Full Course | Splunk Search and Reporting | All You Need To Know | Zero To Expert.

Edit subtitles

0:00 - 0:04
0:04 - 0:05

Hi, friends.
0:05 - 0:08

This video is about search
and reporting basics.
0:08 - 0:12

So before begin, I
wanted to inform you
0:12 - 0:15

that this topic will
cover a maximum question
0:15 - 0:17

from the fundamental 1 exam.
0:17 - 0:24

So from this topic, around 25%
of questions comes in the exam.
0:24 - 0:26

So please, pay
attention on this.
0:26 - 0:33

So as I earlier mentioned that
everything in Splunk is app.
0:33 - 0:36

So Search and Reporting
is also one of the app.
0:36 - 0:40

So let's go to Search
and Reporting app.
0:40 - 0:46

So once you click on that, it
will go to this window here.
0:46 - 0:48

I have already
explained about it.
0:48 - 0:53

Just go to that video and have a
look of what all functionality.
0:53 - 0:56

This is called a search bar.
0:56 - 1:00

So search bar-- how to--
1:00 - 1:04

in a Google search bar,
if you type something,
1:04 - 1:06

it will give you some results.
1:06 - 1:11

So similarly, it's a Google for
your logs, whichever you have
1:11 - 1:13

ingested in your environment.
1:13 - 1:20

So if you want to search
anything, just start with error.
1:20 - 1:22

If anything is there in your--
1:22 - 1:26
1:26 - 1:29

anything is there-- any
error is there in your log,
1:29 - 1:32

so it will come in the picture.
1:32 - 1:37

So currently, there is
no things called error.
1:37 - 1:45

So let me search with some
other fatal or no fail.
1:45 - 1:47

There is nothing called fail.
1:47 - 1:52
1:52 - 1:54

So there is no
error in my system.
1:54 - 1:56

So let's start with some other--
1:56 - 2:00
2:00 - 2:01

the keyword info.
2:01 - 2:08

So I will click on it, and it
should show some info because I
2:08 - 2:11

haven't given any index.
2:11 - 2:13

So before that, it
should have some index.
2:13 - 2:16
2:16 - 2:17

Internal.
2:17 - 2:20
2:20 - 2:25

And I'll call it as info.
2:25 - 2:26

So it should come like--
2:26 - 2:29

first, you need to
mention any of the index
2:29 - 2:33

in the environment,
whatever index is there.
2:33 - 2:34

And then you go for the keyword.
2:34 - 2:38

Now, main thing you
need to understand here
2:38 - 2:42

is if you type it, there will
be some assistance will come
2:42 - 2:48

in picture, like all
keywords you can use it
2:48 - 2:52

and all things you
can match it through.
2:52 - 3:03

So you can continue whatever
in your mind to type.
3:03 - 3:06

Or if you know everything,
you can do by your own,
3:06 - 3:09

or it will suggest the--
3:09 - 3:13

Splunk assist you on that.
3:13 - 3:17

So once you type pipe, it
will give you all the commands
3:17 - 3:18

which is related to--
3:18 - 3:22

or you have earlier used, or it
will give you some assistance,
3:22 - 3:24

that these command you can use.
3:24 - 3:28

And if you hovering over it--
3:28 - 3:31

you are hovering over it, you
can see the definition of it
3:31 - 3:32

comes in.
3:32 - 3:35

If you want to learn more,
you can click on More
3:35 - 3:39

and go to your search or do--
3:39 - 3:46

go to the help, and you
can work over there.
3:46 - 3:47

So like this.
3:47 - 3:52
3:52 - 3:57

See, the things are--
3:57 - 4:00

if you want to--
say, if you say I
4:00 - 4:03

want to type a chart
or stats command,
4:03 - 4:05

I want to use
statistics command.
4:05 - 4:10

So it will assist what can
you do with the stats command.
4:10 - 4:15

You want to do count or you want
to do the count by host or count
4:15 - 4:16

by something.
4:16 - 4:20

So these all things will come
first or everything will come.
4:20 - 4:22

So it will assist you.
4:22 - 4:26

And how to access that--
4:26 - 4:28

how to enable this or disable.
4:28 - 4:31

By default, it is enabled, but
it is enabled in compact mode.
4:31 - 4:39

So you need to go to
admin preferences or user.
4:39 - 4:42

If your user, it will show user.
4:42 - 4:43

I am admin.
4:43 - 4:44

That's why it is
showing me admin.
4:44 - 4:50

So preferences, SQL editor.
4:50 - 4:55

And here, you can see currently
the assistant mode is compact.
4:55 - 4:57

If you want to do
full assistance,
4:57 - 4:59

you can do it full assistance.
4:59 - 5:01

Though I have already
covered this topic
5:01 - 5:04

in my previous videos,
just I will inform.
5:04 - 5:10

If you click this, it will
give you more information
5:10 - 5:12

about the command.
5:12 - 5:17

So you can see the
difference stats.
5:17 - 5:22

Now, the command will come
history command, or command
5:22 - 5:23

history, or something.
5:23 - 5:25

The assistance will come.
5:25 - 5:30

Now here, the example or the
details about that command
5:30 - 5:31

will come.
5:31 - 5:32

You can see it here.
5:32 - 5:34

You want to-- if you want
to click on More or Help,
5:34 - 5:40

it will give you currently
auto-selection is open.
5:40 - 5:42

Auto-open.
5:42 - 5:46

If you want to do auto-open,
you can select or unselect it.
5:46 - 5:52
5:52 - 5:55

Now, working with parenthesis
in assistance mode.
5:55 - 6:00

Like if you want
to put parentheses
6:00 - 6:05

the matching parenthesis
is there, it will say--
6:05 - 6:09

it will highlight the
matching parenthesis.
6:09 - 6:12

If there is no parenthesis, it
will not highlight anything.
6:12 - 6:14

So this is how the
assistance will work.
6:14 - 6:17
6:17 - 6:23

If in case you forget to
put the parenthesis-- so
6:23 - 6:27

for individual
opening parenthesis,
6:27 - 6:29

there will be a
closing parenthesis.
6:29 - 6:32

So this is how you can
identify whether you
6:32 - 6:35

used the correct number
of parenthesis or not.
6:35 - 6:38
6:38 - 6:40

Now, when you use
any search, it will
6:40 - 6:43

give you result immediately.
6:43 - 6:48

And the result will be in
reverse chronological order.
6:48 - 6:50

That means that the
latest event come first
6:50 - 6:56

and the oldest event
will come last.
6:56 - 6:59

If you want to search
the oldest event,
6:59 - 7:04

you want to run reverse command.
7:04 - 7:07

So you can see the oldest first.
7:07 - 7:09
7:09 - 7:14

Also, you can see the
term which we have used
7:14 - 7:21

is highlighted in
the result itself.
7:21 - 7:24

Here, you can see whatever
field you will put,
7:24 - 7:26

it will highlight over there.
7:26 - 7:33

Now, whenever you search for any
events or anything, there are--
7:33 - 7:35

number of field
comes automatically.
7:35 - 7:41

And those are the timestamp,
and timestamp of event, host,
7:41 - 7:46

source, source type, and index.
7:46 - 7:49

So these are the major
things come by default.
7:49 - 7:51

If you do not
specify, it will come.
7:51 - 7:54
7:54 - 8:00

So this thing needs to be
taken under consideration
8:00 - 8:04

that whenever you--
8:04 - 8:10

so let's see what all other
things are there in the result.
8:10 - 8:14

So you can see here, the events.
8:14 - 8:16

The events is shown here.
8:16 - 8:18

You can see events.
8:18 - 8:19

The second one is--
8:19 - 8:22
8:22 - 8:26

this is called a
time range picker.
8:26 - 8:28

This is called a
time range picker,
8:28 - 8:34

where you can select time
for which you want the data.
8:34 - 8:42

And this is called
a field sidebar,
8:42 - 8:45

where you can see the selected
fields and interesting fields.
8:45 - 8:50

Selected field means when you
click it and you said yes,
8:50 - 8:52

so it will come
in selected field.
8:52 - 8:58

And again, if you do not want to
include it here, you can click.
8:58 - 9:03

This is the time stamp and other
metadata attached to your event.
9:03 - 9:06
9:06 - 9:08

Paginator.
9:08 - 9:11

So here, we can see
a paginator, where
9:11 - 9:14

you can go to multiple pages.
9:14 - 9:17

One by one, you can go to Pages.
9:17 - 9:20
9:20 - 9:25

And also, a timeline format--
9:25 - 9:27

how you want it--
9:27 - 9:29

compact, full, hidden.
9:29 - 9:31

So this is a timeline pattern.
9:31 - 9:40

This is a small
representation of your data--
9:40 - 9:44

at what time your
data has come--
9:44 - 9:49

you can see, I have a data on--
9:49 - 9:53

these main number of data
is there on Saturday.
9:53 - 9:55

This is the date and everything.
9:55 - 9:58
9:58 - 10:00

This is called Hold Event.
10:00 - 10:05

And also, I have explained
you these are the metadata.
10:05 - 10:07

And this is generally
a selected field,
10:07 - 10:09

which you select over here.
10:09 - 10:13

So those will come over there.
10:13 - 10:17

So you can see, if I do that,
the selected field, it has added
10:17 - 10:19

a new selected field over here.
10:19 - 10:22

If I unselect it,
it will go off.
10:22 - 10:25

So you can see it.
10:25 - 10:26

So this is Event.
10:26 - 10:28

All the events come over here.
10:28 - 10:30

And this is a Search Mode--
10:30 - 10:33

in what mode you want
to run the search.
10:33 - 10:37

So about this Search
Mode, I'm going
10:37 - 10:43

to create a video in our next
part, that is fundamental 2.
10:43 - 10:46

So for now, you need to consider
how many modes are there.
10:46 - 10:50
10:50 - 10:52

If you want to modify
your search according
10:52 - 11:01

to your results, you can do that
as well over any specific value.
11:01 - 11:04

So it will get highlighted.
11:04 - 11:06

And now, if you
click over here, it
11:06 - 11:11

will say if you want to
add this value in search,
11:11 - 11:15

or exclude, or open a new
search-- if you will add,
11:15 - 11:18

it will get added and it will
search according to that.
11:18 - 11:20

If you want to exclude it--
11:20 - 11:21

remove-- it will get removed.
11:21 - 11:26

Also, a particular thing,
if you want to exclude it,
11:26 - 11:27

you can exclude as well.
11:27 - 11:31

It will say not for
that particular.
11:31 - 11:34
11:34 - 11:42

Also, if you want to open
that in a new search,
11:42 - 11:45

it will get opened
in the new search.
11:45 - 11:48

It will open a new search.
11:48 - 11:52

So similarly, you can use
this function as well.
11:52 - 11:55

Now, again, if you
can see in the event
11:55 - 11:59

there are 50 events per page.
11:59 - 12:01

If you want, you can
increase it to 10--
12:01 - 12:06

or you can decrease or
increase it to 50 per page.
12:06 - 12:08

Now, again, how you
want to see the data--
12:08 - 12:11

this is in the List format.
12:11 - 12:15

So here, you can see a raw
format, where the data will
12:15 - 12:17

be shown as raw table--
12:17 - 12:19

that it will show in table.
12:19 - 12:23

By default, it's in List format.
12:23 - 12:27
12:27 - 12:30

That is called a
layout of your event.
12:30 - 12:36

So now, if you go
to Time Range, there
12:36 - 12:40

are different-- if you want
to choose a particular time
12:40 - 12:43

range from where you want
to get the data-- this
12:43 - 12:48

is a present time range,
where it has a relative time.
12:48 - 12:49

This is the relative time.
12:49 - 12:50

This is the real time.
12:50 - 12:53

So real time, it
means it will search
12:53 - 12:55

for the data in real time.
12:55 - 12:57

It will look for--
12:57 - 13:00

say, if you selected
five minutes of data--
13:00 - 13:03

if you select it,
it continuously
13:03 - 13:06

will looking for the data
for last five minutes.
13:06 - 13:08

Means it's a real-time searches.
13:08 - 13:12

So continuously, it will
be looking for the data.
13:12 - 13:17

So similarly, there
are customized fields--
13:17 - 13:19

customized time picker is there.
13:19 - 13:22

So relative time picker, if
you want to select a relative
13:22 - 13:25

or real-time--
13:25 - 13:29

again, I'd shown the
real-time date and and range,
13:29 - 13:31

date and time
range, and advance.
13:31 - 13:36

So these are the time
picker, where you can search
13:36 - 13:40

the data for a particular time.
13:40 - 13:42

So these are called--
13:42 - 13:46

the below-- and these are
called advanced time picker.
13:46 - 13:47

These are called
Advanced Time Picker.
13:47 - 13:52

If you want-- if you go
to Advanced Time Picker--
13:52 - 13:53

as it is shown--
13:53 - 14:00

Advanced Time picker, there is a
abbreviation, like h for hours,
14:00 - 14:07

s for second, m for minute,
d for days, weeks, months,
14:07 - 14:10

and year-- y for year.
14:10 - 14:15

Mo and mon is for month.
14:15 - 14:18

Week, you need to use w.
14:18 - 14:20

So what it means--
14:20 - 14:22

so whenever you have put like--
14:22 - 14:26

it will search for a specific--
14:26 - 14:35

say, if you have
put 30 minute and--
14:35 - 14:41

30 minute, and you have at hour.
14:41 - 14:46

So if your event has come--
if you have ran the search
14:46 - 14:57

for, say, 10:35 m-- if
you run that command--
14:57 - 15:03

and you are looking for
past 30 minutes of time,
15:03 - 15:07

so the data will be
fetched for 10:00.
15:07 - 15:13

Not 10 past 5.
15:13 - 15:16

It will not search for 10 past
5 because you have rounded off
15:16 - 15:17

for hours.
15:17 - 15:19

So it will check for
a particular hour,
15:19 - 15:22

a specific value--
specific hour.
15:22 - 15:30

So it will search for
10:00 AM, instead of 10, 5.
15:30 - 15:34

So this is the
abbreviation we use.
15:34 - 15:38
15:38 - 15:41

Also, when we talk
about a time range--
15:41 - 15:53

so there are-- in search itself,
you can use earliest time--
15:53 - 15:55

if you say it, hour.
15:55 - 16:02

So this will search
for past hour--
16:02 - 16:03

past one hour.
16:03 - 16:07

It will search for the
data past one hour.
16:07 - 16:09

Now, if you want to put--
16:09 - 16:16

there are some other things
are there, like, say,
16:16 - 16:34

if you want to put in the
latest will be at the rate T.
16:34 - 16:38

So I think there
is no data for--
16:38 - 16:41

for past two days,
there is no data
16:41 - 16:44

because I have installed
the instance right now.
16:44 - 16:49

But it will search for last--
16:49 - 16:56

look back from two days ago
up to the beginning of today.
16:56 - 16:59

It will look back
for two days ago,
16:59 - 17:05

and the latest event will
be the beginning of the day.
17:05 - 17:09

So similarly, you can use a
time range-- specific time range
17:09 - 17:11

if you want to know.
17:11 - 17:16

I will put a certain date,
where I want to search the data.
17:16 - 17:19
17:19 - 17:29

