Advanced Searching and Reporting

Course Objectives
 

Module 1 – Using Search Efficiently

• Review search architecture
  
• Understand how the components of a bucket (.tsidx and journal.gz files) are used
• How bloom filters are used to improve search speed
  
• Describe the parts of a search string
  
• Understand the use of centralized vs. distributable commands
  
• Create better searches

Module 2 – More Search Tuning

• Understand how segmenters are used in Splunk
  
• Use lispy to reduce the number of events read from disk

Module 3 – Manipulating and Filtering Data

• Divide search results into different groups, based on values in a specified field, using the bin command
• Regroup fields of search results using untable and xyseries
  
• Create a template for performing additional processing on a set of related fields using foreach

Module 4 – Working with Multivalue Fields

• Use multivalue eval functions to analyze and format data
  
• Use the makemv command to convert a single value into a multivalue field
  
• Use the mvexpand command to create separate events for each value in a multivalue field

Module 5 – Using Advanced Transactions

• Find events logged before or after a particular event occurs
  
• Compare complete vs. incomplete transactions
  
• Analyze transactions

Module 6 – Working with Time

• Use time modifiers
  
• Search for events using custom time ranges and time windows
  
• Display and use using relative dates
  
• Use custom time ranges in multiple subsearches

Module 7 – Combining Searches

• Use the append and appendcols commands (and know the differences)
  
• Use join and union (and when not to use them)

Module 8 – Using Subsearches

• Use subsearches to provide filtering and other information to a main search
  
• Know when NOT to use subsearches
  
• Troubleshoot subsearches

Module 9 – Some Extra Tips

• Describe the use of regular expressions
  
• Provide some guidance on using lookups
  
• Provide miscellaneous optimization tips