Detailed Course Outline
Module 1 – Using Search Efficiently
- Review search architecture
- Understand how the components of a bucket (.tsidx and journal.gz files) are used
- How bloom filters are used to improve search speed
- Describe the parts of a search string
- Understand the use of centralized vs. distributable commands
- Create better searches
Module 2 – More Search Tuning
- Understand how segmenters are used in Splunk
- Use lispy to reduce the number of events read from disk
Module 3 – Manipulating and Filtering Data
- Divide search results into different groups, based on values in a specified field, using the bin command
- Regroup fields of search results using untable and xyseries
- Create a template for performing additional processing on a set of related fields using foreach
Module 4 – Working with Multivalue Fields
- Use multivalue eval functions to analyze and format data
- Use the makemv command to convert a single value into a multivalue field
- Use the mvexpand command to create separate events for each value in a multivalue field
Module 5 – Using Advanced Transactions
- Find events logged before or after a particular event occurs
- Compare complete vs. incomplete transactions
- Analyze transactions
Module 6 – Working with Time
- Use time modifiers
- Search for events using custom time ranges and time windows
- Display and use relative dates
- Use custom time ranges in multiple subsearches
Module 7 – Combining Searches
- Use the append and appendcols commands (and know the differences)
- Use join and union (and when not to use them)
Module 8 – Using Subsearches
- Use subsearches to provide filtering and other information to a main search
- Know when NOT to use subsearches
- Troubleshoot subsearches
Module 9 – Some Extra Tips
- Describe the use of regular expressions
- Provide some guidance on using lookups
- Provide miscellaneous optimization tips