So you need to
give a time, 12:30.
17:29 - 17:35
17:35 - 17:37

So it will search for
that particular time.
17:37 - 17:42
17:42 - 17:45

So similarly, you can
use the earliest time--
17:45 - 17:49

and from that time
until now-- that's
17:49 - 17:50

why it is showing the data.
17:50 - 17:53
17:53 - 18:00

So this is-- you can use a time
range in the search itself.
18:00 - 18:03

Now, when you see
the data over here,
18:03 - 18:07

you can see some bars over here.
18:07 - 18:14

And inside, you can see how the
time range is for-- how the time
18:14 - 18:16

range is for this bars.
18:16 - 18:18

Like for every one
minute-- currently,
18:18 - 18:20

it is showing every
one minute per column.
18:20 - 18:23

So this is showing a data
for every one minute.
18:23 - 18:27

Now, this bar chart, if
you select any of it--
18:27 - 18:32

now, if you hover it, it
will show you the event
18:32 - 18:33

for that particular time.
18:33 - 18:37

But there is no change in
the result of the event
18:37 - 18:39

or there is no
change in the search.
18:39 - 18:41

You can see there is no
change in the search--
18:41 - 18:43

or no change in this.
18:43 - 18:51

Once you click over here,
you can see the 313 events
18:51 - 18:52

at that particular time.
18:52 - 18:54

And now, you can see
the result also, 313.
18:54 - 18:57

So it will change the
result, but still it
18:57 - 19:00

won't change the search.
19:00 - 19:05

So this question
will come in exam.
19:05 - 19:09

So if you want to select,
deselect-- you can deselect,
19:09 - 19:12

and it will go back to
that particular event
19:12 - 19:14

and that main search.
19:14 - 19:17

Now, again, there are certain--
19:17 - 19:20

other options are there.
19:20 - 19:20

Zoom out.
19:20 - 19:23

If you want to zoom
out, you can zoom out.
19:23 - 19:26
19:26 - 19:29

For that particular
time, you can zoom out.
19:29 - 19:32

Zoom out again.
19:32 - 19:35

You can see the difference.
19:35 - 19:37

It will show now--
19:37 - 19:39

earlier, it was
showing for-- past--
19:39 - 19:42
19:42 - 19:44

the column for every one minute.
19:44 - 19:48

Now, it is showing
for every hour.
19:48 - 19:51

So in this particular hour,
these many events are there.
19:51 - 19:52

Now, if you--
19:52 - 19:55

I don't think so--
19:55 - 19:56

yeah.
19:56 - 19:57

It's zooming again and again.
19:57 - 20:01

This will zoom per day.
20:01 - 20:06

I'll click Zoom to select.
20:06 - 20:10

Now, it will go
back to per hour.
20:10 - 20:13

Again, I will select.
20:13 - 20:15

It will go to per minute.
20:15 - 20:21

Now, again, select, it
will go to per second.
20:21 - 20:24
20:24 - 20:28

So this is how it will work.
20:28 - 20:33

Also, there is-- you can
select a time format, how
20:33 - 20:40

you want to run the format,
like hidden, compact, line, log
20:40 - 20:41

scale.
20:41 - 20:45

If you want to select log scale,
it will show it like this.
20:45 - 20:48

Full or compact--
full and compact.
20:48 - 20:50

Currently, it is compact.
20:50 - 20:52

Or you want to hide,
you can hide it
20:52 - 20:55

if you do not want to see it.
20:55 - 20:59

So this is called
timeline and its settings.
20:59 - 21:02

There is one more thing
you need to keep in mind.
21:02 - 21:04

When you do zoom in, zoom out--
21:04 - 21:09

so at that time, the
search will rerun.
21:09 - 21:11

Zoom in, zoom out.
21:11 - 21:14

If you can see, the
search will rerun.
21:14 - 21:18

So if you want-- if you just
select it, the search won't run.
21:18 - 21:21

Just the events get filtered.
21:21 - 21:27

So this type of question
can come in the exam.
21:27 - 21:31

So pay more attention on that.
21:31 - 21:33
21:33 - 21:37

Here, if you can see,
there is a job inspector.
21:37 - 21:42

If you want to-- if anyone want
to troubleshoot their search
21:42 - 21:46

or trouble-- or identify the
performance of their search,
21:46 - 21:49

they can do it through
the job inspector.
21:49 - 21:53

So we have a job inspector.
21:53 - 21:56

So you can click over
here, and you can see
21:56 - 21:59

how your search is performing.
21:59 - 22:03

So this job inspector,
if you want to add--
22:03 - 22:07

currently, the
setting is to keep--
22:07 - 22:12

that particular job is for 10
minutes by default setting.
22:12 - 22:15

If you go and edit,
you can edit it.
22:15 - 22:18

If you want to keep
it private, public,
22:18 - 22:20

permission to app or something.
22:20 - 22:23

Everyone-- if you click on
everyone, everyone can see it.
22:23 - 22:27

If you want to
keep a time to see
22:27 - 22:34

if the job will stay in the
Splunk for 10 minute by default
22:34 - 22:36

and if you want to change
it, you can change it.
22:36 - 22:43

If you want to share this
particular inspection to anyone,
22:43 - 22:44

you can share it.
22:44 - 22:48

You can copy and share
it to anyone you want.
22:48 - 22:53

So that you can save a time
of running this search again
22:53 - 22:53

and again.
22:53 - 22:55

Just you can send
the result to them.
22:55 - 22:58

So this is how you can--
22:58 - 23:00

this will help you--
the job inspector
23:00 - 23:02

will help you in investigation.
23:02 - 23:07
23:07 - 23:11

Also, you can perform
some other operation--
23:11 - 23:16

pause, stop, share
this particular search,
23:16 - 23:18

You can print and download.
23:18 - 23:20

You can print to PDF.
23:20 - 23:25

If you want to print this
to PDF, you can do it.
23:25 - 23:29

And if you want to
download to CSV,
23:29 - 23:31

you can do CSV or
any other format--
23:31 - 23:34

raw format, XML, JSON.
23:34 - 23:37

You can do it.
23:37 - 23:39

You can export to it.
23:39 - 23:47

Like here, I can export to Test.
23:47 - 23:50

So it will get exported,
and it will get saved
23:50 - 23:52

in your local environment.
23:52 - 23:56
23:56 - 23:59

Also, keep in mind how
many types of format
23:59 - 24:03

you can download for
a particular app.
24:03 - 24:07

So this question
can come in exam.
24:07 - 24:09

So keep in mind.
24:09 - 24:12
24:12 - 24:14

Now, if you have
already ran the search
24:14 - 24:19

and if you want to go to
inspect the job-- so you
24:19 - 24:24

can go from-- from
Activity, you can go to job.
24:24 - 24:29

And you can search for a
specific job when you have.
24:29 - 24:33

So here, you can see the job.
24:33 - 24:34

This job you have run.
24:34 - 24:37
24:37 - 24:42

So if you want to delete or
do any operation on this job.
24:42 - 24:46

So generally, what happens
is this job is taking--
24:46 - 24:48

a job is taking long.
24:48 - 24:53

So it will get-- it go to some
other state apart from done
24:53 - 24:57

or from here itself, you can
go to some other activity
24:57 - 25:01

like if you want to
edit, you want to extend
25:01 - 25:04

or inspect or delete the job.
25:04 - 25:08

You can do that,
inspect or delete.
25:08 - 25:14

Delete when this jobs got
stuck or when jobs get stuck,
25:14 - 25:17

it won't allow other
jobs to complete.
25:17 - 25:22

So you need to delete
the job forcefully
25:22 - 25:25

to run the other searches.
25:25 - 25:29

So this is how it will help you.
25:29 - 25:32

There is one more thing,
the search history.
25:32 - 25:34

So you can see the search
history is over here.
25:34 - 25:37

Whatever searches you have run.
25:37 - 25:43

So go to Splunk search.
25:43 - 25:48

And from here, you
can go down and select
25:48 - 25:50

for the search history.
25:50 - 25:57

So by default you can
see 20 searches per page.
25:57 - 26:00

So you want to select
as per your need.
26:00 - 26:08

Also time picker, you want to
see two days or any other days
26:08 - 26:10

you can see it.
26:10 - 26:13
26:13 - 26:20

So let's recap this session.
26:20 - 26:28

So I've shown you how can you
search a particular search term.
26:28 - 26:31

So first of all, you need
to give the index name.
26:31 - 26:33

So any index name you
can provide and search
26:33 - 26:41

for a particular search
term in your index.
26:41 - 26:47

Now, it will this is
called a search assistance.
26:47 - 26:52

And like see if once
you search for it
26:52 - 26:58

will give you a certain
match assistance where
26:58 - 26:59

you can select--
26:59 - 27:03

either you can select or you
can write your own searches.
27:03 - 27:06

So here it will show
some other details.
27:06 - 27:10

How to navigate to that--
how to select that you
27:10 - 27:13

want to go to preferences.
27:13 - 27:17

Go to SPL editor.
27:17 - 27:20

And if you want to
select any compact none.
27:20 - 27:22

If you select none, it
won't show anything.
27:22 - 27:25
27:25 - 27:30

So this is about
search assistance.
27:30 - 27:40

Next one is if you want to
like about the parentheses,
27:40 - 27:44

there are like if you have
selected search assistant
27:44 - 27:46

it will assist you
about the parentheses
27:46 - 27:50

as well whether it match
the parentheses or no.
27:50 - 27:55

If you can see there is no
match it won't highlight.
27:55 - 28:01

Now it will highlight
the adjacent parentheses.
28:01 - 28:05

We have seen the
other things as well.
28:05 - 28:06

When you search,
it will give you
28:06 - 28:12

the immediate result and the
term which you have searched,
28:12 - 28:15

it will get
highlighted over here.
28:15 - 28:18

And the events will be in
chronological-- reverse
28:18 - 28:20

chronological order.
28:20 - 28:22

The latest event
will be on the top
28:22 - 28:27

and the oldest event
will be at the last.
28:27 - 28:30

So there are multiple
things by default. Things
28:30 - 28:37

comes with the event and we can
say Splunk extract those things.
28:37 - 28:43

First is timestamp host
source type and index.
28:43 - 28:50

So how the search
results get means
28:50 - 28:54

what all the other things are
there when you run the search.
28:54 - 28:56

Here is the events.
28:56 - 28:59

You can see the events.
28:59 - 29:06

So time picker and the
fields, the interesting field
29:06 - 29:07

or selected fields.
29:07 - 29:09

You can see it over here.
29:09 - 29:14

Time stamp is this time--
this is the time stamp.
29:14 - 29:16

Paginator.
29:16 - 29:21

This is called a paginator
where you can go to the page.
29:21 - 29:22

This is called the event.
29:22 - 29:25

This whole bunch
is called event pan
29:25 - 29:27

and this is a
particular events event.
29:27 - 29:29

So you can show here.
29:29 - 29:33

And then in the
bottom of the event,
29:33 - 29:35

you can see the selected fields.
29:35 - 29:38

You can add or delete the
selected fields over here.
29:38 - 29:41
29:41 - 29:49

Now, you can include or
exclude any from the search.
29:49 - 29:51

You can include exclude
any of the searches
29:51 - 29:56

like you can add exclude or
you can run a new search.
29:56 - 29:59

So this is how you can use it.
29:59 - 30:03

You want-- how you want
to display your event.
30:03 - 30:06

So you can edit that as well.
30:06 - 30:08

Raw event or table.
30:08 - 30:11
30:11 - 30:14

About the time picker, we have
discussed about the time picker.
30:14 - 30:15

Like this is a
present time picker.
30:15 - 30:17

And these are the advanced one.
30:17 - 30:23

We have checked about a
abbreviation of these--
30:23 - 30:25

Abbreviation of this.
30:25 - 30:30

We can use S for second, M for
minute, H for hour, D for day,
30:30 - 30:35

W for week, Mo for
month, and Y for years.
30:35 - 30:39

So this is a snap to
time until you specify.
30:39 - 30:43

So I like--
30:43 - 30:44

I have already explained it.
30:44 - 30:49

So you can go through you
can rewind that video.
30:49 - 31:00

So we have checked about how
can you use time range in--
31:00 - 31:02

time range in your
search itself.
31:02 - 31:07

So you need to use earliest
is equal to some value or R
31:07 - 31:08

or something.
31:08 - 31:10

So it will give
you a last R data.
31:10 - 31:11

And so on.
31:11 - 31:13

You can use and you can
use the latest one as well.
31:13 - 31:20
31:20 - 31:23

So latest, whatever, now.
31:23 - 31:25

By default, it is now, but
I am giving, for example,
31:25 - 31:27

I am giving it now.
31:27 - 31:32

So you can do
manipulation as your own.
31:32 - 31:37

Now, we have talked about
that format timeline.
31:37 - 31:41

This is called a timeline,
where for here, it
31:41 - 31:45

will show how the data
is displayed over here.
31:45 - 31:48

Currently, you can see
one minute per column.
31:48 - 31:52

Now, you get to hover over here.
31:52 - 31:55

It will show-- until
you have not selected,
31:55 - 31:59

it will show the events without
filtering or changing events.
31:59 - 32:02

So once you select it, it
just changed the event.
32:02 - 32:07

So it just filter the
event, not rerun the search.
32:07 - 32:10

So if you want, you can
deselect it from here.
32:10 - 32:13

When you Zoom in and
Zoom out at that time,
32:13 - 32:15

it will filter
the events as well
32:15 - 32:18

as it will rerun the search.
32:18 - 32:19

OK.
32:19 - 32:23

This is the main thing
you need to understand.
32:23 - 32:31

So you can do pause, stop,
or search with your events
32:31 - 32:32

and you can print.
32:32 - 32:35

Also, you can export the data.
32:35 - 32:36

OK.
32:36 - 32:38

There are multiple.
32:38 - 32:41

You can see there are multiple
modes are there of search
32:41 - 32:44

fast, smart, and
verbose modes are there.
32:44 - 32:48
32:48 - 32:53

And the job, Inspector
means from job settings
32:53 - 32:55

you can do whatever
you want to do.
32:55 - 32:59

You can make it private,
public, lifetime, how for,
32:59 - 33:05

how much time the job should
be there once it is completed.
33:05 - 33:11

So you can edit that as well.
33:11 - 33:16

Apart from that, here we
have covered all the things
33:16 - 33:17

with respect to this.
33:17 - 33:21

Apart from that, if you
have run the search in past
33:21 - 33:25

and you want to inspect the job
or do anything with the job,
33:25 - 33:32

so you can go here and do those
things, like here, you can see.
33:32 - 33:35

If you want to go to
history of your searches,
33:35 - 33:39

you can go in search
and reporting app,
33:39 - 33:44

then from there you can
go to search history.
33:44 - 33:47

Here you can see
all the histories.
33:47 - 33:51

So that's it about this topic.
33:51 - 33:57

So-- Hi, friends.
33:57 - 34:01

So today's topic is
fields and Splunk.
34:01 - 34:09

So we will see what
is fields and what
34:09 - 34:11

is the importance
of fields in Splunk.
34:11 - 34:18

So before that, I just want to
give you a brief about an event.
34:18 - 34:23

Whenever the Splunk
gets a data into index,
34:23 - 34:28

so the data comes in
the form of events.
34:28 - 34:32

So until you have not specified,
by default it's an event.
34:32 - 34:36

We can ingest the data in
the form of metrics as well.
34:36 - 34:40

So by default, it
comes as a event.
34:40 - 34:43

Each and every data
comes as an event.
34:43 - 34:45

So what are fields?
34:45 - 34:51

So, generally, a field is a
K value pair in the Splunk
34:51 - 34:55

where it has a key and a value.
34:55 - 34:58

Like, for example,
we have index.
34:58 - 35:05

And index is a key and its
value is internal_index.
35:05 - 35:06

Now, you hit Enter.
35:06 - 35:10

So against that,
it has some values,
35:10 - 35:14

or it can, in some
scenario, it is possible
35:14 - 35:19

that event does not have a
value for that particular field.
35:19 - 35:22

So this is a field.
35:22 - 35:27

So y field is very
important because whenever
35:27 - 35:29

you search with
the field, it will
35:29 - 35:31

give a certain value to you.
35:31 - 35:34

Otherwise, it will
search over all the data.
35:34 - 35:38

So this is the
significance of field.
35:38 - 35:41

Now, field can be anything.
35:41 - 35:46

As I mentioned that
index equal to internal.
35:46 - 35:50

So it has given a
event with respect
35:50 - 35:52

to index equal to internal.
35:52 - 35:56

Now, if I want to include
more than one fields,
35:56 - 36:03

so I can do like
space, or I will
36:03 - 36:14

give source is equal to this
version, this particular path.
36:14 - 36:18

So it will give you
the event with respect
36:18 - 36:20

to both of the events.
36:20 - 36:23

So if you have not mentioned
anything in between,
36:23 - 36:26

it means it is an end operation.
36:26 - 36:31

So it is end between them.
36:31 - 36:34

So if I install--
36:34 - 36:37

I run that command, it
will give a similar result.
36:37 - 36:43

So by default, it's end
if you have not specified.
36:43 - 36:46

So if you put R, the
difference will be the result
36:46 - 36:48

will be something different.
36:48 - 36:53

So by default it is end.
36:53 - 36:56

So if you have,
let's say if I want,
36:56 - 37:02

if you see the event
with not, so it will not
37:02 - 37:09

include the event for
this particular value,
37:09 - 37:12

and it will give the
value only for this event.
37:12 - 37:14
37:14 - 37:17

Now, we will talk
about field discovery.
37:17 - 37:21

So Splunk automatically
discovers few of the fields
37:21 - 37:26

based on source type and the K
value pair found in the data.
37:26 - 37:31

So as and when
the data comes in,
37:31 - 37:40

Splunk does its own analysis and
its own like mapping of data,
37:40 - 37:44

so it will provide its own field
by default field, you can say.
37:44 - 37:51

So of-- there are few fields
are there, meta fields
37:51 - 37:54

that I have already explained
in my previous video
37:54 - 37:56

that there are few meta fields.
37:56 - 37:59

One is host, source,
source type, and index.
37:59 - 38:01

So those are meta fields.
38:01 - 38:04

Also, these are the
meta fields, and also it
38:04 - 38:07

has a internal fields
such as underscore
38:07 - 38:08

raw or underscore type.
38:08 - 38:13

So we can see that with this.
38:13 - 38:17

It should have host equals.
38:17 - 38:17

OK.
38:17 - 38:31

We will do like table
host, source, source type,
38:31 - 38:35

and underscore raw.
38:35 - 38:38

So it should give value
for each and every--
38:38 - 38:42

so these 1, 2, 3 and--
38:42 - 38:47
38:47 - 38:49

1, 2, 3 and also index.
38:49 - 38:51

Index, it will come
by default this one.
38:51 - 38:53

So I will give index as well.
38:53 - 38:54

Index.
38:54 - 38:58
38:58 - 39:02

So host, source,
source type, index.
39:02 - 39:07

So these are the meta
fields and _time and _raw,
39:07 - 39:08

its internal fields.
39:08 - 39:14

So these fields come by
default with 10 event.
39:14 - 39:26

If nothing is there, this
field will be there by default.
39:26 - 39:29

So it is also possible
that many of the field
39:29 - 39:33

does not have the value
for that particular index.
39:33 - 39:37

So it can be possible, or
it has more than one values.
39:37 - 39:41
39:41 - 39:45

So how to identify a
specific field in the event.
39:45 - 39:53

So, sometimes, if you can see
here, the throughput equal to--
39:53 - 39:53

sorry.
39:53 - 39:55

The group is equal
to throughput.
39:55 - 40:02

So it defines a clearly K
value pair in the event itself.
40:02 - 40:05

Sometimes, it
depends-- sometimes
40:05 - 40:09

get embedded with
respect to source type.
40:09 - 40:13

So here you can see user admin.
40:13 - 40:18

So in source type, it is defined
that user is equal to admin.
40:18 - 40:23

So likewise, you can
forget the field value.
40:23 - 40:26
40:26 - 40:31

Now, about the
side field bar, you
40:31 - 40:36

can see here, this is the side
field bar where it has selected
40:36 - 40:38

fields and interesting fields.
40:38 - 40:43

Selected fields where,
automatically, there will
40:43 - 40:46

be a three fields get selected.
40:46 - 40:50

Host, source, and source
type, and the rest
40:50 - 40:51

will be interesting fields.
40:51 - 40:58

And if you click on all fields,
the all field will come in here.
40:58 - 41:01

So these are all fields.
41:01 - 41:05

And here, you can see
the interesting fields.
41:05 - 41:08

Now, there are few terms.
41:08 - 41:14

You can see the alphabet and
hash in front of all the fields.
41:14 - 41:15

Alphabet hash.
41:15 - 41:23

So A means it's alphanumerical,
and hash is its number.
41:23 - 41:29

So if you can see this value
will be alphanumerical values.
41:29 - 41:34

And if you click on the
field, which has hash,
41:34 - 41:36

so it will be a number.
41:36 - 41:42

So this difference can
become in the exam.
41:42 - 41:48

Also, if you can see, this has--
41:48 - 41:52

this field has 71 values.
41:52 - 41:56

This field has one value,
and similarly so on.
41:56 - 41:59

So this shows the
occurrence of--
41:59 - 42:06

the distinct occurrence of
this field value in this field.
42:06 - 42:09
42:09 - 42:13

So, again, as I mentioned, if
you click on all the field,
42:13 - 42:18

it will show you all the fields
in that index, whether it
42:18 - 42:26

has come or no, whether it has a
single value or multiple values.
42:26 - 42:29

See the field can have
multiple values as well.
42:29 - 42:34
42:34 - 42:37

Regarding the selected fields,
when you select a field,
42:37 - 42:42

the fields will come in
the bottom of the event.
42:42 - 42:46

So if you select
any of the field,
42:46 - 42:53

let's say I have selected
it, so now you can see here--
42:53 - 42:57

like in this event, the
component value is not there.
42:57 - 43:02

The component
field has no value.
43:02 - 43:07

So here, if you can see the
component matrix component LMS
43:07 - 43:09

stack manager.
43:09 - 43:11

So it will show over here.
43:11 - 43:15

If you unselect it, it will,
again, go off from here.
43:15 - 43:16

You will not be able to see it.
43:16 - 43:19
43:19 - 43:24

And when you select on
all fields, so by default
43:24 - 43:25

it comes 1%.
43:25 - 43:28

So 1% of all the events.
43:28 - 43:34

Now, you can show as much
coverage you want to,
43:34 - 43:38

50% of events, 20%
of all the fields,
43:38 - 43:43

or any fields you want to
search, you can search it over
43:43 - 43:44

here, avg.
43:44 - 43:47

Or once you click
over here, it will
43:47 - 43:50

go to selected field
like this you can see.
43:50 - 43:53
43:53 - 43:57

Now, when we talk about field
window, when you click it,
43:57 - 44:00

this is called a field
window where on the top
44:00 - 44:02

it has a field name.
44:02 - 44:05

The component, and how
many distinct value
44:05 - 44:09

is there, 71, 71
of distinct value,
44:09 - 44:13

and how many percentage
of events are there.
44:13 - 44:20

So it shows 87.911% of events.
44:20 - 44:23

If you want to select,
you can select it.
44:23 - 44:27

Now, report wise, it
will show some statistics
44:27 - 44:33

values, top value, top value
by time, rare value, and so on.
44:33 - 44:37

These are static results.
44:37 - 44:42

So if you click over here, I
will click and it will show--
44:42 - 44:46
44:46 - 44:49

