Skip to main content


Splunk Training + Certification

Advanced Searching and Reporting

QUICK LINKS   

My Training Profile | Splunk Education Student Handbook

Course Description

This 14.5-hour virtual course focuses on more advanced search and reporting commands. Scenario-based examples and hands-on challenges enable users to create robust searches, reports, and charts. Students are coached step by step through complex searches to produce final results. Major topics include optimizing searches, additional charting commands and functions, formatting and calculating results, correlating events, and using combined searches and subsearches.

As of Oct. 25, 2021, Splunk Education has replaced this course with the new Single-Subject Courses. Please refer to this page for more information on the new offerings. This course will continue to be offered by our Authorized Learning Partners (ALPs) only until approximately April 30, 2022. 

 
Download Course Description

Instructor-led Training Schedule
View Schedule
Instructor-on-demand

Registration for this course is no longer available.

Course Prerequisites

  • Splunk Fundamentals 1
  • Splunk Fundamentals 2
  • Splunk Fundamentals 3
  • Highly recommended: at least 6 months experience with the Splunk search language

Course Topics

  • Using Search Efficiently
  • More Search Tuning
  • Manipulating and Filtering Data
  • Working with Multivalue Fields
  • Using Advanced Transactions
  • Working with Time
  • Combining Searches
  • Using Subsearches

Course Objectives
 

Module 1 – Using Search Efficiently
  • Review search architecture
  • Understand how the components of a bucket (.tsidx and journal.gz files) are used
  • How bloom filters are used to improve search speed
  • Describe the parts of a search string
  • Understand the use of centralized vs. distributable commands
  • Create better searches
 
Module 2 – More Search Tuning
  • Understand how segmenters are used in Splunk
  • Use lispy to reduce the number of events read from disk
 
Module 3 – Manipulating and Filtering Data
  • Divide search results into different groups, based on values in a specified field, using the bin command
  • Regroup fields of search results using untable and xyseries
  • Create a template for performing additional processing on a set of related fields using foreach
 
Module 4 – Working with Multivalue Fields
  • Use multivalue eval functions to analyze and format data
  • Use the makemv command to convert a single value into a multivalue field
  • Use the mvexpand command to create separate events for each value in a multivalue field
 
Module 5 – Using Advanced Transactions
  • Find events logged before or after a particular event occurs
  • Compare complete vs. incomplete transactions
  • Analyze transactions
 
Module 6 – Working with Time
  • Use time modifiers
  • Search for events using custom time ranges and time windows
  • Display and use using relative dates
  • Use custom time ranges in multiple subsearches
 
Module 7 – Combining Searches
  • Use the append and appendcols commands (and know the differences)
  • Use join and union (and when not to use them)
 
Module 8 – Using Subsearches
  • Use subsearches to provide filtering and other information to a main search
  • Know when NOT to use subsearches
  • Troubleshoot subsearches
 
Module 9 – Some Extra Tips
  • Describe the use of regular expressions
  • Provide some guidance on using lookups
  • Provide miscellaneous optimization tips
WHY SPLUNK?
WHY SPLUNK?
SUPPORT
SUPPORT
RESOURCES
RESOURCES
FOR DEVELOPERS
FOR DEVELOPERS
COMPANY
COMPANY
SPLUNK SITES
SPLUNK SITES
Sitemap
Privacy
Website Terms of Use
Splunk Licensing Terms
Export Control
Modern Slavery Statement
Splunk Patents

© 2005 - 2022 Splunk Inc. All rights reserved.

Splunk, Splunk>, Turn Data Into Doing, and Data-to-Everything are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.