Splunk Search

Need more training with Searching

Ab_Splunk
Engager

Good Afternoon, 

So I've recently been hired on as a Splunk admin/analyst.  The scope of my job really relies on my being able to know how to look things up in the search box.  I really need to get proficient in knowing how to search for things after loading my data/files.    

So my question is this- Where can I go to get some more hands on practice to better my SPL (Splunk search) skills.  

 

Thank you,

 

1 Solution

bowesmana
SplunkTrust

I'm assuming you have some Splunk knowledge if you have been hired as a Splunk admin/analyst...

Other than formal, paid-for training, the Splunk Answers community has a good repository of knowledge in its answers. The Splunk Slack usergroup also has a 'search-help' channel:

https://splunk-usergroups.slack.com/archives/CD8B6F65Q

As you are likely to have real data to play with, probably a good way to go is to ask yourself some questions about what you would like to find out from that data and how you would like to visualise it and set about solving those examples.

Some basic things to start with

Arm yourself with the list of commands you have available

https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/ListOfSearchCommands

Know that you will need to know about regular expressions to use the 'rex' command

http://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Rex

The eval command is a Swiss Army knife and you will almost always use it for something

http://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Eval

Note that eval is simply a way to use a wide range of functions, e.g. rounding numbers, playing with time and field manipulation.

stats and timechart are probably the most frequently used aggregation commands

Always make your search as specific as possible to make the amount of data you are processing as small as possible.

Google will give you tons of examples of how to search.

Know how to use subsearches - these are useful

Learn about lookups

As an admin, you should know about using tstats, for an efficient way to search types of data

And forget the concept of SQL 'join' if you come from a SQL background. It's a rare case when you have to use join to search - there are almost always more efficient ways of performing the same task.

And remember, with Splunk search, there is ALWAYS more than one way to get to the same answer - some ways are more efficient than others, so don't wonder too hard whether you have done it the 'right' way.

Capture your search snippets somewhere - it's easy to forget how to use a command unless you use it regularly, so save those cool searches you write somewhere 😀

There are some really good people in the community who are prepared to help with questions you may have, so ask away.

Excuse me for tagging you guys below, but if you have any other useful tips or resources ...

@ITWhisperer @gcusello @richgalloway @isoutamo @kamlesh_vaghela @PickleRick @venkatasri 

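As an added worked example (not from bowesmana's post or from Splunk's documentation) that strings several of the commands above together: it builds a handful of constructed sshd-style log lines with makeresults so it runs in any search bar without real data, extracts fields with rex, normalises them with eval, and then uses stats with a BY clause to correlate failed and successful logins from the same source address. Correlating two kinds of events on a shared key with stats is the usual replacement for join or a subsearch. The log text, IP ranges and the threshold of three failures are all made up for the example.

```spl
| makeresults
| eval raw="Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2;Failed password for root from 203.0.113.5 port 40130 ssh2;Failed password for invalid user test from 203.0.113.5 port 40141 ssh2;Accepted password for deploy from 203.0.113.5 port 40150 ssh2;Failed password for alice from 198.51.100.7 port 51000 ssh2;Accepted publickey for bob from 192.0.2.10 port 22000 ssh2"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "(?<outcome>Failed|Accepted) (?<method>password|publickey) for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)"
| eval outcome=lower(outcome), src_class=if(cidrmatch("192.0.2.0/24", src_ip), "corp", "external")
| stats count(eval(outcome="failed")) AS failures, count(eval(outcome="accepted")) AS successes, dc(user) AS distinct_users, values(user) AS users BY src_ip, src_class
| where failures >= 3 AND successes > 0
| sort - failures
```

The first four lines only exist to fabricate events; against real data replace them with a base search that is as narrow as you can make it, for example `index=os sourcetype=linux_secure ("Failed password" OR "Accepted ") earliest=-24h` (the index and sourcetype names are assumptions, use your own) and change `field=raw` to `field=_raw`. That is what "make your search as specific as possible" means in practice: the index, sourcetype, keywords and time range are applied at the indexers before a single event reaches rex. A lookup step such as `| lookup ip_allowlist.csv src_ip OUTPUT owner` would slot in after the eval, but it needs a lookup file of that name, which is hypothetical here. Note also that the stats line answers "which sources both failed repeatedly and then succeeded" in one pass over the data; the SQL reflex of searching for failures, then joining successes onto them, does the same work twice and hits subsearch limits on large result sets.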

Ab_Splunk
Engager

Thank you all for responding back. This really does help! 


bowesmana
SplunkTrust

Yes @PickleRick - totally agree about subsearches


gjanders
SplunkTrust

While some of the links are dated, these posts are still relevant: https://community.splunk.com/t5/Knowledge-Management/Hungry-Newbie-Best-way-to-learn-Splunk-well-eff...

Along with the linked posts from there, Splunk how-to videos on YouTube, and https://youtube.com/c/SiddharthaChakraborty

Siddhartha is a SplunkTrust member as well 



PickleRick
SplunkTrust

I'd say visit the community often, look what questions people have and what solutions people propose, try to think of your own solutions and compare them with other people's proposals. That's been (and still is) a great source of knowledge for me.

The most "difficult" part for some people - at least from what I see on the community - is that Splunk works differently from - for example - an RDBMS. And you write your searches to behave differently than you would in, let's say, SQL.

Unfortunately, the page at https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/SQLtoSplunk is not a very good source of good practices. It's a document many newcomers find early on and try to "think in SQL and translate to SPL", but it simply doesn't work that way.

It's useful if you have some experience with bash scripting because the pipes in SPL are not purely decorative - they work in a very similar way to how passing data in bash pipelines works, so if you've learned the intuition of passing data between subsequent steps, it's very helpful.

Oh, and adding to your reply, @bowesmana, learn how not to use subsearches unless absolutely necessary. 😉