no I need to click
it directly here.
44:49 - 44:53

So it will show top values.
44:53 - 45:01

If I go back, again,
top value by time.
45:01 - 45:04

So you can see
top value by time.
45:04 - 45:07
45:07 - 45:12

Now, if you want
to see rare values,
45:12 - 45:15

so if you can see the
rare values as well.
45:15 - 45:20

Below you can see
these many rare values
45:20 - 45:21

are there and its percentage.
45:21 - 45:28
45:28 - 45:30

You can see one option
event with field,
45:30 - 45:37

so when you click over here,
it will include this field
45:37 - 45:40

in the search, which
is equal to star.
45:40 - 45:45

So if you click on that,
it will show where it
45:45 - 45:47

has the value for this field.
45:47 - 45:51

So if you click
over here, it will
45:51 - 45:55

go ahead and put a component
field is equal to star.
45:55 - 45:59

So it will show all
the events related,
45:59 - 46:02

which has a component field.
46:02 - 46:02

OK.
46:02 - 46:06

So if I remove it, like
you can see it here,
46:06 - 46:09

10,189 events are there.
46:09 - 46:13

If I remove, definitely,
it will increase z.
46:13 - 46:14

You can increase.
46:14 - 46:16

So there are few
events are there, which
46:16 - 46:21

does not have component value.
46:21 - 46:25

Now, if you want to
include a particular value,
46:25 - 46:33

like if you want to see here,
top 10 value will be shown here.
46:33 - 46:37

Like if you want to see the
event with respect to metrics,
46:37 - 46:39

the component is
equal to metrics.
46:39 - 46:41

So directly, you can
click it over here
46:41 - 46:46

and it will load the event
with respect to metrics.
46:46 - 46:48

Component is equal to metrics.
46:48 - 46:52

So this is how you can
directly select it from here.
46:52 - 46:58

If you do not know the name
of that particular field,
46:58 - 47:02

value of that field, so you
can directly select it here.
47:02 - 47:05

You can see the fields here.
47:05 - 47:10

And if I want to select
like group or from group,
47:10 - 47:16

I want to select, I want to see
the events where the group is
47:16 - 47:17

equal to throughput.
47:17 - 47:23

So it will automatically
include this in the event.
47:23 - 47:26

And you can see it over here.
47:26 - 47:34

So this is how the selection
will work from the field window.
47:34 - 47:41

So how can you use
field value or field
47:41 - 47:43

efficiently in your search?
47:43 - 47:47

So when I directly
search, like this
47:47 - 47:56

without any field throughput, so
it will search an entire index.
47:56 - 47:58

It will search
in-- when I specify
47:58 - 48:03

a specific field is equal to
this, it will narrow down.
48:03 - 48:05

It will look only
into this field.
48:05 - 48:12

It will show me the event
related to this field only.
48:12 - 48:17

Now, before that, it
will show an entire--
48:17 - 48:21

it will see an entire field
and will show you throughput,
48:21 - 48:23

like wherever it
finds the throughput.
48:23 - 48:28

I can see the throughput
in name as well.
48:28 - 48:31

Maybe, throughput
over here as well.
48:31 - 48:37

But if I want to see
only in this field,
48:37 - 48:43

it will give me the exact value
or exact event where the group
48:43 - 48:45

name is equal to throughput.
48:45 - 48:49
48:49 - 48:53

Now, there are few
consideration about field.
48:53 - 48:58

That field name
is case sensitive.
48:58 - 49:04

Now, if I, instead
of group, I put this,
49:04 - 49:10

it will not give any result
that because it does not
49:10 - 49:16

find the group with
capital G in the event.
49:16 - 49:19

So this thing you
need to consider.
49:19 - 49:23
49:23 - 49:26

And second one is the group--
49:26 - 49:29

the field value is
case insensitive.
49:29 - 49:34

So if I give throughput, it
will give me some result.
49:34 - 49:40

If I put like this, it
will give me some result.
49:40 - 49:48

So just remember that field
name is case sensitive
49:48 - 49:53

and field value is
case insensitive.
49:53 - 49:57

You also can use wild
card with the field name.
49:57 - 50:00

So I can put group
is equal to star.
50:00 - 50:05

So it will give all the
value with respect to this.
50:05 - 50:20

So if I do dedup of
group and table group,
50:20 - 50:27

so it will give all the
values with respect to group.
50:27 - 50:31

So, as I mentioned, the star
over here, it will look good,
50:31 - 50:38

and then I have remove
the duplicate values.
50:38 - 50:42

And this is how it works.
50:42 - 50:48

So you can use wild
card at any point, but--
50:48 - 50:51

any point, but it is good
that you should not use
50:51 - 50:55

a wild card at the beginning.
50:55 - 51:01

You should always use at the
end like this throughput.
51:01 - 51:10

If it is not used, like say
I'm using somewhere here.
51:10 - 51:13

So if it has a multiple
value in between,
51:13 - 51:20

it will give you a wrong result,
or if you include it over here
51:20 - 51:24

at the beginning, also, it
will give you the wrong result.
51:24 - 51:29

So make sure that you
should use a wildcard
51:29 - 51:32

at the end of the string.
51:32 - 51:40

So initial values, you
need to make it fixed.
51:40 - 51:43
51:43 - 51:49

You can use a relational
operators as well.
51:49 - 51:57

Like I have taken example of
average kbps is greater than 3.
51:57 - 52:03

So it will give you
the result where
52:03 - 52:05

the average is greater than 3.
52:05 - 52:11

So you can make it less than.
52:11 - 52:14

So it will give
you result of that.
52:14 - 52:16

Also, you can use
a NOT operator,
52:16 - 52:28

where if you want to display,
you do not want throughput.
52:28 - 52:31

So it won't include
throughput in it.
52:31 - 52:39

So if you go over here,
earlier it was 31, now it's 30.
52:39 - 52:43

You can see you cannot
see throughput over here.
52:43 - 52:43

OK.
52:43 - 52:49
52:49 - 52:57

So let's see the
difference between NOT
52:57 - 53:03

with this and OP NOT.
53:03 - 53:04

OK.
53:04 - 53:11

So when you type group NOT
is equal to throughput.
53:11 - 53:17

So it will give you the result,
which does not have the group
53:17 - 53:21

value is equal to throughput.
53:21 - 53:30

Now, if you write NOT.
53:30 - 53:33

So what it will
give, it will return
53:33 - 53:43

where the group field exist
and the value in the field
53:43 - 53:47

does not equal to throughput.
53:47 - 53:48

OK.
53:48 - 53:51

This exists, but
the value of field
53:51 - 53:54

does not equal to throughput.
53:54 - 54:01

And all event where throughput
field does not exist.
54:01 - 54:04

Throughput itself not exist.
54:04 - 54:05

So we can see--
54:05 - 54:14
54:14 - 54:28

see, it is giving
similar result.
54:28 - 54:34

So you can see here the
throughput won't be there,
54:34 - 54:37

and you can see
few of the events,
54:37 - 54:44

if I can search it over here,
the throughput, the event
54:44 - 54:46

where the throughput
itself is not there.
54:46 - 54:49

When you select it, it
will come under here.
54:49 - 54:57

So you won't be able to see any
of the selected field over here.
54:57 - 55:01
55:01 - 55:07

So that this field itself
is not exist in the event.
55:07 - 55:09

This field itself is not exist.
55:09 - 55:14

For that event, come
either or the event come,
55:14 - 55:19

which does not have the
value as a throughput.
55:19 - 55:30

So let's compare the result
in both of the scenario.
55:30 - 55:37

It is giving 1,300--
55:37 - 55:41

13,425.
55:41 - 55:43

OK.
55:43 - 55:56

Now, if I put NOT,
it is giving 17,532.
55:56 - 56:03

So when you are using not
equal to, so the result of it
56:03 - 56:08

is a subset of when
you are using an OP.
56:08 - 56:12
56:12 - 56:18

So this one is the subset
of when you are using this.
56:18 - 56:21
56:21 - 56:25

So we are going to
check in what scenario,
56:25 - 56:30

in what condition, both
the scenario giving
56:30 - 56:31

the same results.
56:31 - 56:32

So is it possible or not?
56:32 - 56:37

Yes, it is possible
that when there
56:37 - 56:39

is some field, which
is mandatory, which
56:39 - 56:42

is coming always in the event.
56:42 - 56:45

So in that condition, it will
give you the similar result.
56:45 - 56:53

So like here, this event
always will come in the event.
56:53 - 56:58

So if you give this
host name is equal to--
56:58 - 57:00

is not equal to Splunk.
57:00 - 57:05

So it is giving no result,
but though results are there.
57:05 - 57:10

Now, if I give NOT
hear, it, again,
57:10 - 57:15

will not give a similar
result. So in this--
57:15 - 57:21

it will give no result. So
this is a similar result. OK.
57:21 - 57:28

So in this condition,
where the fields
57:28 - 57:32

we are expecting some value
for that particular field,
57:32 - 57:34

so in that condition, the
event will be similar.
57:34 - 57:39
57:39 - 57:43

So let's go to the
modes of search.
57:43 - 57:46

So there are three
types of mode.
57:46 - 57:49

One, is fast,
smart, and verbose.
57:49 - 57:57

Fast mode is always emphasize
on speed over the completeness.
57:57 - 58:03

So smart mode, this
is a by default mode.
58:03 - 58:08

This will balance between
fast and verbose mode.
58:08 - 58:14

And the verbose mode, it
always completes the search
58:14 - 58:18

and doesn't bother
about the performance.
58:18 - 58:24

So it always emphasize on
completeness over the speed.
58:24 - 58:26

That's all about it.
58:26 - 58:30

Let's recap what we
have learned today.
58:30 - 58:32

So let's recap.
58:32 - 58:35

What we have learned
is everything in Splunk
58:35 - 58:41

comes as an event until you have
not specified as a metrics OK.
58:41 - 58:45

So there are concept called
key value pair in Splunk.
58:45 - 58:48

So we call it as--
58:48 - 58:51

means that the name of that--
58:51 - 58:55

or you can say a key is
nothing but a field name,
58:55 - 58:57

and the value is it's a value.
58:57 - 59:01

So always, the fields comes
in the form of key value pair.
59:01 - 59:04

So it plays an
important role in Splunk
59:04 - 59:07

where you can search a
particular event with respect
59:07 - 59:11

to a particular
value of a field.
59:11 - 59:16

So if you have not mentioned
anything between two fields,
59:16 - 59:22

like this, so always it
will be end operation.
59:22 - 59:27

So, also, there are
few fields, which
59:27 - 59:30

are automatically discovered
that is called a metadata.
59:30 - 59:34

So meta fields you can say.
59:34 - 59:39

So those are host, source,
source type, and index.
59:39 - 59:41

And there are few
fields are there, which
59:41 - 59:42

is called internal fields.
59:42 - 59:45

And that is _time and _raw.
59:45 - 59:49

So those are by default
values discovered by Splunk.
59:49 - 59:52
59:52 - 59:55

So there are few
events are there where
59:55 - 59:57

the fields value is not there.
59:57 - 60:00

So it can be possible the
field doesn't have any values,
60:00 - 60:03

or it can have multiple values.
60:03 - 60:09

So how we can identify values.
60:09 - 60:14

So in certain scenarios, like
here, you can see it here.
60:14 - 60:19

It's a status, but it is--
60:19 - 60:26

we cannot identify for which
field it is assigned to.
60:26 - 60:31

So it is done on source
type, source type,
60:31 - 60:32

automatically discovered.
60:32 - 60:35

So let's say user has admin.
60:35 - 60:42

So also, it has a key value
pair defined itself in the log.
60:42 - 60:47

So I am searching for
that particular value
60:47 - 60:49

where you can have--
60:49 - 60:55

see here, you can see features
is equal to search script.
60:55 - 61:03

So this kind of values
can be there in the event.
61:03 - 61:09

So we talked about this
site field sidebar.
61:09 - 61:13

So field sidebar has selected
field and interesting field.
61:13 - 61:16

The selected field will
show under the event
61:16 - 61:23

when you can select or unselect
the field from the field window.
61:23 - 61:24

OK.
61:24 - 61:30

Also, you can select all
fields, where by default, it
61:30 - 61:33

coverage 1% or more.
61:33 - 61:36

You can select
anything you want,
61:36 - 61:42

or you can search any field
over here, whatever you want.
61:42 - 61:44

So these are interesting
in selected fields.
61:44 - 61:48
61:48 - 61:56

Also, we have talked about the
count, what signifies this.
61:56 - 62:00

So these are the unique
value against this field.
62:00 - 62:03

A means it has
alphanumerical values,
62:03 - 62:08

and hash means it has a number.
62:08 - 62:18

Also, we have talked about
selected field window, selected
62:18 - 62:19

field window.
62:19 - 62:25

So field window has a multiple
things, like field value name.
62:25 - 62:28

It's a value percentage.
62:28 - 62:32

It has some static
values as well.
62:32 - 62:35

Also, if you want to include it
in the event while searching,
62:35 - 62:39

you can directly kick
click, and it will say as--
62:39 - 62:42

if you click it,
component is equal to star
62:42 - 62:45

will come in the search.
62:45 - 62:47

Now, here it will
show top values.
62:47 - 62:51

If you want to include any
of the value in the search,
62:51 - 62:53

you just directly need
to click over here
62:53 - 62:58

and value will go
into the search.
62:58 - 63:02

So selected field,
we have already
63:02 - 63:06

talked about selected fields,
that selected field will
63:06 - 63:08

come under the event.
63:08 - 63:15

If I will select this field,
it will go under the event.
63:15 - 63:17

Like you can see component.
63:17 - 63:20

Here, there is no
value of component.
63:20 - 63:24

So when I have selected or no.
63:24 - 63:27

So here, you can say
component value is here.
63:27 - 63:31

So this is how it works.
63:31 - 63:37
63:37 - 63:43

So we already included means
how to search the value.
63:43 - 63:48

You just directly cannot
search it like this.
63:48 - 63:50

So it will search
in all the index.
63:50 - 63:56

Instead, you can search for
host is equal to, so it will--
63:56 - 63:58

the field is equal to
the value of that field,
63:58 - 64:04

so it will search in
that specific field.
64:04 - 64:05

OK.
64:05 - 64:15

Also, we need to consider
that whole field name is case
64:15 - 64:16

sensitive.
64:16 - 64:21

So if I give host, it
will not give any value.
64:21 - 64:29

And the field value
is case insensitive.
64:29 - 64:34

Field name is case sensitive and
field value is case insensitive.
64:34 - 64:35

OK.
64:35 - 64:39
64:39 - 64:44

Also, we can use a wildcard,
if I can use a wildcard in it.
64:44 - 64:48

So it's best practice to use
the wildcard at the end, not
64:48 - 64:51

the beginning OK.
64:51 - 65:01

You can use relational operator,
like equal to, not equal to it.
65:01 - 65:02

It will not apply with this.
65:02 - 65:05

It will apply always
with the number.
65:05 - 65:09

So better to use with number,
equal to, not equal to,
65:09 - 65:18

greater than, less than,
or not equal to Splunk.
65:18 - 65:22
65:22 - 65:26

So it will not show
any value actually.
65:26 - 65:31

So the difference between
not equal to this,
65:31 - 65:33

not equal to, or not.
65:33 - 65:35
65:35 - 65:40

So the difference
between this is
65:40 - 65:50

when you say not equal to, so it
will show the host value, which
65:50 - 65:55

does not have-- the event for
which the host value does not
65:55 - 65:57

match to Splunk.
65:57 - 66:03

When you click not,
when you say not,
66:03 - 66:08

it will give you the
field where the status
66:08 - 66:11

field exists, but with--
66:11 - 66:16

sorry, with the value,
which does not have Splunk.
66:16 - 66:21

And all the event where
the whole host field itself
66:21 - 66:22

is not there.
66:22 - 66:23

OK.
66:23 - 66:24

How about mode?
66:24 - 66:29

There are fast, smart, and
verbose mode are there.
66:29 - 66:34

So fast, it will always prefer
the speed over the completion.
66:34 - 66:38

The smart mode is combination
of fast and verbose mode.
66:38 - 66:44

Verbose mode always prefer the
completeness over the speed.
66:44 - 66:47
66:47 - 66:51

So this is all about this video.
66:51 - 66:55
66:55 - 67:00

And so this video is about
search best practices.
67:00 - 67:04

So how can we
improve our searches
67:04 - 67:08

to consider few points in mind.
67:08 - 67:13

So first point is the time.
67:13 - 67:19

So time is very efficient or
crucial filter in searches.
67:19 - 67:23

So it is recommended
that you should
67:23 - 67:27

specify lesser time for your
search when you are running.
67:27 - 67:30

You should not
specify a larger time.
67:30 - 67:33

It will take more
time to execute,
67:33 - 67:37

and it will take more resources.
67:37 - 67:41

I/O operation will be more,
so take a lesser time.
67:41 - 67:46

Like if you type
for all time and you
67:46 - 67:49

are searching for
some index, so it
67:49 - 67:55

will search for that
all time in your index.
67:55 - 67:59

So it is not recommended
for any of the search
67:59 - 68:02

to run for all time.
68:02 - 68:08

So in ad hoc search, you can
run, but in schedule search,
68:08 - 68:12

you should not run because
the searches can get skipped.
68:12 - 68:16

So in my this example,
I do not have much data
68:16 - 68:20

so it finished earlier.
68:20 - 68:22

It's finished very quickly.
68:22 - 68:26

So in actual
production environment,
68:26 - 68:29

you should not run
it for all time.
68:29 - 68:34

Generally, the admin will
disable this for all time
68:34 - 68:37

and they keep it
for lesser time.
68:37 - 68:43

That will not impact
the system performance.
68:43 - 68:45

Now, this is all about time.
68:45 - 68:50

So keep in mind that whenever
you are performing any searches
68:50 - 68:54

on the search head,
so keep a lesser time,
68:54 - 68:55

and, gradually, you
can increase it.
68:55 - 69:00

If you want to go beyond
your time, there is--
69:00 - 69:04

means beyond time,
as in you want
69:04 - 69:11

to search it for more than
30 days or more than 60 days.
69:11 - 69:14

So you can play around
with these options.
69:14 - 69:18

So you can create a bunch of
one month, every one month,
69:18 - 69:22

or every seven days,
and you can see
69:22 - 69:25

shift the window accordingly.
69:25 - 69:28
69:28 - 69:33

So also, there is
one more thing.
69:33 - 69:40

You should specify a one
or more index, like sorry.
69:40 - 69:41

It is internal.
69:41 - 69:47

So it is giving me the
value from both the index.
69:47 - 69:54

So you can mention one index,
or more than one index at
69:54 - 69:57

the beginning of
the search, and it--
69:57 - 70:02

you need to keep in
mind that the index--
70:02 - 70:06

the index field, always,
you need to give it
70:06 - 70:10

at the beginning of the search.
70:10 - 70:16

It is recommended that you
should give the index field
70:16 - 70:18

at the starting of the search.
70:18 - 70:28

So the next thing is include as
many search terms as possible.
70:28 - 70:34

Search term, as in, if you want
to search like for this term,
70:34 - 70:43

whole term info
LLM task manager.
70:43 - 70:49

So if you give simply this
one, let's see what happens.
70:49 - 70:56

Simply, this it will
include this and whatever
70:56 - 70:57

other parameters are there.
70:57 - 71:01

So it will give the
input for everything.
71:01 - 71:11

If you specify one more term, so
it will give this and also this.
71:11 - 71:14

This and this, both of them.
71:14 - 71:22

So it is like you are
creating your script
71:22 - 71:26

to the point, the search you
are creating to the point
71:26 - 71:32

that it searches only for
your data, not the other data.
71:32 - 71:36

So this one thing
you can keep in mind.
71:36 - 71:39

As many search term you can put.
71:39 - 71:43

Like you can put a specific
search term this as well.
71:43 - 71:44

So it will reduce--
71:44 - 71:48

it will reduce this
the amount, which
71:48 - 71:51

is fetching from the index.
71:51 - 71:52

OK.
71:52 - 71:55

So you can include that.
71:55 - 72:02

Also, the search term, you
need to make this specific
72:02 - 72:08

to your requirement that
what you want to do exactly.
72:08 - 72:16

So one thing you need
to consider in Splunk,
72:16 - 72:20

the inclusion is better
than the exclusion.
72:20 - 72:26

So inclusion, as in, if
you want to search for--
72:26 - 72:32
72:32 - 72:39

so, for example, if you want
to search not successful.
72:39 - 72:43
72:43 - 72:47

Not successful, you want to
search it, or successful login.
72:47 - 72:50
72:50 - 72:52

Not successful login,
currently there
72:52 - 72:58

won't be any incident
in any event in that.
72:58 - 73:02

But if you search
it, indirectly, this
73:02 - 73:03

is a failed login.
73:03 - 73:07

So when you search it, it
will search in entire index,
73:07 - 73:11

or it will search
for everything.
73:11 - 73:15

So if you search it, currently
there won't be anything.
73:15 - 73:18
73:18 - 73:26

