Splunk 101: Basic Search

Captions
And welcome to today's video. I'm your host, Mike Mims. I'm with Kinney Group, I'm also a Splunk Certified Admin, and I'm excited to give you guys some tips and tricks on best practices when searching in Splunk. Without further ado, let's get into it.

So, disclaimer right off the bat: I'm going to be searching in All Time here, and this is definitely not a best practice when searching in Splunk. This tells Splunk to retrieve the data all the way back to when it first got ingested up to the present moment, and if you're in a big environment this could really bring things to a screeching halt really fast. So it's best practice to specify what index you would like Splunk to go look into, and the time range picker plays a big factor as well. If you're looking for, say, failed login attempts and it happened at a particular time period, you want to go and let Splunk know that, so that Splunk only retrieves data from that time frame. If it happened in the last 15 minutes, let's just search Splunk for the last 15 minutes and retrieve that data, and you should have your answer in the data that Splunk retrieves back.

So right here we're going to go ahead and run this search: index=main, letting Splunk know that we want to search the main index for the data we're interested in. I want to show you just how long this one takes even if you do specify just one index. So we go into the Job Inspector and hit Inspect Job, and we can see that this search job took 15 seconds to run, and this is searching just one index. You can see that Splunk brought back over 280, possibly 300, fields associated with this index. That's quite a bit of data. So what you want to do is help Splunk get even more granular about what data you're actually searching for, and this can be accomplished maybe by a particular host (say it's a Windows machine), a particular source of data that's coming in, or a source type. Here we're going to be telling Splunk what source type we're actually interested in, and we're going to see how much faster Splunk is able to retrieve all the data associated with that one source type that lies within the main index.

Another thing I want to bring to your attention is Splunk's search modes. Splunk comes out of the box with three search modes: Fast mode, Smart mode, and Verbose mode. Fast mode is obviously the fastest of the three, retrieving your events with lightning-fast speed, but you sacrifice some completeness with this mode, so use it sparingly. Smart mode is that happy medium between Fast and Verbose: it does give you some completeness while at least being faster than Verbose mode. And then Verbose mode is the thorough check of all the data, very complete, and it also brings back statistics and events if you're running a transforming command with your SPL. I can show you guys that later as well to give you an example of that.

But back to this example. Now we've specified the index and the source type associated with the data we're looking for, and you can see that Splunk has now brought back 130,000 events versus the nearly 300,000 events, and we've cut it down to 10 seconds. So, really good compared to the 15 seconds we were facing before. This is the beginning of how you want to start building your searching skills.

Now, one thing I want to make you guys aware of is that Splunk does allow wildcards, and this is something that you also want to use sparingly; only use it when you absolutely have to, because right here this search criteria is telling Splunk to search all of my indexes, and again, if you're in a large environment this can take a very, very long time to complete. It's something that you want to avoid at all costs, okay, especially in a production environment.

Now, another thing I hit on was the amount of fields that came back. The search with just index=main brought back roughly 300 or so fields. Now we've specified the source type, and we only see nine more fields associated with the interesting fields here. So one thing that we can do to help Splunk out is, again, get even more granular by letting Splunk know what fields we're actually interested in. We're going to do the pipe fields command, and let's say we're only interested in the action field down here, and let's choose the JSESSIONID as well. So we're going to do these two fields right here, and look: Splunk only brought back data that was associated with these two fields, and if we go into the Job Inspector and look at this job, it only took three seconds to run versus the 10 seconds. So again, getting granular about what we're actually looking for in the Splunk environment.

So right now I want to show you guys what a transforming command looks like, and the search modes as well. If we add in stats count by action, then, like I mentioned, if you run this in Verbose mode with the transforming command here you're going to be able to see your statistics on this tab, and you can go ahead and switch back to the events as well and look through here. If you run a transforming command in Fast mode, in this particular case, since we have a transforming command in there, you're just going to see your statistics; you're not going to be able to access your events. If you switch to Smart mode, same thing here. You're going to have to switch to Verbose mode in order to see both of these. I just wanted to show you guys that.

Here is another technique to use when searching your data in Splunk. I'm going to show you this table right here: I threw the JSESSIONID field into a table, and as you can see we have a table with 20 rows per page, and there's a lot of these. Now, if you're only interested in, let's say, the top 20, we run this command and Splunk has a lot better time retrieving just this small amount of data, this data set, instead of the numerous other field values in this table.

So again, to sum this all up: be specific, know what data you're looking for, and also be cognizant of your time range picker when it comes to your searching. All right, that takes care of this video for today, everyone. I appreciate everyone's time and everyone joining here. I hope you enjoyed it. Take care.
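The progressively narrowed searches the video walks through, written out as SPL; this is an added example, not the video's own searches. The sourcetype access_combined_wcookie, the earliest=-15m modifier as the in-search equivalent of the time range picker, and head 20 for the top-20 step are assumptions, since the video does not show those exact values.

```spl
index=* ```Anti-pattern from the video: wildcard over every index, run over All Time; avoid in production```

index=main earliest=-15m latest=now ```Step 1: one index plus a bounded window; the time modifiers do in SPL what the time range picker does in the UI```

index=main sourcetype=access_combined_wcookie earliest=-15m latest=now ```Step 2: add the sourcetype (assumed name) so Splunk only reads that one data source inside main```

index=main sourcetype=access_combined_wcookie earliest=-15m latest=now
| fields action JSESSIONID ```Step 3: keep only the two fields of interest; fewer fields extracted means a faster job, as the Job Inspector shows```

index=main sourcetype=access_combined_wcookie earliest=-15m latest=now
| fields action JSESSIONID
| stats count by action ```Step 4: transforming command; populates the Statistics tab, and only Verbose mode keeps the Events tab as well```

index=main sourcetype=access_combined_wcookie earliest=-15m latest=now
| fields JSESSIONID
| table JSESSIONID
| head 20 ```Step 5: assumed way to return only the first 20 rows instead of paging through every session id```
```

Run each search in the Search & Reporting app and compare the Job Inspector run time between steps; the drop from the wildcard search to step 3 is the effect the video measures.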
Info
Channel: Kinney Group
Views: 10,002
Keywords: Splunk, tutorial, basic search
Id: S0JBOhBc-yU
Length: 9min 4sec (544 seconds)
Published: Mon Aug 03 2020