Splunk Search Expert Fast Start

Course Duration

3 Days

Audience

Employees of federal, state and local governments; and businesses working with the government.

Prerequisites

Completion of Splunk Advanced Power User Fast Start (SP-APU-FT) or equivalent. Students should hold or be prepared to sit for the Splunk Core Certified Advanced Power User certification.

Course Description

This 3-day Fast Start prepares students to be Splunk search experts. Building on Power User and Advanced Power User skills, students learn to write highly optimized searches, use advanced SPL techniques, apply search best practices for large-scale deployments, and leverage Splunk's full search processing language to extract maximum value from Splunk data.

Learning Objectives

• Construct advanced searches using the full breadth of Splunk SPL
• Apply search optimization techniques to improve performance at scale
• Use advanced transforming commands for complex data analysis
• Implement accelerated data models and tstats-based searches
• Create efficient correlation searches across multiple data sources
• Debug and troubleshoot complex search queries

Course Outline

Working with Time

• Searching with time
• Formatting time
• Comparing index time versus search time
• Using time commands
• Working with time zones

Statistical Processing

• Transforming data
• Manipulating data with eval
• Statistical eval functions
• Multivalue fields and functions

Search Optimization

• Search job inspector
• Search performance best practices
• Accelerating data models
• Using tstats

Correlation Analysis

• Co-occurrence analysis
• Analyzing multiple datasets
• Advanced join and append techniques

Advanced Knowledge Objects

• Field extractions
• Lookups and lookup transforms
• Data models
• Calculated fields

Frequently Asked Questions