Instead of that, remove
not and search for failed.
73:26 - 73:29

OK.
73:29 - 73:30

So this will help.
73:30 - 73:35

So failed login or failed
anything, you can consider.
73:35 - 73:43

So instead of exclusion,
use inclusion.
73:43 - 73:43

OK.
73:43 - 73:46
73:46 - 73:51

The next thing is filter
as early as possible.
73:51 - 73:54

So if you filter as
early as possible
73:54 - 73:58

and then apply some
statistics on that, then
73:58 - 74:02

bunch of the events, bunch
of event will be lesser.
74:02 - 74:06

Like say I will--
74:06 - 74:12

like say 6,494 events are there.
74:12 - 74:20

I will put some count stats.
74:20 - 74:24
74:24 - 74:26

Count.
74:26 - 74:28

OK.
74:28 - 74:33

So this statistics will
be applied on this.
74:33 - 74:36
74:36 - 74:41

So earlier you have seen,
our number was huge.
74:41 - 74:46

Now I will put get and
filter, and then you
74:46 - 74:48

can see the number has reduced.
74:48 - 74:53

So this is how you
can filter the events
74:53 - 74:56

and then apply the
statistics whatever you want.
74:56 - 75:02

Like, suppose you want some
condition through where,
75:02 - 75:09

and where ABC is
greater than some value.
75:09 - 75:17

So now here, you got a
subset of your entire event,
75:17 - 75:22

and then you have
applied the statistics.
75:22 - 75:29

So this will be a best practice,
that you filter it first.
75:29 - 75:33

If you apply-- suppose you
have already done statistics,
75:33 - 75:37

now you have
applied the entire--
75:37 - 75:41

applied the statistics on
entire events, and then
75:41 - 75:42

you have putting--
75:42 - 75:45

you are putting the conditions.
75:45 - 75:48

So this is inefficient,
you can say.
75:48 - 75:51
75:51 - 75:57

So obviously this will run,
but it will take much time
75:57 - 76:05

than the earlier condition that
you filter the event earlier as
76:05 - 76:06

possible.
76:06 - 76:08

OK?
76:08 - 76:14

The next thing is,
avoid using a wildcard
76:14 - 76:19

at the beginning or the
middle of the search term.
76:19 - 76:29

Like if you were to search for
"fail" so it can include "fail"
76:29 - 76:31

or something--
76:31 - 76:45

now if you include this, it
will search for entire index.
76:45 - 76:48

It will-- fetches the
data in the entire index
76:48 - 76:53

and then apply this filter.
76:53 - 76:54

OK?
76:54 - 76:58

In this condition, the
result will be huge
76:58 - 77:00

and it will impact the system.
77:00 - 77:04

Now, what happens when
you put it in between?
77:04 - 77:08
77:08 - 77:12

In between, that means that if--
77:12 - 77:17

suppose instead of "fail",
some spelling will be there,
77:17 - 77:28

like F-A-I-E-E-E-L, so that
event also will get fetched from
77:28 - 77:29

the index.
77:29 - 77:32

Or some other spellings
or something else,
77:32 - 77:35

it will get it over there.
77:35 - 77:38

So the best way is
apply the wildcard
77:38 - 77:41

at the end of the
search term, so this
77:41 - 77:44

will give a perfect
result for your search.
77:44 - 77:52

So here, what it does is it
fetches only the specific data
77:52 - 77:56

and apply the wildcard on that.
77:56 - 77:59
77:59 - 78:03

So the next thing
is, instead of using
78:03 - 78:07

wildcard for a specific field--
78:07 - 78:14

if you know the value of field,
then put or instead of wildcard.
78:14 - 78:17

Like, say here, if you put--
78:17 - 78:20
78:20 - 78:22

OK.
78:22 - 78:26

So this will give
some value, but I have
78:26 - 78:29

used this card underscore star.
78:29 - 78:34

But if you know the index name--
78:34 - 78:48

this is the index name and OR
If you have [INAUDIBLE] as well.
78:48 - 78:58

So this will be more efficient
than giving the underscore star.
78:58 - 79:00

OK?
79:00 - 79:03

This will give a valuable--
79:03 - 79:05

the correct information.
79:05 - 79:06

OK?
79:06 - 79:08
79:08 - 79:12

Then we can say the efficient
information to your search.
79:12 - 79:15
79:15 - 79:19

Working with the index, like
here in [INAUDIBLE] index,
79:19 - 79:24

what you can do is
provide an index name.
79:24 - 79:29

And then if you want
to search for fail,
79:29 - 79:33

you can search it for
fail or something else--
79:33 - 79:34

successful.
79:34 - 79:36
79:36 - 79:40

Successful-- if it is some
[INAUDIBLE] it will come.
79:40 - 79:43

Yes, successful
register or something.
79:43 - 79:46

So this is how you
can search on any--
79:46 - 79:51

You can search it
for source type.
79:51 - 79:57

So it's better you specify
as many field you know about.
79:57 - 80:02

If you know the source type,
also specify the source type,
80:02 - 80:06

and then you success.
80:06 - 80:10
80:10 - 80:11

Successful.
80:11 - 80:14
80:14 - 80:18

In similar fashion, you can
include as many a number
80:18 - 80:22

of fields that you want.
80:22 - 80:27

Now, again, as I have earlier
mentioned, with the index,
80:27 - 80:38

you can provide more than one
index with "or" like this,
80:38 - 80:43

and you can search for the
data and whatever field--
80:43 - 80:44

next field.
80:44 - 80:47

I am taking it from the field.
80:47 - 80:48

If you know the field
names and directly
80:48 - 80:55

you can put it over
there [INAUDIBLE].
80:55 - 80:56

OK?
80:56 - 81:00

So the first preference
will be inside the bracket,
81:00 - 81:05

and then it will execute this
one, so it will filter for this.
81:05 - 81:08

OK?
81:08 - 81:14

Also, you can use a
wildcard with the index.
81:14 - 81:16

But generally, it
is not recommended
81:16 - 81:20

to use a wildcard
with the index.
81:20 - 81:25
81:25 - 81:28

Does not recommend it to
use wildcard with the index.
81:28 - 81:34

Instead, at least a single
value should be there.
81:34 - 81:36

This is also valid--
81:36 - 81:36

failed.
81:36 - 81:39
81:39 - 81:40

OK.
81:40 - 81:42

This will give you value.
81:42 - 81:48

But instead of that, you
specify one or more indexes.
81:48 - 81:51

It is recommended.
81:51 - 81:52

You need at least--
81:52 - 81:54

there should be one index--
81:54 - 81:57

one or more index
should be there,
81:57 - 82:03

but it is better you mention
one index, not the star or not
82:03 - 82:06

the wildcard with
any of the field.
82:06 - 82:09

If you know the field name,
then specify the field name
82:09 - 82:12

or at least you use
initial of that field name
82:12 - 82:15

and then put a wildcard.
82:15 - 82:15

OK?
82:15 - 82:24

That will be the best
way to find the indexes.
82:24 - 82:30

This is the best way to make
your search more efficient.
82:30 - 82:33

OK?
82:33 - 82:37

Now, how can you find index?
82:37 - 82:40

How many index are there
in your environment?
82:40 - 82:42

So if you know
initial or anything
82:42 - 82:48

about index, so just [INAUDIBLE]
so that it will come.
82:48 - 82:52

So once you do this--
82:52 - 82:59

once you run this command,
there will be index field here.
82:59 - 83:04

So these many indexes are there,
which starts with underscore.
83:04 - 83:07
83:07 - 83:09

