Search Under the Hood

This course is for students to gain additional insight into how Splunk processes searches.

The course will teach students about Splunk architecture, how components of a search are broken down and distributed across the pipeline, and how to troubleshoot searches when results are not returning as expected.

This eLearning option is available with and without a lab option. If a student opts to take the option without a lab, the eLearning is free.

• Users/Analysts

To be successful, students must have completed these Splunk Education course(s) or have equivalent working knowledge:

• Intro to Splunk eLearning course (recommended)

Module 1 – Investigating Searches

• Use the Search Job Inspector to examine how a search was processed and troubleshoot performance
• Use SPL commenting to help identify and isolate problems

Module 2 – Splunk Architecture

• Understand the role of search heads, indexers, and forwarders in a Splunk deployment
• Understand how the components of a bucket (.tsidx and journal.gz files) are used
• Understand how bloom filters are used to improve search speed

Module 3 – Streaming and Non-Streaming Commands

• Describe the parts of a search string
• Understand the use of centralized vs. distributable commands
• Create more efficient searches

Module 4 – Breakers and Segmentation

• Understand how segmenters are used in Splunk
• Use lispy to reduce the number of events read from disk

Module 5 – Commands and Functions for Troubleshooting

• Using the fieldsummary command
• Using the makeresults command
• Using information functions with the eval command
  • the isnull function
  • the typeof function