Prerequisites
Recommended:
- Intro to Splunk eLearning module
Course Objectives
- Understanding Splunk architecture
- Understanding how search terms are tokenized
- Using streaming and non-streaming commands
- Using troubleshooting commands and functions
Product Description
This eLearning module gives students additional insight into how Splunk processes searches. Students will learn about Splunk architecture, how components of a search are broken down and distributed across the pipeline, and how to troubleshoot searches when results are not returning as expected.
This module will take roughly three hours to complete.
This eLearning module is available with or without a lab. If a student takes it without the lab, the eLearning is free.
Outline
Topic 1 – Investigating Searches
- Use the Search Job Inspector to examine how a search was processed and troubleshoot performance
- Use SPL commenting to help identify and isolate problems
Topic 2 – Splunk Architecture
- Understand the role of search heads, indexers, and forwarders in a Splunk deployment
- Understand how the components of a bucket (.tsidx and journal.gz files) are used
- Understand how bloom filters are used to improve search speed
Topic 3 – Streaming and Non-Streaming Commands
- Describe the parts of a search string
- Understand the use of centralized vs. distributable commands
- Create more efficient searches
Topic 4 – Breakers and Segmentation
- Understand how segmenters are used in Splunk
- Use lispy to reduce the number of events read from disk
Topic 5 – Commands and Functions for Troubleshooting
- Use the fieldsummary command
- Use the makeresults command
- Use information functions with the eval command
  - the isnull function
  - the typeof function