And any of them, if
you want to use--
83:09 - 83:12

audit, internal index--
any of the index
83:12 - 83:16

if you want to use in your
search, you can directly use it.
83:16 - 83:17

OK?
83:17 - 83:23

But at least you should
know initial or any word
83:23 - 83:30

about your index so you can
put it there, give a wildcard,
83:30 - 83:31

and use it.
83:31 - 83:33

OK?
83:33 - 83:38

Let's summarize what we
have learned until now.
83:38 - 83:42

So time is the most
efficient filter.
83:42 - 83:44
83:44 - 83:48

Specify one or more index
values at the beginning
83:48 - 83:50

of your search string.
83:50 - 83:55

So you need to specify
at the beginning of--
83:55 - 83:57

you need to specify
the index name
83:57 - 84:01

and include as many
search terms as possible.
84:01 - 84:03

So this is the next one.
84:03 - 84:09

Next is, make your search term
as specific as possible OK?
84:09 - 84:14

Inclusion is generally
better than exclusion.
84:14 - 84:17

The next one is, filter
as early as possible.
84:17 - 84:21

So as I explained, you
filter first and then apply
84:21 - 84:24

any of the statistics.
84:24 - 84:28

Avoid using wildcard at the
beginning or middle of a search.
84:28 - 84:35

So if you use it at the start
or beginning of any search term,
84:35 - 84:39

so it will process all the data.
84:39 - 84:41

First it will process
and give you the result.
84:41 - 84:43

If you provide in middle--
84:43 - 84:50

in between of a string, so
it can give a wrong value.
84:50 - 84:53

If you use at the start--
84:53 - 84:57

at the end of the search term,
so it will give you a better
84:57 - 85:02

result. When possible, use
"or" instead of wildcard.
85:02 - 85:04

OK?
85:04 - 85:10

So working with indexes,
you can work with any index,
85:10 - 85:14

like you just provide
index equal to index name
85:14 - 85:18

and then search term so
that will be very efficient.
85:18 - 85:23

You can use more than one
indexes through "or" and then
85:23 - 85:26

provide your next field.
85:26 - 85:31

In brackets, the
precedence will be
85:31 - 85:36

higher, so first execute
that, and then next,
85:36 - 85:41

it will execute the next search.
85:41 - 85:48

Then, how can you find
the index from the data?
85:48 - 85:51

You can use a wildcard.
85:51 - 86:01

You need to know at least
alphabet from your index.
86:01 - 86:06

So I'll put a star
underscore star,
86:06 - 86:15

and this is how you can get the
index name from the index field.
86:15 - 86:20

The index field is always
within the [INAUDIBLE] field.
86:20 - 86:23

If you want, you can want to
make it selected field as well.
86:23 - 86:25

It will go up in
the selected field.
86:25 - 86:28

So that's it about
the video, and thank--
86:28 - 86:32
86:32 - 86:37

So this video is about
Splunk's search language.
86:37 - 86:42

So we will start with
search language syntax,
86:42 - 86:46

so how the search language
language syntax works.
86:46 - 86:54

So this is full search I have
written in the search bar.
86:54 - 86:57

So this first part
will be your search--
86:57 - 87:00

any search the index you--
what you want to give,
87:00 - 87:02

where the data is
and the data source--
87:02 - 87:03

the category of that data.
87:03 - 87:06

Or any other string
if you want to put,
87:06 - 87:12

so you can give it as a
basic search based search.
87:12 - 87:15

And after that, you put a pipe.
87:15 - 87:18

So the output of
this search will
87:18 - 87:24

act as an input of the search,
which is after the pipe.
87:24 - 87:26

So this is called
a "pipe operator".
87:26 - 87:29

In any other language,
also in shell-scripting,
87:29 - 87:31

also we use pipe.
87:31 - 87:35

So in similar fashion,
pipe works here.
87:35 - 87:38

It acts as a filtering or--
87:38 - 87:40
87:40 - 87:45

the output of this search
will act as an input for this,
87:45 - 87:48

so simply, you
can consider that.
87:48 - 87:53

So after that, if
you see, this stats,
87:53 - 87:56

this is called as command.
87:56 - 88:00

So in Splunk, there
are multiple commands
88:00 - 88:03

are there, so this is
a statistics command.
88:03 - 88:05

This is not the
only one command.
88:05 - 88:07

There are multiple commands.
88:07 - 88:16

So this part is called a
command, and the next one is--
88:16 - 88:17

this is called a function.
88:17 - 88:20

So with stats, there
are many functions,
88:20 - 88:24

like min, max,
average, count, sum.
88:24 - 88:27

So I'm using here, "max".
88:27 - 88:28

OK?
88:28 - 88:33

And the next one is the
argument of that function.
88:33 - 88:36

So whatever argument,
one function
88:36 - 88:39

can have multiple arguments
or single arguments.
88:39 - 88:43

So here, it is a
single argument so I
88:43 - 88:45

have given-- this is
argument is nothing,
88:45 - 88:49

but it should be a
field from your event.
88:49 - 88:50

OK?
88:50 - 88:53

So this will be the
field from your event.
88:53 - 89:02
89:02 - 89:07

Generally, if you run
this command without this,
89:07 - 89:11

it will create a
field itself as "max."
89:11 - 89:15

You can see it here-- "max",
bracket, and then this field.
89:15 - 89:18

So you need to
rename this field.
89:18 - 89:21
89:21 - 89:26

You can rename this
field, call this max_avg.
89:26 - 89:31

So if I run this
command now, after this,
89:31 - 89:36

it will show you the rename.
89:36 - 89:43

It removed the "max," and it
is showing the new field over
89:43 - 89:43

there.
89:43 - 89:48

So it will be the new
name of that field.
89:48 - 89:57

So this part here, it
is called as a clause.
89:57 - 90:05

So it can be by something or as,
so this is called as a clause.
90:05 - 90:09

So the next one
is-- again, here,
90:09 - 90:13

you can see a pipeline
pipe over here,
90:13 - 90:17

so output of this
whole search will
90:17 - 90:23

act as the input for
the upcoming search.
90:23 - 90:28

So again, this is
called as function,
90:28 - 90:31

and this is the
variable-- new variable
90:31 - 90:34

we are creating through eval.
90:34 - 90:38

You can see it assignment,
the output of this
90:38 - 90:45

will assign it into
this variable OK?
90:45 - 90:47

Now, next one is--
90:47 - 90:51

this is Splunk pre-built
function, like max,
90:51 - 90:57

to convert a string-- to convert
a numerical value into a string.
90:57 - 91:03

So that, you can add one more
string or two because you cannot
91:03 - 91:08

not add a numerical
value with the string.
91:08 - 91:13

So you can see, if I run
this command, it will show.
91:13 - 91:17
91:17 - 91:19

this much bytes.
91:19 - 91:21

This is showing us
this much bytes.
91:21 - 91:25
91:25 - 91:27

In this function,
this is a function--
91:27 - 91:29

there are multiple
arguments are here.
91:29 - 91:31

Here, you saw that there
is single argument,
91:31 - 91:36

multiple argument
where to a string
91:36 - 91:40

there are multiple assignments
are there, commas, or duration,
91:40 - 91:41

and hexa.
91:41 - 91:44

So this is about it.
91:44 - 91:47

So you can go
through Splunk docs
91:47 - 91:53

and check what are commands
or functions are there.
91:53 - 91:56
91:56 - 92:01

So this is basics about
syntax of a Splunk search
92:01 - 92:05

so you can make your
complex searches
92:05 - 92:07

as well, whatever you want.
92:07 - 92:11

For the beginners,
it's a good point.
92:11 - 92:16

You can go one by one and
create your own searches.
92:16 - 92:19

Also, I have covered,
in previous video,
92:19 - 92:22

the basics about fields
search best practice.
92:22 - 92:25

So I am requesting you
guys, before starting
92:25 - 92:28

this complex query,
just go through that
92:28 - 92:33

and have a basic understanding
of Splunk terminologies.
92:33 - 92:35

What is a Splunk, about
the Splunk fields,
92:35 - 92:37

and best practice of searches.
92:37 - 92:42

So let's move to the
next topic in this video.
92:42 - 92:51

So there are a few basic
components of search syntax.
92:51 - 92:54

First one is a search term.
92:54 - 92:58

Second, commands, functions,
arguments, and clauses.
92:58 - 92:58

OK?
92:58 - 93:03

These are main syntax
components are there.
93:03 - 93:07

Search term actually,
what are you looking for?
93:07 - 93:13

It's exact keyword
phrases, or booleans,
93:13 - 93:16

or ATC, or number, or anything.
93:16 - 93:21

Whatever you know about your
data, just type it after.
93:21 - 93:25

It's best practice to give
index and source type or as many
93:25 - 93:26

as fields--
93:26 - 93:34

fields and value you give,
that will be helpful for your--
93:34 - 93:35

with respect to the performance.
93:35 - 93:40

So go and check about--
93:40 - 93:43

from the admin, if you have
ingested the data through admin
93:43 - 93:47

in your production environment
or you are doing POCs.
93:47 - 93:53

So first of all, check
your index and/or
93:53 - 93:58

whatever field you know about
it-- source type, source, host.
93:58 - 94:03

So that will help you to
reduce the performance.
94:03 - 94:07

Now, as I mentioned,
the search term
94:07 - 94:09

can be a keyword,
phrases, Boolean,
94:09 - 94:12

or many other things--
number or anything,
94:12 - 94:14

you can put it over
here before this.
94:14 - 94:17
94:17 - 94:21

The next one is commands.
94:21 - 94:25

So commands is, what do you
want to do with the results?
94:25 - 94:40

So once you have this search,
and let's say I have searched it
94:40 - 94:44

and you got some result.
94:44 - 94:48

So you got some result after
running this search, so here
94:48 - 94:51

are several things are there.
94:51 - 94:54

You can see fields and events.
94:54 - 94:58

So what exactly you want
to do with this data?
94:58 - 95:01

So Command will
help you understand
95:01 - 95:07

the trend or behavior, or
exactly the statistics of it.
95:07 - 95:10

So Command will help
you to create a chart,
95:10 - 95:15

compute the statistics, and
evaluate and format your data.
95:15 - 95:21

So see here, this
is [INAUDIBLE].
95:21 - 95:24

This is not much
understandable data.
95:24 - 95:30

So say I want to take a average,
any field, and get a max of it.
95:30 - 95:33

So this, I will
get the max of it.
95:33 - 95:36
95:36 - 95:43

So this is a bit meaningful
in terms of data.
95:43 - 95:48

Now, after that, the functions.
95:48 - 95:53

How do you want to chart,
compute, or evaluate the result?
95:53 - 95:54

Now, after this, you can use--
95:54 - 95:57
95:57 - 95:59

after stats, like max.
95:59 - 96:05

Whether you want to do max,
min, minimum, or some--
96:05 - 96:09

get a average,
transform the values.
96:09 - 96:12

Like, here we have
transformed the values.
96:12 - 96:19

Say I want some
string attached to it.
96:19 - 96:20

What is it exactly?
96:20 - 96:22

It is byte, megabyte,
or something else,
96:22 - 96:28

so I have written
this code to include
96:28 - 96:33

a byte after these values.
96:33 - 96:34

OK?
96:34 - 96:38

So these kind of
things, you need
96:38 - 96:40

to first make your
mind what exactly you
96:40 - 96:43

want to achieve from your data,
what exactly the output should
96:43 - 96:45

be so you can do that.
96:45 - 96:48

Now, next will be
the arguments--
96:48 - 96:51

the function of the argument.
96:51 - 96:55

This is one of the
component of search syntax.
96:55 - 96:57

So this is called
as an argument.
96:57 - 97:02

A function can have one
or multiple arguments,
97:02 - 97:05

so this can be a
calculate average value
97:05 - 97:11

for a specific field-- convert
a millisecond to a second.
97:11 - 97:15

So here, you can--
97:15 - 97:19

I can put over here
here as it's a byte,
97:19 - 97:26

in byte, you can apply a formula
to convert it into megabyte,
97:26 - 97:28

[INAUDIBLE], or anything else.
97:28 - 97:34

So this will help you to make
a meaningful information out
97:34 - 97:35

of your data.
97:35 - 97:39

So next component
will be clause.
97:39 - 97:43

The clause, how do you
want to configure or rename
97:43 - 97:48

the fields in the results?
97:48 - 97:51

So here, how you--
97:51 - 97:55

so if you want to give a name--
97:55 - 97:59

another name of your field
so you can use as over here
97:59 - 98:01

or rename--
98:01 - 98:08

also, you can-- that we'll
cover in our next video.
98:08 - 98:10

Or if you want to
group by, so you
98:10 - 98:13

can put it over
here-- by as well.
98:13 - 98:18

So this will come under clauses.
98:18 - 98:23

So this is all about the
components of Splunk search
98:23 - 98:25

syntax.
98:25 - 98:29

Now let's talk about
search pipeline.
98:29 - 98:34

So as we know, the data
is stored on the disk--
98:34 - 98:36

on the index-- particular index.
98:36 - 98:41

So this is a index where
the data is stored,
98:41 - 98:43

and data is stored
in the flat files.
98:43 - 98:48

So you need to keep in
mind the data is not
98:48 - 98:55

in any of the database, like,
say DBMS, like Oracle, or SQL.
98:55 - 98:57

So it can be one of
the interview question
98:57 - 99:04

that they can ask it what
database Splunk uses.
99:04 - 99:08

So Splunk uses flat
file to store the data.
99:08 - 99:08

OK?
99:08 - 99:11

Just keep in mind for
the interview purpose.
99:11 - 99:15

So let's back-- let's come
back to our main topic,
99:15 - 99:18

like search pipeline.
99:18 - 99:24

So this data-- this index
reside on the indexer,
99:24 - 99:28

and the actual data
is on the disk.
99:28 - 99:32

So now, when you
run this command--
99:32 - 99:36

so after running this
command, the data from here,
99:36 - 99:43

one intermediate interface
will come in between after--
99:43 - 99:46

this will get phased
into the search.
99:46 - 99:51

If you go to component
of it, whenever
99:51 - 99:53

the user run the search,
it fetches the data
99:53 - 99:54

from the indexer.
99:54 - 99:56

It pulls the data
from the indexer
99:56 - 99:58

where the data is stored.
99:58 - 100:02

So this is one of the
intermediate repository
100:02 - 100:06

where the data comes in
from the entire index.
100:06 - 100:10

We have chosen from
this index, get the data
100:10 - 100:17

for this particular source
type, and now create
100:17 - 100:23

a intermediate table for that.
100:23 - 100:29

Now this top command will
create an intermediate table.
100:29 - 100:32

First, we get the
intermediate events,
100:32 - 100:35

filtered the event from
the data and pulled it out
100:35 - 100:38

from on the search head.
100:38 - 100:42

Now, from there, we have created
an intermediate table where
100:42 - 100:48

it gives us the top 10 sources.
100:48 - 100:52

So it can be any field,
whichever you want--
100:52 - 100:53

so any field.
100:53 - 100:58

Here, only five fields
are there and five sources
100:58 - 101:01

are there in my index
because I have recently
101:01 - 101:03

installed this instance.
101:03 - 101:06

There won't be much
data over here.
101:06 - 101:11

So you can see it over
here, only five top 10
101:11 - 101:14

and through the top.
101:14 - 101:16

There are only 10--
101:16 - 101:20

by default, 10 records will be
fetched, so it will store this.
101:20 - 101:24

So this is called a
intermediate table.
101:24 - 101:26

Now, first table is this.
101:26 - 101:29

Another intermediate
table is this.
101:29 - 101:32

And again, if you want
to filter further and get
101:32 - 101:41

the exact result, so I
will give field percent.
101:41 - 101:47

So now this is the exact
field, exact table,
101:47 - 101:52

or exact data which you want
to come in front of user.
101:52 - 101:59

So from the biggest superset,
we have divided into subset,
101:59 - 102:04

and again, filtered down
to your interesting fields
102:04 - 102:06

or interesting data.
102:06 - 102:08

So this is--
102:08 - 102:13

I tried to explain about
the search pipeline.
102:13 - 102:15

So if you have written
any complex query,
102:15 - 102:19

so to make that complex
query more readable,
102:19 - 102:26

you can turn this
pipe into each line--
102:26 - 102:29

each next line just by typing.
102:29 - 102:36

Just you put Shift and Enter,
so this will give you--
102:36 - 102:42

This will go to next
string and next line,
102:42 - 102:47

and it looks more readable.
102:47 - 102:52

So there is auto--
102:52 - 103:00

automatic settings is there
so you have to go to user.
103:00 - 103:00

This is admin.
103:00 - 103:05

So in your case, it will be
any user name or something.
103:05 - 103:08

Go to Preference.
103:08 - 103:11

Go to SQL Editor.
103:11 - 103:19

From SQL Editor, there will
be a search auto-format.
103:19 - 103:21

So you need to click over here.
103:21 - 103:22

Click OK.
103:22 - 103:29

So whenever you write a pipe,
it will go to next line.
103:29 - 103:32

You can see it will
go to next line.
103:32 - 103:37

How many pipes you want to
use, it will go to next line.
103:37 - 103:45

If you want to add line, so
you can add line over here.
103:45 - 103:51

Go to this and select
it, it will add lines
103:51 - 103:54

as well-- line numbers, sorry.
103:54 - 103:57

It will add a line
number to your search.
103:57 - 104:05
104:05 - 104:09

Let's go to this
coloring options,
104:09 - 104:14

what exactly the coloring
means in this search.
104:14 - 104:20

So coloring option means blue.
104:20 - 104:24

It means these are the commands.
104:24 - 104:26

So blue comes in commands.
104:26 - 104:29

So also, keep in mind
this question can
104:29 - 104:33

come in fundamental I exams.
104:33 - 104:38

So also, if anybody
in the interview
104:38 - 104:43

want to test whether you have
word on [INAUDIBLE] or not,
104:43 - 104:45

they can ask about this.
104:45 - 104:49

So this will--
104:49 - 104:54

The command come in
blue, and the functions--
104:54 - 105:01

you can see the color of
functions is a purple.
105:01 - 105:03

OK?
105:03 - 105:04

This will come as a purple.
105:04 - 105:09

And if you have any
argument coming with the--
105:09 - 105:15

coming with your command--
105:15 - 105:19

like, say there is a-- one of
the command called "time chart."
105:19 - 105:25
105:25 - 105:35

It has a argument like "span
is equal to" [INAUDIBLE],
105:35 - 105:37

so this comes as a green.
105:37 - 105:41

And please do not get
confused with this argument
105:41 - 105:45

to the argument, which is
going into the function.
105:45 - 105:49

So this is command
arguments, and these
105:49 - 105:51

are the functions of argument.
105:51 - 105:55

So please bear in mind.
105:55 - 105:55

OK.
105:55 - 105:57

The next one is clause.
105:57 - 106:00
106:00 - 106:03

The color of clauses
will be orange.
106:03 - 106:04

You can see it here.
106:04 - 106:10

If I put "by" as well, it will
come "by", so it will come
106:10 - 106:14

as a orange.
106:14 - 106:14

OK.
106:14 - 106:19

So these are by default
colors comes in Splunk.
106:19 - 106:24

The rest of them,
it comes as a black.
106:24 - 106:30

So the argument, or function
argument, index name,
106:30 - 106:35

index value, key value pair, or
any search term, any keyword--
106:35 - 106:41

"fail", "failed", internal.
106:41 - 106:47

If you want to put this,
so this will also--
106:47 - 106:51

also, this if you
given under the double
106:51 - 106:58

quotes some value
equal to zero, so this
106:58 - 107:00

won't consider as
a field value pair
107:00 - 107:03

as it is there on
the double quotes.
107:03 - 107:06

So this will treat as string.
107:06 - 107:11

So please bear in mind.
107:11 - 107:16

Also, if you want to turn
off your coloring option,
107:16 - 107:21

so you can go to your
user preferences,
107:21 - 107:24

go to Splunk editor.
107:24 - 107:27

And here, if you
go to-- in General,
107:27 - 107:34

you can have a search assistant
where it will show you--
107:34 - 107:38

after each command,
it will show you
107:38 - 107:43

how that particular command
work or how can you use it.
107:43 - 107:46

I'll show you
after this example.
107:46 - 107:51

So in Themes, you
can go and change
107:51 - 107:53

the-- currently,
it's light theme,
107:53 - 107:56

so by default setting is this.
107:56 - 107:58

If you want to do
black and white,
107:58 - 108:02

so it will give everything
has a black and white.
108:02 - 108:07

So no coloring
option will be there.
108:07 - 108:11

So this is, by
default, a light theme.
108:11 - 108:15

So keep in mind,
this is by default.
108:15 - 108:18

And if you want to put a dark
one, you can put the dark.
108:18 - 108:25

But the color-- by default
colors will be same as it is.
108:25 - 108:27

OK?
108:27 - 108:34

So if I click OK, it will
convert into the dark theme.
108:34 - 108:39

Now, I was talking about
the search assistant.
108:39 - 108:44

So this is called
assistant where
108:44 - 108:48

Splunk provide you some
assistance on the Field
108:48 - 108:53

Name, field when you
are typing over here.
108:53 - 108:55

So you can use any of
the-- it will assist you,
108:55 - 108:57

how can you use it.
108:57 - 109:07

And by default, the
compact mode is enabled.
109:07 - 109:11

You can keep it None or Full.
109:11 - 109:14

Full, it will show
more detail over here.
109:14 - 109:20

See, you can see it
more details with--
109:20 - 109:21

OK with the examples?
109:21 - 109:26
109:26 - 109:30

So let's talk about
the table command.
109:30 - 109:33

So table command, as we
know from the name, it is--
109:33 - 109:36
109:36 - 109:40

as the name suggests, it
will provide you the events
109:40 - 109:42

in the form of table.
109:42 - 109:45

So Table Command
return a table format
109:45 - 109:49

by only field in
the argument list.
109:49 - 109:51

Field in the argument list.
109:51 - 109:57

So columns are displayed in
the order given in the command.
109:57 - 110:01

So whatever, as
I mentioned here,
110:01 - 110:04

the first column will be source.
110:04 - 110:07

Second is source
type, host, and time.
110:07 - 110:10

So let's say if I
run it over here,
110:10 - 110:17

it will give you, first, source,
source type, host, and time.
110:17 - 110:19

OK?
110:19 - 110:23

So column has header.
110:23 - 110:24

Header is nothing
but the field--
110:24 - 110:25

this field.
110:25 - 110:27

The header has its own--
110:27 - 110:32

this is header, and
these are the fields.
110:32 - 110:41

And each row-- each row
represent a event in the table.
110:41 - 110:44

So event in the
index, you can say.
110:44 - 110:44

OK?
110:44 - 110:46

This represents event.
110:46 - 110:52

Each row contains field
value for that event.
110:52 - 110:57

So field value for that event.
110:57 - 111:00

So for this event,
the source value
111:00 - 111:07

will be this for this
particular source type is this.
111:07 - 111:10

For this whole event,
the host is this,
111:10 - 111:13

and the time of
this event is this.
111:13 - 111:17

You can put as many as--
111:17 - 111:19

fields over here.
111:19 - 111:20

OK?
111:20 - 111:26

Whatever fields are there in
your mind to create a table
111:26 - 111:30

or create your output
in tabular format
111:30 - 111:34

so you can do it with that.
111:34 - 111:37

So the next one
is rename command.
111:37 - 111:41

So through rename
command, you can change
111:41 - 111:43

a name of any of the field.
111:43 - 111:48

Like, if you do not have any
meaningful name in your field,
111:48 - 111:54

so you can change the
name of that field.
111:54 - 112:01

So in this, we can see the name.
112:01 - 112:05

So this is what
exactly the name is.
112:05 - 112:13

So I'm not convinced this
name-- that what exactly
112:13 - 112:16

the name, so I can give
the name to this field,
112:16 - 112:23

like an application
name or event name.
112:23 - 112:36

So I can write simple,
"rename name as AppName"
112:36 - 112:48

and "table AppName _time".
112:48 - 113:01
113:01 - 113:03

Maybe it takes some
time to display.
113:03 - 113:09

So when I run it again, it is
giving the name of the fields,
113:09 - 113:11

like you can see here.
113:11 - 113:12

So instead of that--
113:12 - 113:16
113:16 - 113:18

instead of this, I
can use this command.
113:18 - 113:22

If, let's say, these
are the application--
113:22 - 113:26

if you do not have space
in between in the name,
113:26 - 113:29

so you can write
without double quotes.
113:29 - 113:34

Like, if you want to put
application name like this,
113:34 - 113:37

so you cannot write like this.
113:37 - 113:42

You need to put it
in the double quotes.
113:42 - 113:49

And same thing, you need to use
it over here while displaying.
113:49 - 113:53
113:53 - 113:56

So you can see it over here.
113:56 - 113:57

OK?
113:57 - 114:03

So keep in mind that
if you are using--
114:03 - 114:07

you are renaming a
field with the name
114:07 - 114:11

where the name consists
of space, so put it
114:11 - 114:13

in double quotes.
114:13 - 114:14

OK?
114:14 - 114:18
114:18 - 114:20

So one more important thing--
114:20 - 114:25

whenever you change any field
with the rename command,
114:25 - 114:29

so you're changing the
name of that field itself.
114:29 - 114:31

So the original
field will not be
114:31 - 114:37

accessible after
renaming this field--
114:37 - 114:39

after using the rename command.
114:39 - 114:44

So if I use the
original name, it
114:44 - 114:46

won't show any
value because there
114:46 - 114:51

is no such field called name.
114:51 - 114:58

Let's have a look in the event,
whether we see that name.
114:58 - 115:01

No, there is no
field called as name.
115:01 - 115:07
115:07 - 115:08

No.
115:08 - 115:13

We have our rename command
and some other name.
115:13 - 115:14

OK?
115:14 - 115:23

So please keep in mind that
once you rename this command,
115:23 - 115:28

this question may ask
in an interview as well.
115:28 - 115:34

So if you change any
particular field--
115:34 - 115:39

so the field name
itself will get changed,
115:39 - 115:42

you cannot access with
its original name.
115:42 - 115:44

OK?
115:44 - 115:46

So the next command is field.
115:46 - 115:55

So whenever you ingest a data,
on the basis of key value pair,
115:55 - 116:00

Splunk automatically
assign a value
116:00 - 116:03

to the fields, or field
names, on the basis of header
116:03 - 116:10

if it has a CSV file, or
it make on its own logic
116:10 - 116:14

to make a key and its value.
116:14 - 116:20

If you have created a field
extraction kind of thing so
116:20 - 116:23

that is advanced kind of part.
116:23 - 116:28

And the field extraction
will take a lot of time,
116:28 - 116:32

or performance of indexer
and searches, had both.
116:32 - 116:35

So if it's index
time extraction,
116:35 - 116:38

so it will consume
indexer resources.
116:38 - 116:41

If it's search time, it
consume search time--
116:41 - 116:43

search had resources.
116:43 - 116:48

So there is a command called
"field" where, through "field",
116:48 - 116:49

you can--
116:49 - 116:53

after, you can subset your data.
116:53 - 116:57

Like, you want to perform a
action on that particular field
116:57 - 116:58

only.
116:58 - 117:05

So you can include or exclude
the fields from your event
117:05 - 117:07

once it comes to a search head.
117:07 - 117:10

So it's not we are deleting
anything from the index
117:10 - 117:13

or removing anything
or any value or such.
117:13 - 117:19

Just we are subsetting our data
to our interesting fields--
117:19 - 117:23

interesting data.
117:23 - 117:28

And also, it will improve your
search performance that from--
117:28 - 117:34

we are not performing any
action on whole index.
117:34 - 117:38

Instead, we are filtering out
on the basis of these fields
117:38 - 117:44

and performing the action on
that selected field-- filtered
117:44 - 117:45

field.
117:45 - 117:50

So we can have one of the
example in front of you.
117:50 - 117:56

Like, say if you run
this command, so--
117:56 - 117:59

and one more I will
run without field.
117:59 - 118:02

So this I am running
without field.
118:02 - 118:07

Let's see how much time both
of the search will take.
118:07 - 118:12

So this I'm taking
without field option.
118:12 - 118:18

So without field option,
it took 0.791 seconds--
118:18 - 118:22

0.791 seconds.
118:22 - 118:27

Now, with field, let's see
how much time it takes.
118:27 - 118:32

It took 0.381 second.
118:32 - 118:40

So you can see the significant
difference in the performance.
118:40 - 118:43

So the event-- number
of events are same,
118:43 - 118:44

processed event are same.
118:44 - 118:49

Just we have filtered
through field command,
118:49 - 118:53

that we are telling Splunk
that I want to apply--
118:53 - 118:57

after this, I want to
use only this field
118:57 - 119:00

to perform tabular operation.
119:00 - 119:01

OK?
119:01 - 119:04

So there are
multiple things in--
119:04 - 119:10

not multiple, we can say
two things in a field,
119:10 - 119:12

like true plus operator.
119:12 - 119:17

By default, it's inclusion-only.
119:17 - 119:21

You can include or can
use plus so it will
119:21 - 119:23

apply to all of the fields.
119:23 - 119:29

Or if you want to remove it,
you want to use negative sign.
119:29 - 119:39

So in one of the example,
we have used a field minus,
119:39 - 119:41

I can use it directly
here-- "top".
119:41 - 119:46
119:46 - 120:00

"top source" and F-I-E-L-D
is "fields - percent".
120:00 - 120:04
120:04 - 120:08

