Search Under the Hood

Course structure

Topic 1 – Investigating Searches

• Use the Search Job Inspector to examine how a search was processed and troubleshoot performance
• Use SPL commenting to help identify and isolate problems

Topic 2 – Splunk Architecture

• Understand the role of search heads, indexers, and forwarders in a Splunk deployment
• Understand how the components of a bucket (.tsidx and journal.gz files) are used
• Understand how bloom filters are used to improve search speed

Topic 3 – Streaming and Non-Streaming Commands

• Describe the parts of a search string
• Understand the use of centralized vs. distributable commands
• Create more efficient searches

Topic 4 – Breakers and Segmentation

• Understand how segmenters are used in Splunk
• Use lispy to reduce the number of events read from disk

Topic 5 – Commands and Functions for Troubleshooting

• Using the fieldsummary command
• Using the makeresults command
• Using information functions with the eval command
  • the isnull function
  • the typeof function