Data Engineering • Room 1
Data Onboarding & Parsing
Effective security operations require the right data. Collecting everything is expensive; collecting too little is dangerous.
Data must be parsed correctly at the indexer or heavy forwarder. This means writing proper `props.conf` and `transforms.conf` stanzas to handle line breaking, timestamp extraction, and sourcetype assignment.
Dropping noisy Event IDs (such as routine Windows authentication chatter) at the Universal Forwarder with `inputs.conf` saves large amounts of network bandwidth and Splunk license volume, because the events never leave the endpoint.
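The four files above, as one added example of how they fit together (not configuration from the original page; the sourcetype `custom:app:log`, the index `security`, the regexes and the blacklisted event codes are illustrative choices, not a recommendation for any particular environment):

```ini
# inputs.conf (Universal Forwarder): define the input and filter noise at the source.
# Blacklist entries are evaluated on the endpoint, so matching events are never sent.
[WinEventLog://Security]
disabled = 0
index = wineventlog
# key=regex form: drop 4662 object-access events unless the object is a GPO container
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
# simple form: drop Windows Filtering Platform connection events entirely
blacklist2 = EventCode="5156"

# props.conf (indexer or heavy forwarder): line breaking, timestamps, and which
# transforms to apply to this sourcetype, in order.
[custom:app:log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE = 10000
TRANSFORMS-routing = drop_debug, route_auth_failures

# transforms.conf: the routing rules named in props.conf above.
# Events matching drop_debug go to the null queue and are never indexed.
[drop_debug]
REGEX = \slevel=DEBUG\s
DEST_KEY = queue
FORMAT = nullQueue

# Events matching this rule are rewritten to land in the "security" index.
[route_auth_failures]
REGEX = \sevent=auth_failure\s
DEST_KEY = _MetaData:Index
FORMAT = security

# indexes.conf (indexer): where the data lives and how long it is retained.
[security]
homePath = $SPLUNK_DB/security/db
coldPath = $SPLUNK_DB/security/colddb
thawedPath = $SPLUNK_DB/security/thaweddb
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB = 512000
```

Check a `TRANSFORMS-` change on a test index before rolling it out: a regex that matches more than intended sends events to the null queue silently, and there is no way to recover them afterwards.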
Knowledge Check
Match each task to the configuration file that handles it:

inputs.conf: Define the data input and filter noise at the source
props.conf: Configure line breaking and timestamp extraction
transforms.conf: Route specific events to a different index or the null queue
indexes.conf: Store data based on retention policies