So we got to this point: the Fundamentals 2 section of my training. This course builds on Fundamentals 1, which covers pretty much all the tools you can use for searching and understanding data in Splunk.
What is part of Fundamentals 2:
Transforming commands and Visualizations
Filter/Format results of a Search
Correlate Events into Transactions
Knowledge Objects
Extracted Fields, Field Aliases and Calculated Fields
Tags and Event Types
Macros and Workflow Actions
Manage Data Models
Splunk Common Information Model
Why this Blog Series
I write these posts to understand the content of the course better and to get more familiar with its terms and concepts. Feel free to use them in any way that helps your own studies.
Recap on the Basics
Case Sensitivity: Sensitive
The following are Case Sensitive
Boolean Operators: AND, OR, NOT
Field Names
Field Values, but only when they come from lookups (lookup matching is case sensitive by default)
Regular Expressions
String comparisons in the eval and where commands
Tags
Case Sensitivity: Insensitive
The following are not case sensitive
Command Names
Command Clauses
Search Terms
Statistical Functions
Field Values in search terms (field=value)
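The rules above bite hardest in detection searches: a where clause that compares a field against "failed" silently drops every event logged as "Failed" or "FAILED". A quick way to see the difference is to build a few rows with makeresults and compare the operators side by side. The search below is an added example, not from the course; the action values are constructed inline, so it runs on any Splunk instance without indexed data.

```spl
| makeresults count=3
| streamstats count AS n
| eval action=case(n=1, "Failed", n=2, "FAILED", n=3, "Success")
| eval where_exact=if(action="failed", "match", "no match")
| eval where_lower=if(lower(action)="failed", "match", "no match")
| eval regex_exact=if(match(action, "^failed$"), "match", "no match")
| eval regex_flag=if(match(action, "(?i)^failed$"), "match", "no match")
| search action=failed
| table n action where_exact where_lower regex_exact regex_flag
```

The `search action=failed` stage keeps rows 1 and 2 and drops "Success", because field values in search terms are case insensitive. For those same two rows, `where_exact` and `regex_exact` both read "no match" (eval string comparison and match() are case sensitive), while `where_lower` and `regex_flag` read "match". When a field's casing is not under your control, normalize it with lower() or upper() before comparing, or put `(?i)` in the regular expression.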
Beyond the Basics
How does Splunk store events as they come in from different sources? Splunk uses a concept called buckets. Incoming data is written to hot buckets, the only writable ones. As buckets age they roll to warm and then cold buckets (still searchable, but read only), and finally to frozen, where they are deleted or archived. Each bucket contains its own raw data (the compressed journal), its index (tsidx) files and metadata.
Time is the most efficient search filter. After time, the most powerful filters are index, host, source and sourcetype, because they are indexed with every event. To make searches efficient, include as many of these terms as possible in the base search; each one shrinks the set of events Splunk has to read from disk.
Use of Wildcards
Splunk indexes and searches whole terms, but wildcards are allowed. Only a trailing wildcard (fail*) makes efficient use of the index; a leading wildcard (*fail) forces Splunk to scan the whole lexicon of terms in the time range, and a wildcard in the middle of a term can return inconsistent results.
General Search Practices
Inclusion is better than exclusion: searching for "Failed password" is faster than NOT "Accepted password". Filter as early as possible in your search, and remove duplicates as early as possible too, so later commands handle fewer events and fewer fields. Use the appropriate search mode: Fast returns only the fields you ask for and is quickest, Verbose discovers every field and is slowest, and Smart behaves like Fast when the search contains a transforming command and like Verbose when it does not.
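To make these practices concrete, here are two searches that answer the same question: how many failed SSH logins each source address produced against the web hosts in the last 24 hours. Both are added examples, not from the course, and assume a hypothetical index `os` with sourcetype `linux_secure` in which the fields `src_ip` and `user` are already extracted. The first search ignores every practice above; the second applies them.

```spl
index=* *password* earliest=-24h
| where sourcetype="linux_secure" AND like(host, "%web%")
| search NOT "Accepted password"
| stats count AS failures, dc(user) AS targeted_users BY src_ip
| sort - failures

index=os sourcetype=linux_secure host=web* "Failed password" earliest=-24h
| fields src_ip, user
| stats count AS failures, dc(user) AS targeted_users BY src_ip
| sort - failures
```

The first search reads every index (index=*), uses a leading wildcard that forces a lexicon scan, retrieves all matching events before the where clause throws most of them away, and excludes with NOT instead of including the term it actually wants. The second puts index, sourcetype, host and the literal phrase in the base search so the indexers do the filtering, uses only a trailing wildcard, and drops every field except the two that stats needs before the data crosses the network. Run both with the Search Job Inspector open and compare the scanned event counts.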
Transforming Commands
Transforming commands order the search results into a data table, transforming the specified cell values for each event into numerical values you can use for statistical purposes and for charts. Once a transforming command runs, the search no longer returns the raw events, only the table. Some of the transforming commands are top, rare, chart, timechart, stats and geostats.
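The search below, an added example that is not from the course, builds six constructed login events with makeresults and collapses them with stats into one row per source address and outcome. The IP addresses, user names and outcomes are made up inline, so it runs without any indexed data.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=now() - n*600
| eval src_ip=case(n<=3, "203.0.113.10", n=4, "198.51.100.7", true(), "203.0.113.11")
| eval user=case(n=1, "root", n=2, "admin", n=3, "oracle", n=4, "alice", true(), "root")
| eval action=if(n=4, "success", "failure")
| stats count AS attempts, dc(user) AS distinct_users, values(user) AS users, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, action
| eval first_seen=strftime(first_seen, "%H:%M"), last_seen=strftime(last_seen, "%H:%M")
| sort - attempts
```

The result is three rows: 203.0.113.10 with 3 failures against 3 distinct users (admin, oracle, root), 203.0.113.11 with 2 failures against a single user, and 198.51.100.7 with one success. Six events became a table in which the account-spray pattern is visible at a glance, but the `_raw` field is gone, so any filter that needs the original event text has to sit before the stats command. Replacing the stats line with `timechart span=10m count BY src_ip` produces the kind of table the Visualizations topic builds on.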
The Search job inspector
It shows the overall statistics of a search (events scanned, results returned, time spent) and how the search was processed, including how long each command and each phase took. Use it to troubleshoot performance. Any search job that has not yet expired can be inspected.
What is next?
Visualizations
About the Author:
Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 15 years of experience, Andres specializes in Unified Communications and Collaboration technologies. He has consulted for several companies in South Florida, as well as for financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and hosted IPT service provider infrastructures.