Vocabulary first

A shared language for both tracks.

The gap between confused beginners and confident learners is often vocabulary. This glossary explains platform and security terms in practical language first, then points toward the more technical meaning you will encounter in documentation and labs.

Core data terms

The concepts that show up almost everywhere

Log

A record of activity generated by a system, application, device, or service. Logs are the raw material for search and analysis.

Event

A single item inside the data stream. One login attempt or one web request can be one event.

Field

A named value extracted from an event, such as username, IP address, status code, or host. Good fields make searches useful.

Index

A logical storage location used to organize searchable data. Index design affects retention, search scope, and operations.

Source

Where the data came from, often a file path, stream, or feed identifier.

Sourcetype

The data format or category assigned to incoming events. Good sourcetype discipline helps parsing, field extraction, and search quality.

Host

The system associated with the event data. Depending on context, this might be a server, workstation, or device name.

Time range

The slice of time you search. Many confusing results come from incorrect or inconsistent time windows.

Search and analysis

The language of investigating data

SPL

Search Processing Language, the search language used in Splunk. It includes commands, filtering, transformation, and reporting logic.

Search

A query that filters or transforms data to answer a specific question. Good searches are narrow, testable, and interpretable.

Stats

A common SPL command used to count, sum, group, and summarize fields.

Timechart

A command used to trend values over time, useful for spikes, drops, seasonality, and alert review.

Regex

Pattern matching used for extraction and filtering. It is powerful but easy to misuse, and careless patterns are both fragile and slow.

Lookup

A reference table used to enrich events with extra context such as asset owner, geo data, or business unit.

Knowledge object

A saved artifact such as a field extraction, lookup, tag, event type, report, macro, or workflow action that helps organize repeated analysis.

Dashboard

A structured view of searches and visualizations designed to answer recurring questions quickly.

Security operations

The words analysts keep using

Alert

An automated signal triggered when a search condition is met. The best alerts are actionable and do not fire constantly on noise.

Detection

Logic designed to identify suspicious or important behavior. A detection should include context, expected behavior, and false-positive thinking.

Triage

The early evaluation of whether a signal matters, how urgent it is, and what to investigate next.

IOC

Indicator of compromise, such as a malicious IP, domain, hash, or artifact associated with hostile activity.

False positive

An alert that fires on activity that looks malicious but is actually benign. Reducing false positives is part of real detection engineering.

Correlation

Combining multiple signals to form a stronger picture than any single event provides by itself.

SOC

Security Operations Center, the team or function responsible for monitoring and responding to security events.

Use case

A specific business, operational, or security problem you want the platform to help solve.

Platform operations

Terms that matter as you get more hands-on

Forwarder

A lightweight agent used to send data from systems into the platform.

Retention

How long data is kept. Retention affects cost, compliance, historical visibility, and investigation depth.

Role

A set of permissions defining what a user can do, see, or manage.

App

A package of configurations, dashboards, searches, and objects that groups related functionality.

Acceleration

Performance optimization used in some data models or searches to make repeated analysis faster.

Normalization

Making data from different sources comparable by aligning field names and structures.