So here, it will show
you percent command.
120:08 - 120:13

If I don't want percent,
so I can use this command
120:13 - 120:15

to remove percent field.
120:15 - 120:21
120:21 - 120:23

So see this field
will get removed.
120:23 - 120:27

So this will reduce the
overhead of your search.
120:27 - 120:30

Also, this is improved.
120:30 - 120:35

Your performance search query
performance, it will increase.
120:35 - 120:39

So two topics are
remaining for this video.
120:39 - 120:41

One is-- I'm using one of--
120:41 - 120:44

I'm explaining one more
command called dedupe,
120:44 - 120:46

and next one is sort.
120:46 - 120:50

So dedupe, as name
suggested, that dedupe
120:50 - 120:56

means removing the duplicate
field from the data.
120:56 - 121:01

If you want a unique
field in your data,
121:01 - 121:03

so you can use a dedupe command.
121:03 - 121:07

So for that, how can you
use a dedupe command?
121:07 - 121:18

So you just write "dedupe"
as you want to pronounce.
121:18 - 121:24

So I use "dedupe".
121:24 - 121:28

So I want to get
a unique source--
121:28 - 121:39

unique sources and type
"source" and get the source--
121:39 - 121:45

"sourcetype host".
121:45 - 121:50

So it will provide you
a unique source type.
121:50 - 121:52
121:52 - 121:54

Sorry, on the basis
of uniqueness--
121:54 - 121:56

will be on the basis of source.
121:56 - 121:58

So this will be unique.
121:58 - 122:01

This can be duplicate.
122:01 - 122:01

OK?
122:01 - 122:04

You can see these
are the duplicate.
122:04 - 122:09

Now, if you want to dedupe
on the basis of more
122:09 - 122:12

than one field, so you
can do that as well.
122:12 - 122:13

"sourcetype".
122:13 - 122:17
122:17 - 122:22

So you can consider
this as a key value pair
122:22 - 122:25

and that these should be unique.
122:25 - 122:25

OK?
122:25 - 122:30

You can see, if I
remove it, probably you
122:30 - 122:34

can see the difference
after removing it.
122:34 - 122:36

It may include multiple things.
122:36 - 122:38

Let's see.
122:38 - 122:42

Metrics, it has
multiple entries.
122:42 - 122:50

Now, if I want duplicate on
the basis of these two fields,
122:50 - 122:54

so you can do that as well.
122:54 - 122:58

And this will be on
alphanumerical order.
122:58 - 123:03
123:03 - 123:08

So the next command will be--
the next and last command will
123:08 - 123:16

be "sort command" that you can
order your data in particular--
123:16 - 123:19

display your data
in particular order.
123:19 - 123:22

It can be a descending
or ascending order.
123:22 - 123:24

By default, it's ascending.
123:24 - 123:27

And if you want to
make it descending,
123:27 - 123:32

so you need to use sort
hyphen minus to sort.
123:32 - 123:35
123:35 - 123:40

You can see, I want to sort.
123:40 - 123:45

If you write only
"sort" in field name,
123:45 - 123:48

[INAUDIBLE] the basis
of time [INAUDIBLE].
123:48 - 123:54

So on the basis of time,
it will sort it out.
123:54 - 123:58

And before that, I should
[INAUDIBLE] dedupe--
123:58 - 124:01
124:01 - 124:03

dedupe or dedup.
124:03 - 124:07
124:07 - 124:11

And so S-O-U-R-C-E, sorce.
124:11 - 124:14
124:14 - 124:17

Also, I will include
because [INAUDIBLE]
124:17 - 124:19

because we are
sorting, so you can
124:19 - 124:21

understand how it is working.
124:21 - 124:24
124:24 - 124:25

OK?
124:25 - 124:27

This will be in the
descending order.
124:27 - 124:29
124:29 - 124:32

And if you want to make
it in ascending order,
124:32 - 124:35

so just what you want to--
124:35 - 124:38

what you need to do is
just put a plus over here
124:38 - 124:42

so this will change.
124:42 - 124:53
124:53 - 124:54

No, it is not changing.
124:54 - 124:58
124:58 - 124:58

OK.
124:58 - 125:04
125:04 - 125:05

So I can just go time.
125:05 - 125:15
125:15 - 125:16

OK.
125:16 - 125:19

By default, it is changing.
125:19 - 125:23

So by default, it is
plus or without that.
125:23 - 125:26

Like this or this.
125:26 - 125:27

Both are similar.
125:27 - 125:31

If you want to put it
in descending order,
125:31 - 125:33

so you need to
use minus command.
125:33 - 125:37
125:37 - 125:42

So descending order, the
biggest is first and then--
125:42 - 125:43

OK?
125:43 - 125:49

Similarly, you can
use source as well.
125:49 - 125:56

If you want to use
source, so this
125:56 - 126:01

will be on the basis of
alphanumerical order.
126:01 - 126:03

So if you want to put more
than one in a byte space,
126:03 - 126:05

you can put more than one.
126:05 - 126:11

So space and comma so it
will consider more than one.
126:11 - 126:14

One more thing-- if you
are putting plus or minus,
126:14 - 126:21

so you need to put space in
between if you want to apply
126:21 - 126:28

the sort or order for
both of the string--
126:28 - 126:32

both of the fields
if you want to apply.
126:32 - 126:40

If you put "only" this, so it
will consider only for the first
126:40 - 126:42

value-- first field.
126:42 - 126:45

It won't consider
the second one.
126:45 - 126:45

OK?
126:45 - 126:53

So it will sort on the basis
of source, not the time.
126:53 - 126:55

If you put a space, it will
sort on the basis of time
126:55 - 126:57

as well as--
126:57 - 126:59

source as well as time.
126:59 - 127:04

So please keep in mind that
if you put a space in between,
127:04 - 127:06

the both will be included.
127:06 - 127:09

If you don't put,
only first field
127:09 - 127:13

will be included in
this sorting criteria.
127:13 - 127:15

OK?
127:15 - 127:24

Also, you can limit
the number of events
127:24 - 127:26

you want to display over here.
127:26 - 127:30

So with sort, I'm using
five or limit five.
127:30 - 127:30

Limit.
127:30 - 127:35
127:35 - 127:36

Limit equal to 3.
127:36 - 127:37

OK?
127:37 - 127:37

See?
127:37 - 127:42
127:42 - 127:44

No?
127:44 - 127:48

Yeah, it is showing
"only limit equal to 3."
127:48 - 127:52

You can use it
like this as well.
127:52 - 127:53

Zero.
127:53 - 127:57

So you can use it--
127:57 - 128:00

the limit function over here.
128:00 - 128:03

So there is a
real-life scenario--
128:03 - 128:09

real-life problem came in
our system is, how can you--
128:09 - 128:12

means by default-- in some
of the version by default,
128:12 - 128:16

you can display 10,000
record over here--
128:16 - 128:20

10,000 or 1,000
record over here.
128:20 - 128:26

So to overcome that problem,
just put with sort, just put 0.
128:26 - 128:28

So it will include
all the records which
128:28 - 128:33

you are fetching from the data.
128:33 - 128:38

But though it is not a good
practice to fetch all the data,
128:38 - 128:41

so you need to filter
as much as possible
128:41 - 128:48

the data to make sure that
your search is performing well.
128:48 - 128:50

Your resources are
utilizing well.
128:50 - 128:53

Otherwise, it will
hamper your performance,
128:53 - 128:56

also your search reporting time.
128:56 - 128:59

The search will
not get ended if it
128:59 - 129:03

is fetching all the
data from your indexes,
129:03 - 129:04

so just keep in mind.
129:04 - 129:08
129:08 - 129:10

So that's all about the video.
129:10 - 129:14

Let's recap what we have
learned from this video.
129:14 - 129:18

First, we have used a
search language syntax
129:18 - 129:23

where we have used a
basic search, then pipe.
129:23 - 129:29

We have used command, then
functions-- functions argument
129:29 - 129:31

and clauses.
129:31 - 129:32

We have used clauses as well.
129:32 - 129:36

And then the pipe--
129:36 - 129:38

what is the use of pipe.
129:38 - 129:42

The pipe will act
[INAUDIBLE] hence the output.
129:42 - 129:46

It will forward the
output of a previous surge
129:46 - 129:53

to input-- as an input to the
next surge, or next function,
129:53 - 129:57

or whatever surge you are using.
129:57 - 129:59

To that, it will pass on.
129:59 - 130:08

Also, there are some argument
of fields as well-- commands
130:08 - 130:16

as well, so stats, max.
130:16 - 130:22

So these are the
average, "avg_max".
130:22 - 130:24

So this is nothing--
130:24 - 130:26

argument is nothing
but a value here.
130:26 - 130:32

And the field, which is
there in your events,
130:32 - 130:37

so there are one or more
fields can be there in the--
130:37 - 130:39

from the function.
130:39 - 130:41

So next will be search
term components.
130:41 - 130:45

There are a few major
components are there.
130:45 - 130:46

First is search term.
130:46 - 130:50

What are you looking for?
130:50 - 130:55

Either keyword, phrases,
or Boolean data.
130:55 - 130:57

The second one is commands.
130:57 - 131:01

What do you want to do
with the result, which
131:01 - 131:03

is coming from search terms?
131:03 - 131:08

Then whether you want
to create a chart,
131:08 - 131:11

compute statistics,
eval, or format.
131:11 - 131:16

Now, the third one is--
third component is functions.
131:16 - 131:21

How do you want to chart,
compute, or evaluate the result
131:21 - 131:26

coming from the previous data?
131:26 - 131:26

Yeah.
131:26 - 131:30

So if you want to get
a sum, get an average,
131:30 - 131:34

transform the values,
[INAUDIBLE], or evaluate
131:34 - 131:37

or whatever you want
to do with the data.
131:37 - 131:40

And the fourth one is argument.
131:40 - 131:44

Are there variables you want
to apply to this functions?
131:44 - 131:53

So if you want to calculate
anything, rename the fields,
131:53 - 131:58

or change the format of that
field so that you can do,
131:58 - 132:03

the calculating average
value for a specific field,
132:03 - 132:11

convert megabyte to gigabyte
or byte to terabyte,
132:11 - 132:16

so these kind of
calculation you can do the.
132:16 - 132:18

And the fifth one is clauses.
132:18 - 132:24

You can-- how do
you want to group
132:24 - 132:28

or rename the fields in results?
132:28 - 132:35

So give a field name or a
group value by [INAUDIBLE].
132:35 - 132:36

OK?
132:36 - 132:37

So these are the components.
132:37 - 132:43

So we have talked about
the search pipeline where
132:43 - 132:48

the data is reside on the
indexes and searches head
132:48 - 132:53

fetches the data to
keep it internal table--
132:53 - 132:55

to be keep in to
the internal table--
132:55 - 132:57

sorry, not internal,
intermediate table.
132:57 - 133:04

Now, again, we filter
the data and that result
133:04 - 133:06

will keep it intermediate table.
133:06 - 133:10

And then finally, we will show
the data or in what format
133:10 - 133:17

you want so that will give you
a crisp insight from your data
133:17 - 133:19

through the search pipeline.
133:19 - 133:25

So in the pipeline, if you want
to make your search readable,
133:25 - 133:31

so you can use Shift Enter to
go to next line and use a pipe.
133:31 - 133:36

Or you can go to Splunk
Editor, SPL Editor,
133:36 - 133:41

and change the settings
whatever you want from here.
133:41 - 133:43
133:43 - 133:47

So next, we have talked
about the coloring
133:47 - 133:54

of commands or functions,
so functions are always
133:54 - 133:55

in blue color.
133:55 - 133:58
133:58 - 133:59

No, sorry.
133:59 - 134:01

The commands always
in blue color.
134:01 - 134:03

Functions are in purple.
134:03 - 134:07

So if you have any clauses,
it will come in orange.
134:07 - 134:12

Then apart from that,
everything will be in black.
134:12 - 134:12

OK?
134:12 - 134:14

Just keep in mind.
134:14 - 134:16

And also, there was
one more thing--
134:16 - 134:22

if you are putting a command--
134:22 - 134:29

using a command function,
so it will come in green.
134:29 - 134:33

[INAUDIBLE] command
or argument, so there
134:33 - 134:37

is a difference between command
argument and function argument.
134:37 - 134:37

OK?
134:37 - 134:42

So please make sure you got
the difference between them.
134:42 - 134:43

OK?
134:43 - 134:48

So you can play around
with the coloring options
134:48 - 134:54

as well from SPL Editor.
134:54 - 134:57

So if you had to go to--
134:57 - 135:00

you have to go to Themes
and choose by default,
135:00 - 135:03

it will come light theme.
135:03 - 135:08

Now you can remove a
theme or put a dark theme,
135:08 - 135:10

so I am applying dark theme.
135:10 - 135:12

Dark dark theme will
not come by default.
135:12 - 135:15

By default is light theme.
135:15 - 135:17

OK?
135:17 - 135:19

So I have talked
about creating table.
135:19 - 135:22

You can use a table.
135:22 - 135:27

You can create table
from your events
135:27 - 135:31

and play around with the table.
135:31 - 135:36

So you can represent a
data in the tabular format.
135:36 - 135:44

The column are display in the
order given in the comments.
135:44 - 135:46

You can see the order of it.
135:46 - 135:52

So this header fields header
is always a field name,
135:52 - 135:55

and this is the event.
135:55 - 136:00

One event represent the
value of your field.
136:00 - 136:05

So here you can see
the value of a field.
136:05 - 136:08

Next, we talked
about renaming field.
136:08 - 136:13

You can rename field to
whatever meaningful information
136:13 - 136:14

you want--
136:14 - 136:17

meaningful name.
136:17 - 136:26

So if you do not have space
in your renamed string--
136:26 - 136:29

rename the string-- so you
need not to use double quote.
136:29 - 136:33

If you have a space in between,
please use double quote.
136:33 - 136:37

So once you rename the command--
136:37 - 136:40

once you rename the field,
the field will not be there.
136:40 - 136:43

The original field will
not be there in the event,
136:43 - 136:45

so you need to use--
136:45 - 136:50

in going forward, you need
to use your renamed field.
136:50 - 136:57

So also, we have talked about
fields where [INAUDIBLE] field
136:57 - 137:05

parsing is very costly for
the index and for the search
137:05 - 137:06

as well.
137:06 - 137:09

So field command allow
you to include or exclude
137:09 - 137:15

specific fields in your
search to include use--
137:15 - 137:17

If you want to include--
137:17 - 137:20

use "plus", or if you
do not use "plus,"
137:20 - 137:22

it will be a by default plus.
137:22 - 137:24

Occur before the field side--
137:24 - 137:28

before the field extraction
and improve the performance.
137:28 - 137:28

OK?
137:28 - 137:33

To exclude, you need
to use a minus command.
137:33 - 137:36

After the field extraction.
137:36 - 137:41

no performance benefit, include
field used in the search
137:41 - 137:45

to make the table
display easier to read.
137:45 - 137:46

So there will--
137:46 - 137:49

If you do minus, there won't
be a performance benefit.
137:49 - 137:58

So next, we have given a
live example that how--
137:58 - 138:05

if you are using a
field command, how
138:05 - 138:09

it is improving the performance,
that search time will decrease.
138:09 - 138:12

We have talked about a
dedupe command, where
138:12 - 138:16

if you want to remove the
duplicate value from the data,
138:16 - 138:17

you can use it.
138:17 - 138:25

You can use a dedupe command
on more than one fields
138:25 - 138:28

if you want to do to dedupe
on more than one field.
138:28 - 138:31

If you want to
the sort the data,
138:31 - 138:34

you need to "sort command".
138:34 - 138:41

Use "sort command" order
your result in descending
138:41 - 138:44

or ascending order.
138:44 - 138:51

To use that, you need
to use sort, S-O-R-T,
138:51 - 138:54

plus for ascending,
minus for descending.
138:54 - 138:56

So one more thing
you keep in mind,
138:56 - 139:01

whenever you are using
field command without space,
139:01 - 139:03

it will consider the first--
139:03 - 139:12

It will sort only
for a first field.
139:12 - 139:17

If you are using a minus
or plus with the space,
139:17 - 139:18

it will consider--
139:18 - 139:23

it will qualify all the fields
which are mentioned in the sort.
139:23 - 139:27

It will qualify all the fields.
139:27 - 139:30

It will sort on the
basis of all the fields.
139:30 - 139:35

So I think that's
it about this video.
139:35 - 139:39
139:39 - 139:40

Hi, friends.
139:40 - 139:44

This video is about
transforming commands in Splunk,
139:44 - 139:47

or rather we can set types
of commands in Splunk.
139:47 - 139:52

So I am going to cover one of
the transforming command that
139:52 - 139:54

is called stats.
139:54 - 139:57

So in short, I can say
the transforming command
139:57 - 140:01

means the command
which can convert
140:01 - 140:03

your output into the tables.
140:03 - 140:06

So in short, this
is the definition
140:06 - 140:08

of transforming command.
140:08 - 140:12

So I am going to cover the stats
transforming command in it.
140:12 - 140:14

So let's begin.
140:14 - 140:17

So what exactly
the stats command?
140:17 - 140:20

So stat enables you to
calculate statistics
140:20 - 140:23

on data that matches
your criteria.
140:23 - 140:28

So what it does
is whenever you--
140:28 - 140:33

if you want to do some
statistics on your data after
140:33 - 140:39

any certain data volume,
which you know about it--
140:39 - 140:44

so let's say, if you
have your data index--
140:44 - 140:48
140:48 - 140:54

index is equal to audit or some
internal index, source type--
140:54 - 140:57

source type, any source
type can be there.
140:57 - 141:02

First of all, let's check what
are the source types are there.
141:02 - 141:08

So let's say I will take one
of the source type, Splunk D.
141:08 - 141:09

So this is the source type.
141:09 - 141:18

Now, after this, if
you know on which field
141:18 - 141:20

you want to apply
the statistics,
141:20 - 141:21

so you can apply on that.
141:21 - 141:23

So this will be your
search criteria.
141:23 - 141:28

Upon that, you can start
with the statistics command.
141:28 - 141:33

Now, the common functions
in statistics command
141:33 - 141:38

is first is count, so this
is one of the function.
141:38 - 141:40

[INAUDIBLE] count.
141:40 - 141:43

So what it does is it returns
the number of events that
141:43 - 141:45

matches the search criteria.
141:45 - 141:51

So in this, it will
return the count value.
141:51 - 141:57

The second one is distinct
count, or rather, we say DC.
141:57 - 142:03

So that returns a count of
unique value on the given--
142:03 - 142:04

for a given field.
142:04 - 142:06

OK?
142:06 - 142:12

So how to use it, I will
tell you in a few minutes.
142:12 - 142:16

The next function is sum,
return a sum of numerical value,
142:16 - 142:20

or then again, average-- avg.
142:20 - 142:23

Return an average
of numerical value.
142:23 - 142:26

Similarly, max-- M-A-X, max--
142:26 - 142:33

so it will return a max value
from all values for the fields.
142:33 - 142:36

Also a min--
142:36 - 142:38

M-I-N, min.
142:38 - 142:41

And also, it has list.
142:41 - 142:43

So it will list out
a list function.
142:43 - 142:48

So it will list out all the
values of a given field, OK.
142:48 - 142:52

Values is also one
of the functions,
142:52 - 142:57

so list out the unique
values on a given field.
142:57 - 142:59

So difference between
list and value
142:59 - 143:07

is, the list will give you all
the values for a given field.
143:07 - 143:12

However, the value lists the
unique value of a given field.
143:12 - 143:17

So let's go one by one
to these functions.
143:17 - 143:22

So first, let's say I am
going to run a stats count.
143:22 - 143:25

I want to know how
many events are there
143:25 - 143:27

for this particular
search criteria.
143:27 - 143:29

The search criteria
can be anything,
143:29 - 143:32

so I am going to
run count stats.
143:32 - 143:38

So let's see what
value it gives.
143:38 - 143:44

So let's say the number
of events are 2,503,
143:44 - 143:50

and the same count will be here.
143:50 - 143:56

Also, you can rename this
command as this field,
143:56 - 144:07

as Number Of Events.
144:07 - 144:14
144:14 - 144:16

So you can see it over here.
144:16 - 144:19

I have renamed the count field.
144:19 - 144:23

Otherwise, by default, it will
give you a count field name.
144:23 - 144:27
144:27 - 144:31

So one more thing is that
this is the function.
144:31 - 144:35

So the function accepts
the arguments as well.
144:35 - 144:38

So now, if you want to--
144:38 - 144:42

this count comes
for all the values.
144:42 - 144:46

Now, if you want to count
for a specific field,
144:46 - 144:49

a specific field, so you
can apply that as well.
144:49 - 144:53

So I will say source.
144:53 - 144:54

How many sources are there?
144:54 - 145:03
145:03 - 145:07

So these many sources
are there in [INAUDIBLE].
145:07 - 145:10
145:10 - 145:14

Let's see if source field
itself is there or not.
145:14 - 145:17

So you can see how
many number of events
145:17 - 145:20

are there where the
source is present.
145:20 - 145:23

So these many number
of events are there.
145:23 - 145:27

It is showing all, because for
all the source, it's there.
145:27 - 145:31

Like say, I will
put one of the field
145:31 - 145:35

where group is one of
the field, I suppose.
145:35 - 145:39
145:39 - 145:44

So see for these many number
of events, the group of fields
145:44 - 145:45

is there.
145:45 - 145:48

So it will give you
the total count of it.
145:48 - 145:51

Now, if you want to compare
with the actual field,
145:51 - 145:53

you can give it count.
145:53 - 145:55

Total count as--
145:55 - 145:59
145:59 - 146:01

Total count.
146:01 - 146:05
146:05 - 146:08

So it will give you
the number of events
146:08 - 146:12

which has group, group
field, and the total count.
146:12 - 146:14

If you want to do some
calculation over it
146:14 - 146:17

without group, or how many
number of events are there,
146:17 - 146:21

so you can do it with event.
146:21 - 146:30

Event remaining one.
146:30 - 146:36

So you have to do
total minus count,
146:36 - 146:38

so it will give
you remaining one.
146:38 - 146:44

This is the additional
one you can leave for now.
146:44 - 146:50

So next one, you can
group by these events
146:50 - 146:57

as well if you want to group by
event, like say, number of count
146:57 - 147:02

by source.
147:02 - 147:08
147:08 - 147:08

By source.
147:08 - 147:14

So it will give you for number
of count for each source.
147:14 - 147:17

So for this source, this
many number of events
147:17 - 147:19

are there for this source,
this many number of them.
147:19 - 147:27

So some of it will be
equal to your exact events.
147:27 - 147:32

So you can do Group By.
147:32 - 147:37

You can put as many
as number of group.
147:37 - 147:42

There is no limitations
of grouping the events.
147:42 - 147:45

So sourcetype host.
147:45 - 147:49
147:49 - 147:51

You can put this.
147:51 - 147:54

So you see for this combination,
the events are these many,
147:54 - 147:57

this combination of
events are these many.
147:57 - 147:58

There is no difference.
147:58 - 148:00

That's why it's not
showing any difference over
148:00 - 148:03

here because there is
only single source type
148:03 - 148:05

and then one host name is there.
148:05 - 148:10

So it is showing similar
value over there OK.
148:10 - 148:15

You can use comma in between or
without comma as well for this.
148:15 - 148:17

So it will give
you similar value.
148:17 - 148:20
148:20 - 148:27

While using a stat command,
please use a time range
148:27 - 148:34

very carefully, because as I
mentioned in earlier videos,
148:34 - 148:41

time is a very crucial
parameter for any searches.
148:41 - 148:46

So let's say you give the time,
that it will produce the faster
148:46 - 148:52

result. OK, so next
function is distinct count.
148:52 - 148:55

You can use it in two ways.
148:55 - 148:56

One is distinct_count.
148:56 - 149:11
149:11 - 149:13

Another one is dc.
149:13 - 149:16

The short form of
it is dc, dc count.
149:16 - 149:21

So I want the unique
count for source.
149:21 - 149:33

So source So it should give
only the unique count of it.
149:33 - 149:36

That shows 5 sources are there.
149:36 - 149:40

So it will give you
a count of that.
149:40 - 149:43

The result should be 5.
149:43 - 149:45

It's taking longer.
149:45 - 149:56
149:56 - 149:58

You can see it over here.
149:58 - 150:01

It is giving a distinct
count of source,
150:01 - 150:05

so only 4 sources are there.
150:05 - 150:11

So it is gaining count
of that field value.
150:11 - 150:14

Similarly, you can
use as over here.
150:14 - 150:32

So you can put this
[INAUDIBLE] count of source.
150:32 - 150:38
150:38 - 150:42

So it is giving the field name
as distinct count of source.
150:42 - 150:45
150:45 - 150:49

