Advanced Searching and Reporting with Splunk 8.0.1
Upcoming Classes
Online
Instructor-led online training
Summary
This 13 hour course supplements the Splunk Fundamentals 3 class. It focuses on more advanced search and reporting commands. Scenario-based examples and hands-on challenges enable users to create robust searches, reports, and charts. Students are coached step by step through complex searches to produce final results. Major topics include optimizing searches, additional charting commands and functions, formatting and calculating results, correlating events, and using combined searches and subsearches.
Description
- Using Search Efficiently
- More Search Tuning
- Manipulating and Filtering Data
- Working with Multivalue Fields
- Using Advanced Transactions
- Working with Time
- Using Subsearches
- Combining Searches
- Some Extra tips
Objectives
Module 1 – Using Search Efficiently
- Review search architecture
- Understand how the components of a bucket (.tsidx an djournal.gz files) are used
- How bloom filters are used to improve search speed
- Understand the use of centralized vs. distributable commands
Module 2 – More Search Tuning
- Understand how segmenters are used in Splunk
- Use lispy to reduce the number of events read from disk
- Use TERM directive to force Splunk to search for complete values
- Understand how search-time and aliased fields affect disk reads
Module 3 – Manipulating Data
- Divide search results into different groups, based on values in a specified field, using the bin command
- Regroup fields of search results using untable and xyseries
- Create a template for performing additional processing on a set of related fields using foreach
Module 4 – Working with Multivalue Fields
- Use multivalue eval functions to analyze and format data
- Use the makemv command to convert a single value into a multivalue field
- Use the mvexpand command to create separate events for each value in a multivalue field
Module 5 – Using Advanced Transactions
- Find events logged before or after a particular event occurs
- Compare complete vs. incomplete transactions
- Analyze transactions
Module 6 – Working with Time
- Use time modifiers
- Visualize data from two different time periods in one search
- Search for events using custom time ranges and time windows
- Display and use using relative dates
Module 7 – Using Subsearches
- Use subsearches to provide filtering and other information to a main search
- Know when NOT to use subsearches
- Troubleshoot subsearches
Module 8 – Combining Searches
- Use the append and appendcols commands (and know the differences)
- Use join and union (and when not to use them)
Module 9 – Some Extra Tips
Public Training
AMER Eastern Time - Virtual
-
$ 1500.00 USD -
$ 1500.00 USD
-
$ 1500.00 USD
-
$ 1500.00 USD
-
$ 1500.00 USD
-
$ 1500.00 USD
-
$ 1500.00 USD
AMER Pacific Time - Virtual
-
$ 1500.00 USD
-
$ 1500.00 USD
-
$ 1500.00 USD
-
$ 1500.00 USD
-
$ 1500.00 USD
EMEA UK Time - Virtual
-
$ 1500.00 USD
-
$ 1500.00 USD
-
$ 1500.00 USD
-
$ 1500.00 USD
-
$ 1500.00 USD
-
$ 1500.00 USD
Ingeniq
-
9:00 AM - 1:30 PM AEST$ 2160.00 AUD
APAC Singapore - Virtual
-
$ 1500.00 USD
-
$ 1500.00 USD
-
$ 1500.00 USD
Don't see a date that works for you?