Answer» In order to use Splunk in your infrastructure, you must understand how Splunk performs at the internal level. In general, Splunk processes data in three stages:

- Data Input Stage: In this stage Splunk consumes raw data not from a single source but from many, breaks it up into 64K blocks, and annotates each block with metadata keys. A metadata key includes the hostname, source, and source type of the data.
- Data Storage Stage: In this stage, two different phases are performed, parsing and indexing.
  - In the parsing phase, Splunk analyzes the data, transforms it, and extracts only the relevant information. This is also called "event processing," since it breaks the data sets down into different events.
  - During the indexing phase, Splunk software writes the parsed events into the index queue. One of the main benefits of this is to make sure the data is easily accessible to anyone during a search.
- Data Searching Stage: This stage controls how the indexed data is accessed, viewed, and used by the user. Reports, event types, dashboards, visualizations, alerts, and other knowledge objects can be created based on the user's reporting requirements.
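The three stages above, modelled as an added toy pipeline in Python (example code, not Splunk's own implementation or anything from the original answer): raw data is cut into 64K blocks tagged with host, source and sourcetype, parsed into timestamped events with a few extracted fields, written to a simple inverted index, and then searched by field=value terms. The sshd log lines, the `linux_secure` sourcetype and the field names are constructed for this example; a line split across a block boundary is carried into the next block so no event is lost.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the page): three syslog-style sshd lines.
RAW = (
    "Mar 10 08:15:01 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 5522 ssh2\n"
    "Mar 10 08:15:03 web01 sshd[2231]: Accepted password for alice from 198.51.100.4 port 4411 ssh2\n"
    "Mar 10 08:15:09 web01 sshd[2240]: Failed password for admin from 203.0.113.7 port 5530 ssh2\n"
)
EVENT_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
AUTH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")

def data_input(raw, host, source, sourcetype, block_size=64 * 1024):
    """Input stage: cut the stream into 64K blocks, each tagged with host/source/sourcetype."""
    return [{"host": host, "source": source, "sourcetype": sourcetype, "data": raw[i:i + block_size]}
            for i in range(0, len(raw), block_size)]

def parse(blocks):
    """Parsing phase: break blocks into events; a line cut by a block boundary is carried over."""
    events, carry = [], ""
    for blk in blocks:
        lines = (carry + blk["data"]).split("\n")
        carry = "" if blk is blocks[-1] else lines.pop()   # partial trailing line, if any
        for line in lines:
            m = EVENT_RE.match(line)
            if not m:
                continue                          # toy: drop lines with no timestamp
            ev = dict(host=blk["host"], source=blk["source"], sourcetype=blk["sourcetype"], _time=m["ts"], _raw=line)
            a = AUTH_RE.search(m["msg"])
            if a:
                ev.update(action=a[1].lower(), user=a[2], src_ip=a[3])
            events.append(ev)
    return events

def index(events):
    """Indexing phase: keep the events and build an inverted index keyed by field=value."""
    inverted = defaultdict(set)
    for eid, ev in enumerate(events):
        for k, v in ev.items():
            if not k.startswith("_"):             # _time/_raw are not indexed as terms here
                inverted[f"{k}={v}"].add(eid)
    return list(events), inverted

def search(store, inverted, **terms):
    """Searching stage: AND of field=value terms, e.g. search(store, inv, action="failed")."""
    hits = None
    for k, v in terms.items():
        ids = inverted.get(f"{k}={v}", set())
        hits = ids if hits is None else hits & ids
    return [store[i] for i in sorted(hits or ())]
```

Running `search(store, inv, action="failed", src_ip="203.0.113.7")` on the sample returns the two failed logins from that address, which is the kind of query a detection rule would build on once the data is indexed.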