Splunk Series II: Fundamentals II

So we got to this point: the Fundamentals 2 section of my training. This training builds on the Fundamentals 1 course, which covers pretty much all the tools you can use for searching and understanding data in Splunk.

What is part of Fundamentals 2:

Transforming commands and Visualizations
Filter/Format results of a Search
Correlate Events into Transactions
Knowledge Objects
Extracted Fields, Fields Aliases and Calculated Fields
Tags and Event Types
Macros and Workflow Objects
Manage Data Models
Splunk Common Information Model

Why this Blog Series

These notes are written to help me understand the content of the course better. I use these blog posts to make sure I get more familiar with the terms and information in the course. Feel free to take advantage of them in any way that helps your own studies.

Recap on the Basics

Case Sensitivity: Sensitive

The following are case sensitive:
Boolean Operators: AND, OR, NOT
Field Names
Field Values, but only when they come from Lookups
Regular Expressions
Eval and Where commands
Tags

Case Sensitivity: Insensitive

The following are not case sensitive:
Command Names
Command Clauses
Search Terms
Statistical Functions
Field Values
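As an added example, not part of the original post or the course material, the three searches below build three constructed events with makeresults (the hosts web01, web02 and WEB03 and the status values Failed, failed and Success are made up) and push them through the case-sensitive and case-insensitive paths listed above.

```spl
| makeresults count=3
| streamstats count AS n
| eval host=case(n=1, "web01", n=2, "web02", n=3, "WEB03")
| eval status=case(n=1, "Failed", n=2, "failed", n=3, "Success")
| search status=failed

| makeresults count=3
| streamstats count AS n
| eval host=case(n=1, "web01", n=2, "web02", n=3, "WEB03")
| eval status=case(n=1, "Failed", n=2, "failed", n=3, "Success")
| where status="failed"

| makeresults count=3
| streamstats count AS n
| eval host=case(n=1, "web01", n=2, "web02", n=3, "WEB03")
| eval status=case(n=1, "Failed", n=2, "failed", n=3, "Success")
| where lower(status)="failed"
```

The first search returns both failed events, because the search command compares field values case-insensitively, the same way a search term typed in the search bar does. The second returns only the lowercase event, because where is case sensitive. The third normalizes the value with lower() and returns two events again, which is the safe way to write a where clause when you cannot trust the case of what the source sends. Field names follow the same rule: `| where Status="failed"` matches nothing, since no field called Status exists. Boolean operators must be uppercase too: `status=failed OR status=success` is two alternatives, while a lowercase `or` is just another word to search for.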

Beyond the Basics

How does Splunk store events as they come in from different sources? Splunk uses a concept called buckets. Hot buckets hold data as it comes in from the source; as buckets age, the data is moved to warm and then cold buckets. Each bucket has its own raw data, metadata and index files.

Time is the most efficient search filter. After time, the most powerful keywords are host, source and sourcetype. To make searches as efficient as possible, include as many terms as you can.

Use of Wildcards

Splunk only searches for whole words, but wildcards are allowed. Only trailing wildcards make efficient use of the index.

General Search Practices

Inclusion is better than exclusion. Filter as early as possible in your search, and remove duplicates as early as possible as well. Use the appropriate search mode: pick between Verbose, Fast and Smart.
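The following pair of searches is an added example (not from the course or the original post) that puts the time, keyword, wildcard and filter-early advice of the last three sections side by side. It assumes an index named web holding web server logs with the sourcetype access_combined and the fields host, clientip, status and uri; the index name and the host naming pattern web* are assumptions. Both searches try to answer "which URIs returned server errors in the last day, counting each client once".

```spl
index=web earliest=-24h
| search host=*01 status=5*
| stats count BY clientip, uri
| dedup clientip

index=web sourcetype=access_combined host=web* status=5* earliest=-24h
| dedup clientip
| stats count BY uri
```

The first search pulls every event in the index for the time range and only then filters with a second search command, uses a leading wildcard on host that cannot use the index, and deduplicates after stats has already done the expensive work. The second one puts sourcetype, host, status and the time range in the base search so the indexer discards non-matching events before they are ever returned, uses a trailing wildcard that the index can serve, asks for what it wants (5xx statuses) instead of excluding what it does not want, and deduplicates before the transforming command. The search job inspector, covered below, is the place to confirm how much time each version actually spent.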

Transforming Commands

Transforming commands massage the data into a results table: they transform specified cell values for each event into numerical values, which you can then use for statistical purposes. Some of the transforming commands are: top, rare, chart, timechart, stats, geostats.
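As an added example, not code from the course or the original post, each search below applies one of the transforming commands named above to the same assumed index of web server logs (index web, sourcetype access_combined, with the fields host, clientip, status, uri and useragent; these names are assumptions about the environment).

```spl
index=web sourcetype=access_combined earliest=-24h
| stats count AS requests, dc(clientip) AS unique_clients BY host

index=web sourcetype=access_combined earliest=-24h status=5*
| top limit=5 uri

index=web sourcetype=access_combined earliest=-24h
| rare limit=5 useragent

index=web sourcetype=access_combined earliest=-24h
| timechart span=1h count BY status

index=web sourcetype=access_combined earliest=-24h
| chart count OVER host BY status
```

Every one of these turns a stream of events into a table: stats gives one row per host with a request count and a distinct-client count, top gives the five most common URIs among server errors with their count and percentage, rare does the opposite and surfaces the five least common user agents (a quick way to spot an unusual client in otherwise uniform traffic), timechart gives one row per hour with a column per status code so an error spike is visible at a glance, and chart produces a host-by-status matrix. Because the output is a table, each of these can be fed straight into the visualizations that the next post covers.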

The Search job inspector

It helps to look at the overall stats of a search, analyze how the search was processed and see where the time was spent. Use it to troubleshoot performance. Any existing search job can be inspected.

What is next?

Visualizations

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 15 years of experience, Andres specializes in Unified Communications and Collaboration technologies. He has consulted for several companies in South Florida, as well as for financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and hosted IPT service provider infrastructures.

You can follow Andres using Twitter, LinkedIn or Facebook
