.
Source type: A way to identify and group events with similar attributes regardless of where they came from. Like apache web logs - they might come from many different machines with many different log locations, but the fields in the data are essentially the same. You can use a source type to refer to them all.
Things to do
Get data in! Follow the high-level procedure to get started with getting data in. Evaluate your data sources, create a test index, and add a few inputs. Monitor a file or a directory to get some data into Splunk. You can practice using the Splunk Search Tutorial.
Ingest remote data. Install a universal forwarder to get data from other systems into Splunk.
Accelerate your implementation. Explore apps and add-ons created by Splunk and users like you on Splunkbase. Apps and add-ons enable you to get data in faster and easier.
The following video demonstrates how to get data into the Linux version of Splunk Enterprise.
The following video demonstrates how to get data into the Windows version of Splunk Enterprise.