Search Under the Hood

This course is for students to gain additional insight into how Splunk processes searches.

The course will teach students about Splunk architecture, how components of a search are broken down and distributed across the pipeline, and how to troubleshoot searches when results are not returning as expected.

Course Topics

  • Investigating Searches
  • Splunk Architecture
  • Streaming and Non-Streaming Commands
  • Breakers and Segmentation
  • Commands and Functions for Troubleshooting

Prerequisite

To be successful, students must have completed these Splunk Education course(s) or have equivalent working knowledge:

  • Intro to Splunk eLearning course (recommended)

Instructor-led Duration

  • 3 Hours

Course Format

  • Instructor-led
  • Self-paced eLearning

Audience

  • Users/Analysts

Course Objectives

Topic 1

Investigating Searches

  • Use the Search Job Inspector to examine how a search was processed and troubleshoot performance
  • Use SPL commenting to help identify and isolate problems

Topic 2

Splunk Architecture

  • Understand the role of search heads, indexers, and forwarders in a Splunk deployment
  • Understand how the components of a bucket (.tsidx and journal.gz files) are used
  • Understand how bloom filters are used to improve search speed

Topic 3

Streaming and Non-Streaming Commands

  • Describe the parts of a search string
  • Understand the use of centralized vs. distributable commands
  • Create more efficient searches

Topic 4

Breakers and Segmentation

  • Understand how segmenters are used in Splunk
  • Use lispy to reduce the number of events read from disk

Topic 5

Commands and Functions for Troubleshooting

  • Use the fieldsummary command
  • Use the makeresults command
  • Use informational functions with the eval command
  1. the isnull function
  2. the typeof function
