Overview
This is a free e-learning module that is part of multiple learning paths. This module should be consumed in the sequence recommended in the corresponding learning paths.
Prerequisites
Recommended:
- Intro to Splunk eLearning module
Course Objectives
- Understanding Splunk architecture
- Understanding how search terms are tokenized
- Using streaming and non-streaming commands
- Using troubleshooting commands and functions
Product Description
This eLearning module gives students additional insight into how Splunk processes searches. Students will learn about Splunk architecture, how components of a search are broken down and distributed across the pipeline, and how to troubleshoot searches when results are not returning as expected.
Outline
Topic 1 – Investigating Searches
- Use the Search Job Inspector to examine how a search was processed and troubleshoot performance
- Use SPL commenting to help identify and isolate problems
Topic 2 – Splunk Architecture
- Understand the role of search heads, indexers, and forwarders in a Splunk deployment
- Understand how the components of a bucket (.tsidx and journal.gz files) are used
- Understand how bloom filters are used to improve search speed
Topic 3 – Streaming and Non-Streaming Commands
- Describe the parts of a search string
- Understand the use of centralized vs. distributable commands
- Create more efficient searches
Topic 4 – Breakers and Segmentation
- Understand how segmenters are used in Splunk
- Use lispy to reduce the number of events read from disk
Topic 5 – Commands and Functions for Troubleshooting
- Using the fieldsummary command
- Using the makeresults command
- Using information functions with the eval command
  - the isnull function
  - the typeof function