Search Under the Hood


This is a free e-learning module that is part of multiple learning paths. This module should be consumed in the sequence recommended in the corresponding learning paths.




  • Intro to Splunk eLearning module

Course Objectives

  • Understanding Splunk architecture
  • Understanding how search terms are tokenized
  • Using streaming and non-streaming commands
  • Using troubleshooting commands and functions

Product Description

This eLearning module gives students additional insight into how Splunk processes searches. Students will learn about Splunk architecture, how components of a search are broken down and distributed across the pipeline, and how to troubleshoot searches when results are not returning as expected.


Topic 1 – Investigating Searches

  • Use the Search Job Inspector to examine how a search was processed and troubleshoot performance
  • Use SPL commenting to help identify and isolate problems

Topic 2 – Splunk Architecture

  • Understand the role of search heads, indexers, and forwarders in a Splunk deployment
  • Understand how the components of a bucket (.tsidx and journal.gz files) are used
  • Understand how bloom filters are used to improve search speed

Topic 3 – Streaming and Non-Streaming Commands

  • Describe the parts of a search string
  • Understand the use of centralized vs. distributable commands
  • Create more efficient searches

Topic 4 – Breakers and Segmentation

  • Understand how segmenters are used in Splunk
  • Use lispy to reduce the number of events read from disk

Topic 5 – Commands and Functions for Troubleshooting

  • Using the fieldsummary command
  • Using the makeresults command
  • Using information functions with the eval command
    • the isnull function
    • the typeof function
