In this chapter, we have learned some techniques to manage the incoming data in your Splunk indexers; some basics on how to leverage those knowledge objects to enhance performance when searching; and the pros and cons of pre- and post-field extraction.

In the next chapter, we will discuss how to use these events and fields to create saved searches, reports, and alerts on the data ingested. I will also discuss some self-healing techniques within alerting, so you can begin automating some of your top workflows, such as restarting a hung service.