Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to learn and master Splunk searches?

macadminrohit
Contributor
‎04-29-2018 11:59 AM

What is the best way of mastering the Splunk development in terms of writing splunk searches and other development in Splunk?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎04-29-2018 12:24 PM

Basically it boils down to one thing: experience

However, there is different ways to get it.

  • Do it. Build lots of searches, fail miserably, learn, improve, fail harder, learn more.
  • The Advanced Searching and Reporting course. I learned a bunch of really good tips there, it's definetely worth the time/money.
  • Stick around in the community. Here on Answers, on Slack, etc. People will post their problems, and you can either try to solve them, or you can just observe and listen how more experienced people will do that. I'd consider this a really good way, because you don't need to make EVERY mistake by yourself - let others make them and learn from it. 😉
  • There are some really good .conf presentations, take a look at those slides.

Hope that helps you!

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎05-01-2018 12:58 AM

Read About Search Optimization Documentation, specially, Write Better Searches

Also check out Best Practices in Splunk .conf Sessions (PS: I have given 2017 .conf session link, however, you can get the .conf Archive Search App from Splunkbase for searching across various years of .conf Sessions which gets updated every year.

If you intend to use Post Processing you can check out Post Processing Best Practices

If you are using lookup command/geostats/iplocation etc you should see the feasibility of using transforming command first ollowed by the lookup. Refer to documentation on Lookup Optimization.

Once your searches/reports/dashboard/alerts start to get into shape, start using as many Knowledge Objects as possible for easy re usability and maintenance of code.

In order to improve performance of Report/Dashboard/Data Model use Summary Indexing based acceleration.

Above all I would agree to what everyone have mentioned about Splunk Answers. Just spend an hour or go through 10-15 questions here daily and you will learn a lot from what tips and tricks that community experts have hidden under their sleeves. I learn something new almost every day 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

macadminrohit
Contributor
‎04-29-2018 08:51 PM

Just wanted to accept all as answers 🙂

Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎04-29-2018 11:58 PM

You can only accept one, but you can upvote as many as you like 😉

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-29-2018 08:23 PM

The best way is to participate in this forum. Pick a few good answerers (the top 10 is a good place to start) and follow them. Also start trying to answer questions and try for ones that are just beyond your grasp. Review the answers with the most votes and the answers to the questions with the most votes. Tear apart the answers, pipe-by-pipe and see how each one works. Get experience by living through the experience of others, then get your own by contributing your own answers.

Reply
Solved! Jump to solution

ssadanala1
Contributor
‎04-29-2018 12:59 PM

I think its kinda trickier question to answer .

The best way might to understand what each command does and trying them on the example data makes you better .

Reply
Solved! Jump to solution

macadminrohit
Contributor
‎04-29-2018 01:32 PM

where do you get the example data?

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎04-29-2018 01:44 PM

Some example data from the Splunk tutorial:
http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchTutorial/Systemrequirements#Download_the_tut...

Some Airline example data:
https://www.transtats.bts.gov/Tables.asp?DB_ID=120

Bunch of datasets from Amazon:
https://registry.opendata.aws/

Good luck 😉

0 Karma
Reply
Solved! Jump to solution

ssadanala1
Contributor
‎04-29-2018 01:36 PM

You need to get well with evengen app which generates example data

https://splunkbase.splunk.com/app/1924/

0 Karma
Reply
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎04-29-2018 12:24 PM

Basically it boils down to one thing: experience

However, there is different ways to get it.

  • Do it. Build lots of searches, fail miserably, learn, improve, fail harder, learn more.
  • The Advanced Searching and Reporting course. I learned a bunch of really good tips there, it's definetely worth the time/money.
  • Stick around in the community. Here on Answers, on Slack, etc. People will post their problems, and you can either try to solve them, or you can just observe and listen how more experienced people will do that. I'd consider this a really good way, because you don't need to make EVERY mistake by yourself - let others make them and learn from it. 😉
  • There are some really good .conf presentations, take a look at those slides.

Hope that helps you!

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...