Input Phase: Data is collected and input.
Parsing Phase: Data is parsed, which includes breaking it into events and defining event boundaries.
Indexing Phase: Parsed events are written to disk (index).
Search Phase: Indexed data is searched and analyzed.
1. Input phase: Handled at the source (usually a forwarder)
– The data sources are being opened and read
– Data is handled as streams; configuration settings are applied to the entire stream
2. Parsing phase: Handled by indexers (or heavy forwarders)
– Data is broken up into events and advanced processing can be performed
3. Indexing phase: Handled by indexers
– License meter runs as data is initially written to disk, prior to compression
– After data is written to disk, it cannot be changed
Parsing phase respects LINE_BREAKER, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings in props.conf
upvoted 2 times
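An added example, not part of the original comment: a simplified Python emulation of how the parsing phase applies `LINE_BREAKER` when `SHOULD_LINEMERGE = false`. The text before the first capturing group ends one event, the text after it starts the next, and the group itself is discarded. The sample stream and the sourcetype name are constructed, and Python's `re` stands in for Splunk's PCRE engine; timestamp extraction and truncation are not modelled.

```python
import re

# Constructed sample stream: three application events, the second carrying
# a multi-line stack trace.
SAMPLE_STREAM = (
    "2024-01-05 10:00:01 INFO login ok user=alice\n"
    "2024-01-05 10:00:02 ERROR unhandled exception\n"
    "  at app.auth.check(auth.py:41)\n"
    "  at app.main.run(main.py:12)\n"
    "2024-01-05 10:00:03 WARN login failed user=bob\n"
)

# Equivalent props.conf stanza (sourcetype name is hypothetical):
#   [app:log]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} )
DEFAULT_BREAKER = r"([\r\n]+)"                      # break on every newline run
DATE_BREAKER = r"([\r\n]+)(?=\d{4}-\d{2}-\d{2} )"   # break only before a date


def break_events(stream, line_breaker):
    """Split a raw stream into events using LINE_BREAKER semantics."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capturing group")
    events, start = [], 0
    for match in pattern.finditer(stream):
        if match.start(1) == match.end(1):
            continue  # group empty or unused: no boundary here
        events.append(stream[start:match.start(1)])  # end of previous event
        start = match.end(1)                         # start of next event
    events.append(stream[start:].rstrip("\r\n"))     # tail of the stream
    return [event for event in events if event.strip()]


if __name__ == "__main__":
    for name, breaker in (("default", DEFAULT_BREAKER), ("date", DATE_BREAKER)):
        events = break_events(SAMPLE_STREAM, breaker)
        print(f"{name}: {len(events)} events")
        for event in events:
            print("   ", repr(event))
```

With the newline-only breaker the stack-trace lines become separate events with no timestamp of their own; the date-anchored breaker keeps the trace attached to its ERROR event.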