Well, I am new to Splunk, but I have been working on other SIEM tools like RSA SA and QRadar. I just started to learn about Splunk.
Well, I want to know about Splunk indexers and how indexing happens there.
Actually, I have studied that Splunk doesn't need any parser or connector, so what I am not getting is: if there is no parser, then how does indexing happen? In all other tools, indexing is based entirely on a parser. If a parser for a specific device is not available, then all logs from that device will come under "unknown device".
Maybe my question looks a bit stupid. Sorry for that, but I really want to know how indexers work and how they identify devices and applications without any parser for them.
I hope you understand my query. Waiting for an answer...