Search Under the Hood

 

Prerequisites

Recommended:

  • Intro to Splunk eLearning module

Course Objectives

  • Understanding Splunk architecture
  • Understanding how search terms are tokenized
  • Using streaming and non-streaming commands
  • Using troubleshooting commands and functions

Product Description

This eLearning module gives students additional insight into how Splunk processes searches. Students will learn about Splunk architecture, how components of a search are broken down and distributed across the pipeline, and how to troubleshoot searches when results are not returning as expected.

This module will take roughly three hours to complete.

This eLearning option is available with and without a lab option. If a student opts to take the option without a lab, the eLearning is free.

Outline

Topic 1 – Investigating Searches

  • Use the Search Job Inspector to examine how a search was processed and troubleshoot performance
  • Use SPL commenting to help identify and isolate problems

Topic 2 – Splunk Architecture

  • Understand the role of search heads, indexers, and forwarders in a Splunk deployment
  • Understand how the components of a bucket (.tsidx and journal.gz files) are used
  • Understand how bloom filters are used to improve search speed

Topic 3 – Streaming and Non-Streaming Commands

  • Describe the parts of a search string
  • Understand the use of centralized vs. distributable commands
  • Create more efficient searches

Topic 4 – Breakers and Segmentation

  • Understand how segmenters are used in Splunk
  • Use lispy to reduce the number of events read from disk

Topic 5 – Commands and Functions for Troubleshooting

  • Using the fieldsummary command
  • Using the makeresults command
  • Using information functions with the eval command
    • the isnull function
    • the typeof function
E-Learning

Price on request