Search Under the Hood

• Users/Analysts

To be successful, students must have completed these Splunk Education course(s) or have equivalent working knowledge:

• Intro to Splunk eLearning course (recommended)

This course is for students to gain additional insight into how Splunk processes searches.

The course will teach students about Splunk architecture, how components of a search are broken down and distributed across the pipeline, and how to troubleshoot searches when results are not returning as expected.

This eLearning option is available with and without a lab option. If a student opts to take the option without a lab, the eLearning is free.

Module 1 – Investigating Searches

• Use the Search Job Inspector to examine how a search was processed and troubleshoot performance
• Use SPL commenting to help identify and isolate problems

Module 2 – Splunk Architecture

• Understand the role of search heads, indexers, and forwarders in a Splunk deployment
• Understand how the components of a bucket (.tsidx and journal.gz files) are used
• Understand how bloom filters are used to improve search speed

Module 3 – Streaming and Non-Streaming Commands

• Describe the parts of a search string
• Understand the use of centralized vs. distributable commands
• Create more efficient searches

Module 4 – Breakers and Segmentation

• Understand how segmenters are used in Splunk
• Use lispy to reduce the number of events read from disk

Module 5 – Commands and Functions for Troubleshooting

• Using the fieldsummary command
• Using the makeresults command
• Using information functions with the eval command
  • the isnull function
  • the typeof function