Splunk Training + Certification
Advanced Searching and Reporting
The newest comprehensive resource from Splunk Training + Certification is here.
- Free Courses
-
Learning Paths
- Courses for Users
-
Courses for Splunk Administrators
- Courses for Splunk Administrators
- Splunk Fundamentals 1
- Splunk Fundamentals 2
- Splunk Enterprise System Administration
- Splunk Enterprise Data Administration
- Troubleshooting Splunk Enterprise
- Splunk Enterprise Cluster Administration
- Implementing Splunk SmartStore
- Splunk Workload Management
- Working with Metrics in Splunk
- Implementing Splunk Data Stream Processor (DSP)
- Courses for Splunk Cloud Customers
-
Courses for Splunk Architects
- Courses for Splunk Architects
- Splunk Fundamentals 1
- Splunk Fundamentals 2
- Creating Dashboards with Splunk
- Splunk Fundamentals 3
- Advanced Searching and Reporting
- Splunk Enterprise System Administration
- Splunk Enterprise Data Administration
- Troubleshooting Splunk Enterprise
- Splunk Enterprise Cluster Administration
- Architecting Splunk Enterprise Deployments
- Courses for App Developers
-
Courses for Enterprise Security Administrators
- Courses for Enterprise Security Administrators
- Splunk Fundamentals 1
- Splunk Fundamentals 2
- Creating Dashboards with Splunk
- Splunk Fundamentals 3
- Advanced Searching and Reporting
- Splunk Enterprise System Administration
- Splunk Enterprise Data Administration
- Architecting Splunk Enterprise Deployments
- Administering Splunk Enterprise Security
- Courses for Enterprise Security End-Users
-
Courses for IT Service Intelligence Administrators
- Courses for IT Service Intelligence Administrators
- Splunk Fundamentals 1
- Splunk Fundamentals 2
- Creating Dashboards with Splunk
- Splunk Fundamentals 3
- Advanced Searching and Reporting
- Splunk Enterprise System Administration
- Splunk Enterprise Data Administration
- Implementing Splunk IT Service Intelligence
- Courses for IT Service Intelligence End-Users
- Courses for Phantom Customers
-
Courses for Observability Customers
- Courses for Observability Customers
- Observability Fundamentals Series (eLearning)
- Using Splunk Infrastructure Monitoring
- Kubernetes Monitoring with Splunk
- Automation Using the REST and SignalFlow APIs
- Using the Splunk Terraform Provider
- Sending Custom Metrics to Splunk IM
- Using Splunk APM to Monitor Microservices-based Applications
- Advanced Monitoring of Microservices Applications Using Splunk APM
-
Certification Tracks
- Splunk Core Certified User
- Splunk Core Certified Power User
- Splunk Core Certified Advanced Power User
- Splunk Cloud Certified Admin
- Splunk Enterprise Certified Admin
-
Splunk Enterprise Certified Architect
- Splunk Enterprise Certified Architect
- Splunk Fundamentals 1
- Splunk Fundamentals 2
- Splunk Enterprise System Administration
- Splunk Enterprise Data Administration
- Troubleshooting Splunk Enterprise
- Splunk Enterprise Cluster Administration
- Architecting Splunk Enterprise Deployments
- Splunk Enterprise Practical Lab
- Splunk Certified Developer
- Splunk Enterprise Security Certified Admin
- Splunk IT Service Intelligence Certified Admin
-
Splunk Core Certified Consultant
- Splunk Core Certified Consultant
- Splunk Fundamentals 1
- Splunk Fundamentals 2
- Splunk Enterprise System Administration
- Splunk Enterprise Data Administration
- Architecting Splunk Enterprise Deployments
- Troubleshooting Splunk Enterprise
- Splunk Enterprise Cluster Administration
- Splunk Deployment Practical Lab
- Splunk Fundamentals 3
- Creating Dashboards with Splunk
- Advanced Searching and Reporting
- Core Consultant Labs
- Services Core Implementation
- Splunk Phantom Certified Admin
-
Courses
- Splunk Fundamentals 1
- Splunk Fundamentals 2
- Splunk Fundamentals 3
- Advanced Searching and Reporting
- Creating Dashboards with Splunk
- Advanced Dashboards and Visualizations
- Building Splunk Apps
- Splunk for Analytics and Data Science
- Splunk Infrastructure Overview
- Splunk Enterprise System Administration
- Splunk Enterprise Data Administration
- Troubleshooting Splunk Enterprise
- Splunk Enterprise Cluster Administration
- Splunk Cloud Administration
- Transitioning to Splunk Cloud
- Architecting Splunk Enterprise Deployments
- Working with Metrics in Splunk
- Implementing Splunk SmartStore