Next one is sum.
150:49 - 150:54

So you can use sum function
with numerical value.
150:54 - 150:59

So from here, you can check
which is alphanumerical
150:59 - 151:00

and numerical value.
151:00 - 151:07

# The field which has "#" before
it, it's numerical value,
151:07 - 151:11

and the field which
has "a" before it,
151:11 - 151:13

it's an alphanumeric value.
151:13 - 151:17

So these functions, you can
apply on the numerical values.
151:17 - 151:23

So average, putting
it as average.
151:23 - 151:25

So if you do this,
it will sum up
151:25 - 151:29

for all the events, OK,
average for all the events.
151:29 - 151:37

So it is good practice that you
should apply a source type over
151:37 - 151:38

here.
151:38 - 151:40

I mean, not source
type, field, any field.
151:40 - 151:49

So by, group by, sum of average
kbps, average_kbps, by source.
151:49 - 151:52

I'm putting it by source.
151:52 - 151:58

So by source, it will sum
up and give you the values.
151:58 - 152:01

So for other source
type, there is no value.
152:01 - 152:02

So it is blank.
152:02 - 152:04
152:04 - 152:10

_time if you want to put _time,
So it will provide you time
152:10 - 152:10

timely.
152:10 - 152:14
152:14 - 152:16

OK.
152:16 - 152:18

So for this time,
there is no value.
152:18 - 152:21

If you want to sort
it out from here,
152:21 - 152:23

it will give you
the values as well.
152:23 - 152:25

See?
152:25 - 152:31

For this time, this
will sum is there.
152:31 - 152:33

OK.
152:33 - 152:36

If you want, you can sort
it through command as well,
152:36 - 152:41

sort hyphen and count.
152:41 - 152:48
152:48 - 152:49

And count.
152:49 - 152:55

Or count field is not there,
so it won't apply over there.
152:55 - 152:59

So on time, you can say, _time.
152:59 - 153:06
153:06 - 153:09

So it will sort it by time.
153:09 - 153:11

You can see.
153:11 - 153:14

OK, you can put
sort it over here.
153:14 - 153:16

Similarly, you can put average.
153:16 - 153:21

Instead of this, you can
put average, AVG, average.
153:21 - 153:24

Any statistics
command, you statistics
153:24 - 153:25

function, you can
put it over here.
153:25 - 153:28
153:28 - 153:34

So it will give you the
average of this field.
153:34 - 153:39

Now, similarly,
average, you can use min
153:39 - 153:42

to get the minimum
value for that field.
153:42 - 153:49

Similarly, you can do the max,
so get the maximum value of it.
153:49 - 153:52

Maximum value for
that time period,
153:52 - 153:54

as you have given sort command.
153:54 - 153:57
153:57 - 154:00

No, group by, group by source.
154:00 - 154:02

For this source,
this particular time,
154:02 - 154:06

the maximum value
is this much, OK.
154:06 - 154:11

So next one is list command.
154:11 - 154:16

So here, you can provide
a list, list of source.
154:16 - 154:19

I will do source.
154:19 - 154:20

So let's see.
154:20 - 154:25

Let's see what comes
without by command.
154:25 - 154:28

So for all the event,
it should list them.
154:28 - 154:32
154:32 - 154:38

See, it is listing out
all the source type.
154:38 - 154:42
154:42 - 154:48

Now, I will put by source type.
154:48 - 154:52
154:52 - 154:56

So for each source type,
see, for this source type,
154:56 - 154:59

this many number of
sources are there.
154:59 - 155:01

It is listing over here.
155:01 - 155:04

So only single
source type is there.
155:04 - 155:06

So it is giving for single.
155:06 - 155:11

Let's see if any other
values are there.
155:11 - 155:13

So I will put component.
155:13 - 155:16
155:16 - 155:18

Component is one
of the value in--
155:18 - 155:22
155:22 - 155:27

components by source.
155:27 - 155:36
155:36 - 155:41

See, for this source, these
many components are there.
155:41 - 155:44

So these are not
the unique value.
155:44 - 155:45

All the value will come here.
155:45 - 156:02

So if you want to do Save As, so
list, or any list of components.
156:02 - 156:04

So list of components, we'll do.
156:04 - 156:07
156:07 - 156:09

So list of components
instead of this.
156:09 - 156:16

So this will give you
non-unique value, OK.
156:16 - 156:18

If you want to get
the unique value.
156:18 - 156:21

So instead of this,
you need to put values.
156:21 - 156:26
156:26 - 156:34

So this will give you unique
value against each source.
156:34 - 156:38

So by field, you can
apply by field over here.
156:38 - 156:49

So it will give you more
granular level of inputs.
156:49 - 156:52

or you can have level
of data it will provide.
156:52 - 156:55

So similarly, you can
use it in your use cases
156:55 - 157:00

how you can use values
and list command,
157:00 - 157:06

and other statistics functions.
157:06 - 157:11

So you can use it as
per your use case.
157:11 - 157:13

So this is very simple.
157:13 - 157:17

Not much complex
things are there.
157:17 - 157:23

So as you know, stats command
will give you a table format.
157:23 - 157:28

Let me see if I will run
the sum of this field
157:28 - 157:30

by source and time.
157:30 - 157:35

So now you can edit
this table or format
157:35 - 157:39

this table in multiple--
157:39 - 157:45

like this is like, say,
this is the sum of average.
157:45 - 157:49

So if I want to give
coloring options like,
157:49 - 158:03

say orange, see,
if from 0 to 30.
158:03 - 158:05

30, if data is there,
the color will be blue.
158:05 - 158:08

Like you can see it over here.
158:08 - 158:11

The color of it is blue.
158:11 - 158:18

Now, you can change it by
your own, like minimum 2 of 5.
158:18 - 158:27

It will be this, then 5 to 7.
158:27 - 158:30

It will this much, 7 to 10.
158:30 - 158:35
158:35 - 158:39

It will be this, and
10 to 100, for example.
158:39 - 158:42

I'm keeping it 10,
and maximum is red.
158:42 - 158:45

So similarly, you
can put it over here.
158:45 - 158:48

You can make it short, and
you can see the coloring,
158:48 - 158:50

the change in color.
158:50 - 158:52

You can see it over here.
158:52 - 158:58

OK, similarly, you can
make other like value,
158:58 - 159:00

if any specific value
for a specific value, you
159:00 - 159:02

want to put it, or auto.
159:02 - 159:06

Define a rule if cell value
is any specific number,
159:06 - 159:08

or cell value is this.
159:08 - 159:11

Let's say I skip it here.
159:11 - 159:15
159:15 - 159:18

Make it here now.
159:18 - 159:20

Value, define a rule.
159:20 - 159:24

If cell value is this,
the color will be this.
159:24 - 159:28

Add another one if cell
value is something else.
159:28 - 159:32
159:32 - 159:36

If cell value is this,
I'll put some other color.
159:36 - 159:39

Add another color.
159:39 - 159:42

So this is giving another color.
159:42 - 159:45

So this is how you can play
around with the color coding.
159:45 - 159:52

And the next one is
number formatting.
159:52 - 159:53

You can do number formatting.
159:53 - 159:54

Currently, it's disabled.
159:54 - 159:59

I am making it enabled.
159:59 - 160:02

Not here, because
this is not number.
160:02 - 160:05

So make sure that the
number formatting you
160:05 - 160:11

are putting for numerical value.
160:11 - 160:17

So precision, use 1,000
separator, 1,000 separator,
160:17 - 160:20

like it will provide you the
comma and everything, unit.
160:20 - 160:29

Like I will put in bytes.
160:29 - 160:31

So if your position of
it, if you want to put it
160:31 - 160:36

before or after, bytes.
160:36 - 160:39

So bytes, it has come by byte.
160:39 - 160:41

After the numerical value,
if you put it before,
160:41 - 160:43

it will come before
bytes in this.
160:43 - 160:46

So similarly, you can put
anything, whichever you want.
160:46 - 160:52

If this is like any
group or like we
160:52 - 160:57

are calculating in price or
something you can put dollar.
160:57 - 160:59

So here, it will
comment as dollar.
160:59 - 161:01

And now if you
want to put pound,
161:01 - 161:03

it will comment as a pound.
161:03 - 161:09

So similarly, you can
put anything over here.
161:09 - 161:11

So that's it for the video.
161:11 - 161:13

So hope you liked it.
161:13 - 161:15
161:15 - 161:16

Welcome to my channel.
161:16 - 161:19

Hope you are all doing good.
161:19 - 161:24

So the next topic will be
creating reports in dashboards.
161:24 - 161:28

So in this video, I will be
covering creating reports
161:28 - 161:30

and working with reports.
161:30 - 161:33

So what exactly a report is?
161:33 - 161:36

So let's go to the
definition of reports.
161:36 - 161:38

So reports are the saved search.
161:38 - 161:41

So whenever you are
creating any saved search,
161:41 - 161:45

so it is nothing but a report.
161:45 - 161:48

So a report can show events.
161:48 - 161:54

It can show events, raw events,
or statistics, or table,
161:54 - 161:59

or any visualization chart, bar,
pie chart, or any other kind
161:59 - 162:00

of visualization.
162:00 - 162:04

You can do it through report.
162:04 - 162:07

Running a report
returns a fresh result
162:07 - 162:09

each time when you
run the report.
162:09 - 162:12

So this is one of the
feature of report,
162:12 - 162:17

that it will not
run the past data.
162:17 - 162:19

every time, it will
run the fresh data.
162:19 - 162:22

It won't get the cached
data or something,
162:22 - 162:28

until or unless you have
used a specific date and time
162:28 - 162:29

range over there.
162:29 - 162:32

But it always gives
you the fresh data.
162:32 - 162:35

So Statics and
Visualization allow
162:35 - 162:39

you to drill down by default
to see underlying events,
162:39 - 162:43

so whenever you
create any report.
162:43 - 162:53

So if you are clicking
on any of the parameters,
162:53 - 162:57

it will drill down to
that particular event.
162:57 - 163:00

OK, we'll see it in
our practical session.
163:00 - 163:05

So the next one is, a report
can be shared and added
163:05 - 163:06

to dashboard.
163:06 - 163:09

That means you can
share the report.
163:09 - 163:10

You can keep it private.
163:10 - 163:14

If it's confidential,
you can keep it private.
163:14 - 163:20

Or you can share those reports
among the app or multiple apps.
163:20 - 163:25

And also, you can
create a report
163:25 - 163:27

or share the report to
the dashboard as well.
163:27 - 163:32

So when we are moving
forward, I will show you
163:32 - 163:36

how we can create a report
and add it to the dashboard.
163:36 - 163:42

So that, I'll be covering
in our dashboard video.
163:42 - 163:44

So there are a
few things we need
163:44 - 163:47

to take care about when
you are creating reports.
163:47 - 163:49

So one is naming convention.
163:49 - 163:53

So naming convention, it's
good to have a smart naming
163:53 - 163:54

convention.
163:54 - 163:58

Before you begin using
Splunk on the job,
163:58 - 164:00

define a naming
convention so you
164:00 - 164:07

can allow always find your
reports and tell them apart.
164:07 - 164:10

So generally, when
you create a report,
164:10 - 164:13

there are thousands of reports
in your environment, maybe.
164:13 - 164:16

So to uniquely
identify, it should
164:16 - 164:19

have some naming
convention to follow
164:19 - 164:22

so that it's very
easy to understand
164:22 - 164:24

what all reports are created.
164:24 - 164:27

And through naming
convention, you
164:27 - 164:32

can get which what object it
is, for which group it is,
164:32 - 164:35

or what is the
description of it.
164:35 - 164:39

OK, so the ideal
naming convention
164:39 - 164:45

will be, what can you
do is, first, here you
164:45 - 164:47

want to create a
report just saying,
164:47 - 164:49

how can you give the name of it.
164:49 - 164:52

This is not the search language.
164:52 - 164:55

This one is in brackets.
164:55 - 164:59

So first should be
your group name.
164:59 - 165:04

Second should be your object.
165:04 - 165:10

And third will be
the description.
165:10 - 165:15
165:15 - 165:17

So in this naming
convention, you
165:17 - 165:20

should always save your report.
165:20 - 165:22

So saving a report,
I will show you
165:22 - 165:26

how can you save the reports.
165:26 - 165:29

So for example, the
example will be--
165:29 - 165:33
165:33 - 165:40

suppose you need to get the
weekly data for a sales report
165:40 - 165:42

or for a login failure.
165:42 - 165:45

So how can you do that?
165:45 - 165:46

Loginfailed_.
165:46 - 165:54
165:54 - 165:55

What exactly do you want to do?
165:55 - 166:00

You need to create a report,
alert, or dashboard, or macro.
166:00 - 166:06

So here, like we can
say report and daily.
166:06 - 166:09
166:09 - 166:13

Daily failure.
166:13 - 166:19

Or you can say
DailyLoginFailure here.
166:19 - 166:26

Or if any domain is
there, like say, network,
166:26 - 166:29

it is with respect
to network domain.
166:29 - 166:31

Or finance.
166:31 - 166:35
166:35 - 166:40

Finance, like this, you
can create a reporting.
166:40 - 166:42

Or IT department.
166:42 - 166:45

So IT_Report_DailyLoginFailure.
166:45 - 166:49

So this is how the naming
convention should be.
166:49 - 166:52

So first, whenever you
are searching for reports,
166:52 - 166:55

the report will be there
always in this tab.
166:55 - 166:57

So whenever you are
searching for the report,
166:57 - 167:02

if you search
directly on this tab--
167:02 - 167:03

let me show you--
167:03 - 167:08

in this tab, there are
these many reports.
167:08 - 167:10

If you have created
any report, so you
167:10 - 167:11

can search it like report.
167:11 - 167:15

And currently, there
is no report created,
167:15 - 167:16

so it is not showing.
167:16 - 167:18

But you can see a report.
167:18 - 167:21

If you have created
alert, you can search it
167:21 - 167:23

with alert, or dashboard.
167:23 - 167:24

It won't show here.
167:24 - 167:28

It will show it in
here, under Report, OK.
167:28 - 167:35

So this is about naming
convention of report.
167:35 - 167:38

Now, I will explain to you
how can you create a report.
167:38 - 167:41

So before that, you
should know for which
167:41 - 167:42

you want to create a report.
167:42 - 167:46

Like, you should have the data
login or any employee record
167:46 - 167:47

or something.
167:47 - 167:49

Before that, the data
should be there in Splunk.
167:49 - 167:54

So you need to request
to your admin or whoever
167:54 - 167:56

if you are working with POC.
167:56 - 167:59

So just ingest
the data yourself.
167:59 - 168:03

I have created on video how
can you ingest the data.
168:03 - 168:05

So go and have a look on that.
168:05 - 168:08

If you are doing any
POC or you are learning.
168:08 - 168:10

So let's see.
168:10 - 168:16

I have ingested some data in
employee index and employee
168:16 - 168:16

source type.
168:16 - 168:25

So better you filter out a
field as much as possible,
168:25 - 168:27

so it will impact
your performance.
168:27 - 168:32

Now, what I am doing is
I'm creating a table,
168:32 - 168:35

or let's say first
time, what I'll do
168:35 - 168:38

is I'll create a raw data.
168:38 - 168:41

This will be the
raw data from here.
168:41 - 168:44

This is a simple raw event.
168:44 - 168:47

Now, from here,
first is your search.
168:47 - 168:50

Second, you need
to go to Save As,
168:50 - 168:53

and you need to click on Report.
168:53 - 169:01

So I will save it as
IT_Report_EmpDetails.
169:01 - 169:17
169:17 - 169:20

So this will be my report name.
169:20 - 169:22

The description is optional.
169:22 - 169:28

So I will sure make it
as demo and content,
169:28 - 169:30

how you want to see the report.
169:30 - 169:32

So currently, it's
in event format.
169:32 - 169:34

So it will show event.
169:34 - 169:39

Time Picker, Time
Picker will show you
169:39 - 169:48

whether you want to use the Time
Picker during your reporting
169:48 - 169:49

or searching.
169:49 - 169:51

When you deploy the
report, the Time Picker
169:51 - 169:54

will come by
default, and you can
169:54 - 169:57

choose your timing
for how many days
169:57 - 170:02

you want report, how many
hours you want report.
170:02 - 170:08

If you don't select it,
it will choose the value
170:08 - 170:09

as you have mentioned
in the search,
170:09 - 170:11

like all time I have searched.
170:11 - 170:13

But please do not use all time.
170:13 - 170:14

It will impact your performance.
170:14 - 170:19

So once you have selected
everything, just click on Save.
170:19 - 170:25

So it will save your report.
170:25 - 170:28

So when you save it, it
will give you few details
170:28 - 170:30

like additional settings.
170:30 - 170:36

If you want to do Permissions,
when you are creating it,
170:36 - 170:41

the report will be private, so
it will be visible to you only.
170:41 - 170:44

And if you want to make
it visible to others,
170:44 - 170:49

you need to make it
read only, or even
170:49 - 170:53

to give write
permission to some roles
170:53 - 170:55

so you can provide
a write permission.
170:55 - 170:59

Second, one is Schedule, so
you can schedule a report
170:59 - 171:02

if you want to
schedule a report,
171:02 - 171:04

or you want to send an email.
171:04 - 171:07
171:07 - 171:10

In email, you want to send this
event, so you can say Schedule.
171:10 - 171:11

You can accelerate.
171:11 - 171:15

Accelerate is nothing, but it
will create a summarized data
171:15 - 171:18

on the disk and
embed if you want
171:18 - 171:20

to embed your report somewhere.
171:20 - 171:22

So you can do that code.
171:22 - 171:24

You can get it
and you can embed.
171:24 - 171:32

The next option will be the
Continuous Editing or Add To.
171:32 - 171:35

Add to dashboard,
directly from here,
171:35 - 171:38

you can add it to
add to dashboard.
171:38 - 171:45

So currently, what I'm doing is
I will go and view the report.
171:45 - 171:50

So once you click
on that, it will
171:50 - 171:55

show you the data, the
report output of it.
171:55 - 172:02

So also, if you want to search,
you can search it over here.
172:02 - 172:03

Report.
172:03 - 172:06

As I mentioned, report,
it will show as report.
172:06 - 172:08

So it wasn't showing earlier.
172:08 - 172:08

It was not showing.
172:08 - 172:10

Now it is showing over here.
172:10 - 172:13

So this is how you can search
for the report directly.
172:13 - 172:14

If you want, you can click it.
172:14 - 172:17

Click over here.
172:17 - 172:20

So it will show the same page.
172:20 - 172:30

So from here, you can perform
a number of operations.
172:30 - 172:33

As I mentioned, if
you give Time Picker,
172:33 - 172:36

the Time Picker will
be coming over here.
172:36 - 172:38

If you don't give
the Time Picker,
172:38 - 172:42

it will come without this value.
172:42 - 172:45

OK.
172:45 - 172:50

So you can use a time range,
time range, last 15 minutes,
172:50 - 172:54

or all time, or.
172:54 - 172:57

So this is how you
can create a report.
172:57 - 173:00
173:00 - 173:02

Now, let's see
what all operations
173:02 - 173:05

can be done on a report.
173:05 - 173:09

So this is an existing report
which I have already created,
173:09 - 173:11

already as in we have created.
173:11 - 173:15

And now, I want to do any
editing or some operation
173:15 - 173:15

on report.
173:15 - 173:18

So what can be
done on the report?
173:18 - 173:22

So I can open in Search.
173:22 - 173:25

So directly, when I
click on over here,
173:25 - 173:27

it will open the
report in Search.
173:27 - 173:33

So if you want to,
say, give some values
173:33 - 173:36

and you want to save it,
you can save it over here.
173:36 - 173:39

Or if you want to
rename this event,
173:39 - 173:43

if you added some more
values or more visualization
173:43 - 173:48

over here, so you can save it or
create your own different copy
173:48 - 173:49

of the report.
173:49 - 173:52

So similarly, you can click
over here, give all the details,
173:52 - 173:58

and do anything with it.
173:58 - 174:02

OK, so the next thing will be--
174:02 - 174:04

I will go to that report only.
174:04 - 174:08
174:08 - 174:11

OK, this report the next
one will be description.
174:11 - 174:14

You can edit description.
174:14 - 174:21

So just bear in mind, you cannot
edit the name of a report.
174:21 - 174:24

If you want to do it, you
need to delete it and then
174:24 - 174:26

create with another name, OK.
174:26 - 174:31

Also, you can edit
the permission.
174:31 - 174:33

You can edit the permission.
174:33 - 174:34

Currently, it's private.
174:34 - 174:37

Whenever you see the report,
it will show you private.
174:37 - 174:41

I will show you how
it will look like.
174:41 - 174:45

So report.
174:45 - 174:49

So you can see
Sharing, it's Private.
174:49 - 174:51

Only you can see it.
174:51 - 174:56
174:56 - 175:01

OK, now you can make it public.
175:01 - 175:07

You can share it between the
users, or to only this app, OK.
175:07 - 175:10

You just need to
create the permissions.
175:10 - 175:15

If you want to share
between all the application,
175:15 - 175:16

you can do that as well.
175:16 - 175:22

So as per your requirement,
you can change the permissions.
175:22 - 175:25
175:25 - 175:26

