Solved: Is there any case where Splunk can perform parsing...

SplunkExplorer · ‎11-04-2022

Hi Splunkers,

I have a doubt about the Splunk parsing capacity.

Until now, every time I needed to parse data, I used add-on, both custome wrote by me and downloaded from Splunk base. If I remeber well, but correct me if I'm wrong, an add-on is not required (or may be not required) if we have a well structured data format, like JSON or XML .

My question is: if the above assumption is right, are there any other case where Splunk can perform parsing without an add-on help? And if yes, what are they?

richgalloway · ‎11-04-2022

Just because the data is well-formed doesn't mean Splunk knows what to do with it. Add-ons tell Splunk how to process data. This saves Splunk from guessing incorrectly and speeds onboarding.

The one format Splunk will parse out-of-the-box is key=value. Even then, an add-on is recommended.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-04-2022

Just because the data is well-formed doesn't mean Splunk knows what to do with it. Add-ons tell Splunk how to process data. This saves Splunk from guessing incorrectly and speeds onboarding.

The one format Splunk will parse out-of-the-box is key=value. Even then, an add-on is recommended.

---
If this reply helps you, Karma would be appreciated.

Is there any case where Splunk can perform parsing without an add-on help?

configuration

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!