- Splunk Workload Management
- Splunk Deployment Practical Lab
- Implementing Splunk Data Stream Processor (DSP)
- Developing with Splunk's REST API
- Administering Splunk Enterprise Security
- Using Splunk Enterprise Security
- Implementing Splunk IT Service Intelligence
- Using Splunk IT Service Intelligence
- Splunk User Behavior Analytics
- Administering Phantom
- Developing Phantom Playbooks
- Advanced Phantom Implementation
- Introduction to Splunk IM and Splunk APM
- Using Splunk Infrastructure Monitoring
- Kubernetes Monitoring with Splunk
- Using Splunk APM to Monitor Microservices-based Applications
- Automation Using the REST and SignalFlow APIs
- Using the Splunk Terraform Provider
- Sending Custom Metrics to Splunk IM
- Advanced Monitoring of Microservices Applications Using Splunk APM
- Services Core Implementation
- Core Consultant Labs
- IT Essentials Learn - Walkthrough
- Implementing the Splunk App for Infrastructure (SAI)
- Responding to Incidents with Splunk On-Call
- Splunk On-Call Administration
- Using Splunk Real User Monitoring
-
Videos
- All Videos
- Splunk Cloud Tutorial
- Installing Splunk Enterprise on Linux
- Installing Splunk Enterprise on Windows
- Getting Data In to Splunk Enterprise (Linux)
- Getting Data In (Windows)
- Getting Data In with Forwarders
- Basic Search in Splunk Enterprise
- Create a Dashboard in Splunk Enterprise
- Splunk Certification Candidate Journey
- Creating Alerts in Splunk Enterprise
-
- Program Guide + FAQ
- Download Fact Sheet
Course Description
This 3 virtual-day course focuses on more advanced search and reporting commands. Scenario-based examples and hands-on challenges enable users to create robust searches, reports, and charts. Students are coached step by step through complex searches to produce final results. Major topics include optimizing searches, additional charting commands and functions, formatting and calculating results, correlating events, and using combined searches and subsearches.
Instructor-led Training Schedule
Course Prerequisites
- Splunk Fundamentals 1
- Splunk Fundamentals 2
- Splunk Fundamentals 3
- Highly recommended: at least 6 months experience with the Splunk search language
Course Topics
- Using Search Efficiently
- More Search Tuning
- Manipulating and Filtering Data
- Working with Multivalue Fields
- Using Advanced Transactions
- Working with Time
- Combining Searches
- Using Subsearches
Course Objectives
Module 1 – Using Search Efficiently
- Review search architecture
- Understand how the components of a bucket (.tsidx an djournal.gz files) are used
- How bloom filters are used to improve search speed
- Describe the parts of a search string
- Understand the use of centralized vs. distributable commands
- Create better searches
Module 2 – More Search Tuning
- Understand how segmenters are used in Splunk
- Use lispy to reduce the number of events read from disk
Module 3 – Manipulating and Filtering Data
- Divide search results into different groups, based on values in a specified field, using the bin command
- Regroup fields of search results using untable and xyseries
- Create a template for performing additional processing on a set of related fields using foreach
Module 4 – Working with Multivalue Fields
- Use multivalue eval functions to analyze and format data
- Use the makemv command to convert a single value into a multivalue field
- Use the mvexpand command to create separate events for each value in a multivalue field
Module 5 – Using Advanced Transactions
- Find events logged before or after a particular event occurs
- Compare complete vs. incomplete transactions
- Analyze transactions
Module 6 – Working with Time
- Use time modifiers
- Search for events using custom time ranges and time windows
- Display and use using relative dates
- Use custom time ranges in multiple subsearches
Module 7 – Combining Searches
- Use the append and appendcols commands (and know the differences)
- Use join and union (and when not to use them)
Module 8 – Using Subsearches
- Use subsearches to provide filtering and other information to a main search
- Know when NOT to use subsearches
- Troubleshoot subsearches
Module 9 – Some Extra Tips
- Describe the use of regular expressions
- Provide some guidance on using lookups
- Provide miscellaneous optimization tips