Next one, you can schedule.
175:26 - 175:29

If you want to schedule
it, schedule it from here.
175:29 - 175:34

Use all the parameters,
whatever you want.
175:34 - 175:37

You can schedule it as
per your requirement,
175:37 - 175:40

and all the other
details are there.
175:40 - 175:42

Actions, whatever actions
you want to perform,
175:42 - 175:44

you can do that.
175:44 - 175:46

Scheduling is one part.
175:46 - 175:50

Next one is Acceleration, so
you can accelerate the report.
175:50 - 175:53

But before that, you
need to schedule it.
175:53 - 175:57

If you do not schedule
it, it won't acclerate.
175:57 - 176:02

Acceleration means, what it does
is, it will summarize the data
176:02 - 176:04

and put the copy of
that summarized data,
176:04 - 176:10

put it on the file,
not in the index,
176:10 - 176:12

OK, not in the main index.
176:12 - 176:17

You can clone it, you
can get the embed value,
176:17 - 176:19

and you can delete it.
176:19 - 176:25

These all operations can
be done on the report.
176:25 - 176:28

Also, if you can see in
the more information.
176:28 - 176:31

So there will be more
information about created app
176:31 - 176:33

schedule action.
176:33 - 176:36

So what all details are
there for this report,
176:36 - 176:39

you can see it over here, OK.
176:39 - 176:41

So OK, there are
multiple things there,
176:41 - 176:46

like Edit Job, how
it is performing.
176:46 - 176:48

If it is log-running,
you can pause it.
176:48 - 176:50

You can stop it.
176:50 - 176:51

You can reload it.
176:51 - 176:56

You can share it, print it, and
you can download the report, OK.
176:56 - 176:58

These are operations
you can perform in it.
176:58 - 177:02

So in Download, we can see
how many options are there,
177:02 - 177:07

so how many times you can
download raw data, PDF, CSV, XML
177:07 - 177:08

and JSON.
177:08 - 177:13

And these many types, you
can download the reports.
177:13 - 177:16
177:16 - 177:20

Name is optional, and how
many records you want to--
177:20 - 177:22

how many reports you want to--
177:22 - 177:24

OK, now let's come
to the next one,
177:24 - 177:27

creating tables
and visualization.
177:27 - 177:32

So mainly, there are
three types of method
177:32 - 177:34

to create table and
visualization in Splunk.
177:34 - 177:41

So first one is select a
field from the side bar
177:41 - 177:45

and choose a report to run, OK.
177:45 - 177:51

You can select from the sidebar,
and you create a report.
177:51 - 177:54

And use a Pivot interface.
177:54 - 177:58

This means you can use
start with data, data set,
177:58 - 178:00

or directly, you
can go to Pivot.
178:00 - 178:04

So this is how you
can create a table.
178:04 - 178:07

Use the Splunk Search
Language transforming command
178:07 - 178:09

in the search by directly.
178:09 - 178:13

You can write your own searches,
and you can create a table
178:13 - 178:15

or visualization.
178:15 - 178:18

So let's go.
178:18 - 178:22

Let's have a look one by
one, how can we achieve this.
178:22 - 178:27

So how can you view the
table or visualization?
178:27 - 178:33

So if you run any
report, any query,
178:33 - 178:35

so there are multiple options.
178:35 - 178:38

First is Events, where you can
see the raw events pattern.
178:38 - 178:44

You can find out
pattern in your data.
178:44 - 178:45

And next one is Stats.
178:45 - 178:51

So from Stats, this will
represent you the tabular format
178:51 - 178:52

of your data.
178:52 - 178:58

So whatever I have given
in the table command,
178:58 - 179:07

you can see, name, age,
employee ID, city, and salary.
179:07 - 179:11

And next one is
visualization where
179:11 - 179:15

you can see how your
data is performing,
179:15 - 179:19

or as per your
query, here, you can
179:19 - 179:23

use stats any of the
transforming command, which
179:23 - 179:24

should be a
transforming command.
179:24 - 179:28

So you can see the
visualization and the table,
179:28 - 179:31

or statistic table.
179:31 - 179:33

So this is how
you can visualize.
179:33 - 179:36
179:36 - 179:40

So as I mentioned,
you can create
179:40 - 179:49

a report, or a table or
visualization, in three ways.
179:49 - 179:57

So one of the ways is, select
the value from your field bar.
179:57 - 179:58

Select the value
from your field bar.
179:58 - 180:01

Let's have a look how
can we achieve that.
180:01 - 180:07

So you can see it here.
180:07 - 180:11

There are many fields there.
180:11 - 180:16

Now, choose a numerical one.
180:16 - 180:18

Always choose a numerical one.
180:18 - 180:22
180:22 - 180:25

Now, in my data, I can
see a numerical value.
180:25 - 180:29

So when you click
on numerical value,
180:29 - 180:33

it will show you some
mathematical functions,
180:33 - 180:38

average over time,
max value over time,
180:38 - 180:43

minimum value over time, top
values, top values by time,
180:43 - 180:46

rare events with this fields.
180:46 - 180:52

OK, so what you can do is
directly click over here.
180:52 - 180:57

So once you click it, it
will give you the details.
180:57 - 181:01

Currently, only age, OK.
181:01 - 181:02

OK, time chart.
181:02 - 181:05

Age, only this
much age is there.
181:05 - 181:06

That's why it is showing--
181:06 - 181:10

OK, I have selected the average.
181:10 - 181:12

So it will show
you only average,
181:12 - 181:15

because the average is coming.
181:15 - 181:22

Like similarly, let's see for
some other value for average
181:22 - 181:22

over time.
181:22 - 181:26
181:26 - 181:31

I think for my data, I have
ingested at the same time,
181:31 - 181:33

so ingestion time is taking.
181:33 - 181:38

So it will give
you this data only,
181:38 - 181:43

like for this time, because
it's average on time.
181:43 - 181:47

So for this particular time,
all the events has happened.
181:47 - 181:51

So that is why it is
showing you this graph.
181:51 - 181:58

Otherwise, it will show as I'd
shown earlier, similar to this.
181:58 - 182:01

It will show you on
the basis of time
182:01 - 182:05

how your data is performing
on the basis of time, OK.
182:05 - 182:11

So this is the simplest
example of how you can
182:11 - 182:15

get the data from your fields.
182:15 - 182:20

So also, when you
click on that field,
182:20 - 182:26

you observed
automatically, it is
182:26 - 182:28

giving the time chart command.
182:28 - 182:31

Now, you click over
here, it's giving you
182:31 - 182:35

time chart command, OK, because
time chart command always
182:35 - 182:39

works over the time.
182:39 - 182:43

So by default, the y-axis,
the x-axis is always time.
182:43 - 182:49

And the y-axis will be the
field which you have taken.
182:49 - 182:56

OK, so now let's create
a top value report.
182:56 - 183:01

So when you go to your
event from event itself,
183:01 - 183:04

from sidebar field itself,
you can create top values.
183:04 - 183:11

So let's go to alphanumerical
values, alphanumerical values.
183:11 - 183:16

And here, you can
see top values.
183:16 - 183:22

So once you click over here, it
will give you top 20 countries'
183:22 - 183:27

value, but currently, only two
data is there for each country.
183:27 - 183:31

So it will show you
this, only two records.
183:31 - 183:34

But by default, if you
choose it over here,
183:34 - 183:45

it will show you 20 records by
default, but in the top, OK.
183:45 - 183:47

So you can play
around with your data.
183:47 - 183:49

Currently, I have limited data.
183:49 - 183:52

So it is showing this
many, only on two records.
183:52 - 183:58

So it will definitely
show you top 20 records.
183:58 - 184:03

And then by default, it will
provide you the bar chart.
184:03 - 184:09

And you can change as
per your requirement.
184:09 - 184:14

And you can top or some other
as per your requirement.
184:14 - 184:21

OK, so just keep
in mind that when
184:21 - 184:25

you click through
any of the side
184:25 - 184:26

bars, so it will
show you top 20.
184:26 - 184:31

Otherwise, it will show
you top 10 records, top.
184:31 - 184:34

Here, there is no
multiple data, so there
184:34 - 184:35

will be a top 10 records.
184:35 - 184:38

So this question
can come in exam.
184:38 - 184:45
184:45 - 184:49

So as you have seen, you
can change the chart.
184:49 - 184:51

You can change the
format as well.
184:51 - 184:53

There are multiple
formats there.
184:53 - 184:58

So General Stack over,
you can do stack,
184:58 - 185:02

or one after on top of that.
185:02 - 185:06

You can have a
Multi-series as well.
185:06 - 185:10

If you want to see the current--
show the data over here,
185:10 - 185:11

you can see it.
185:11 - 185:15

Otherwise, it will show you a
minimum or maximum for data.
185:15 - 185:20

Now, if you see it,
will show you 2, 2.
185:20 - 185:25

Now, minimum, maximum.
185:25 - 185:26

Again.
185:26 - 185:27

It's 2 or 0.
185:27 - 185:29

It means 2 is maximum.
185:29 - 185:33

There is no 0, so
it's showing maximum.
185:33 - 185:36

OK, now on X-axis,
which field do you
185:36 - 185:38

want to keep it on X-axis?
185:38 - 185:42

In which format by default?
185:42 - 185:47

Customize none, or
label how it should
185:47 - 185:50

look like, x-axis or y-axis,
how it should look like.
185:50 - 185:54

You can do that,
label truncation.
185:54 - 185:56

You can do the label
truncation as well, y-axis.
185:56 - 186:02

Similar to x-axis, you can play
around with the y-axis overlay.
186:02 - 186:06

For this also, I have created
video, but overlay, nothing.
186:06 - 186:10

But it will show you the line.
186:10 - 186:13

Whichever you have
selected, the field
186:13 - 186:17

will go off from
the chart, and it
186:17 - 186:22

will create a line chart,
line for that values, OK.
186:22 - 186:29
186:29 - 186:32

These are all the
things I have already
186:32 - 186:38

explained in my previous video,
so please have a look on that.
186:38 - 186:41

So this is how you can play
around with your reports.
186:41 - 186:43

And after doing
this, finally, you
186:43 - 186:49

can go here and save it as a
report, as I mentioned earlier.
186:49 - 186:51

There is one more thing.
186:51 - 186:56

When you switch to
statistics, there is a term
186:56 - 187:00

called data overlay,
field overlay.
187:00 - 187:07

So how it works is, whenever
you create an heat map,
187:07 - 187:09

it will change.
187:09 - 187:14

You change the color from
this to lighter version
187:14 - 187:16

of this color, as
per the values.
187:16 - 187:19

And heat map looks like that.
187:19 - 187:22

And high to low.
187:22 - 187:24

So again, if you
click on that, it
187:24 - 187:30

will show you high
value, as it's only 2.
187:30 - 187:33

if it is 0 somewhere
there, so it
187:33 - 187:37

will show you
lighter of that, OK.
187:37 - 187:40

So it will show you the
lighter value over there.
187:40 - 187:45

So this is all about report.
187:45 - 187:49
187:49 - 187:51

Welcome to my channel.
187:51 - 187:53

Now, this video is about
creating dashboard.
187:53 - 187:58

So, if you have gone through
my last video, in that video,
187:58 - 188:03

I have explained to you about
creating reports and working
188:03 - 188:05

with reports.
188:05 - 188:08

So continue to that video.
188:08 - 188:13

I am going to show you how to
work with a dashboard or what
188:13 - 188:14

exactly what the dashboard is.
188:14 - 188:17

So a definition of
dashboard, a dashboard
188:17 - 188:23

consists of one or more panels
displaying data visually
188:23 - 188:30

in a useful way, such as
events, table, chart, or stats,
188:30 - 188:34

or any other data or
normal events also, you
188:34 - 188:36

can show it in a dashboard.
188:36 - 188:39

So in short, you can
say a dashboard is
188:39 - 188:44

a collection of reports, and
reports has saved searches.
188:44 - 188:49

This is the pure
definition of a dashboard.
188:49 - 188:54

So a report can be used to
create a panel on a dashboard.
188:54 - 188:58

So a dashboard consists
of different panels.
188:58 - 189:03

So we will see how you
can create a panel,
189:03 - 189:08

or how can you add a
report into the dashboard.
189:08 - 189:12

So let's add a report
into the dashboard.
189:12 - 189:14

So this is the
report which I have
189:14 - 189:18

created in my previous video.
189:18 - 189:22

So in this video, I
have already explained--
189:22 - 189:24

in my previous
video, I have already
189:24 - 189:28

explained the detail
about these tabs.
189:28 - 189:34

So now let's go to next tab
of it, creating a dashboard,
189:34 - 189:36

add to a dashboard directly.
189:36 - 189:37

You can create it.
189:37 - 189:40

Add a report from
here to the dashboard.
189:40 - 189:48

So if you have a new dashboard,
so give the detail about it.
189:48 - 189:51

Demo, demo dashboard.
189:51 - 189:55
189:55 - 189:59

OK, And dashboard ID.
189:59 - 190:00

If you don't give
underscore as well,
190:00 - 190:03

it will always take
it as underscore.
190:03 - 190:07

So keep in mind.
190:07 - 190:10

And then the
description is optional.
190:10 - 190:15

One thing to be noticed, if you
have already existing dashboard,
190:15 - 190:18

like see, a few
dashboard are there,
190:18 - 190:21

if you want to add this
report in existing dashboard,
190:21 - 190:22

you can do that.
190:22 - 190:28

Or else, you can save it
as per your requirement.
190:28 - 190:33

So by default, the dashboard
permission is private.
190:33 - 190:37

You can make it public to
share to the application,
190:37 - 190:41

or within a application
to multiple user,
190:41 - 190:46

or a between the apps, you
can share your dashboard,
190:46 - 190:52

as the permission works
similar to any of the report.
190:52 - 191:01

So if you have a panel name in
mind, you can use that panel.
191:01 - 191:08

Or if you want to give a
panel name, you can give it.
191:08 - 191:17

I will give a panel
name as Employee Record.
191:17 - 191:23

OK, so I'm not
using inline search.
191:23 - 191:25

I am using it as a report.
191:25 - 191:30

And also, report, in what
type the report can be,
191:30 - 191:32

a column, chart,
or a statistics.
191:32 - 191:35

So currently, I am
using a statistics,
191:35 - 191:38

so it should be Statistics.
191:38 - 191:40

So for now, drill down.
191:40 - 191:45

Now I will show you how can we
drill down to a particular event
191:45 - 191:47

or drill down from your events.
191:47 - 191:50
191:50 - 191:53

OK, so click on Save.
191:53 - 191:59

So once you click on
Save, it will show you
191:59 - 192:02

the dashboard has been
created, and you may now
192:02 - 192:04

view the dashboard.
192:04 - 192:09

Now, once you
click over here, it
192:09 - 192:13

will show you the actual
dashboard which you
192:13 - 192:17

have created from your report.
192:17 - 192:19

So currently, it's only
a single dashboard.
192:19 - 192:22

so you can create
multiple dashboards.
192:22 - 192:24

This is only a
single panel, which
192:24 - 192:26

says that it's Employee Record.
192:26 - 192:30

You can make a JSON
panel or below panels.
192:30 - 192:34

Let's see how it works.
192:34 - 192:37

So I'm using the word panel.
192:37 - 192:38

So let's have a look.
192:38 - 192:41

Why create panels
for the reports?
192:41 - 192:46

So the first thing, it
is efficient to create
192:46 - 192:48

most dashboard panels
based on the report
192:48 - 192:51

because a single
report can be used
192:51 - 192:54

across the different dashboard.
192:54 - 192:58

One report can be used
for different dashboards.
192:58 - 193:03

This links the report
definition to the dashboard.
193:03 - 193:06

So it will link the report
definition to the dashboard.
193:06 - 193:10

Any changes to the
underlying report
193:10 - 193:15

affect every dashboard panel
that utilizes that report.
193:15 - 193:18

So it's nothing but
calling a function.
193:18 - 193:20

So whenever you are
using that panel,
193:20 - 193:23

this panel, anywhere
you can use this panel.
193:23 - 193:25
193:25 - 193:29

This panel can have multiple
reports or single report.
193:29 - 193:33

So you can use this
panel in other report
193:33 - 193:35

as well, other
dashboards as well.
193:35 - 193:40

So this is beneficial
for reusing your reports
193:40 - 193:41

in multiple dashboards.
193:41 - 193:44
193:44 - 193:47

So let's play around
with the dashboard.
193:47 - 193:53

So first, I will show you
how can you edit the panel.
193:53 - 193:56

So once you have
saved your dashboard,
193:56 - 194:00

so dashboard will
look like this.
194:00 - 194:03

So if you want to do any
modification or anything,
194:03 - 194:05

you want to play around
with the dashboard,
194:05 - 194:08

so you need to click on Edit.
194:08 - 194:13

So here, it will show
you UI, and then next one
194:13 - 194:18

is source code.
194:18 - 194:25

So if you are good
at XML format,
194:25 - 194:31

so you can create a dashboard
in the backend as well.
194:31 - 194:36

So there are many things you
can only create in backend.
194:36 - 194:41

So you should have a little
bit understanding of it.
194:41 - 194:44
194:44 - 194:46

And then the panel,
which I am calling about,
194:46 - 194:47

this is the panel.
194:47 - 194:51

So you can drag and drop if you
have multiple panels over there.
194:51 - 194:54

Let me add one more panel.
194:54 - 195:00

So let's add a second
with add panel.
195:00 - 195:07

So I will add one panel,
like a column chart.
195:07 - 195:14

And again, I will give
it Employee Record.
195:14 - 195:24
195:24 - 195:28

And I need to give a query.
195:28 - 195:32

So this similar query,
I will be using.
195:32 - 195:35
195:35 - 195:37

OK, table.
195:37 - 195:42
195:42 - 195:44

Table name.
195:44 - 195:47

This, I will use the
same query over there.
195:47 - 195:49
195:49 - 195:51

OK.
195:51 - 195:55

Time Picker I have not
used Global Time Picker.
195:55 - 195:59

So let's have a look
on that as well.
195:59 - 196:02

So I will do that.
196:02 - 196:04

I will click on OK.
196:04 - 196:08

It will look like this, and this
is what I was talking about,
196:08 - 196:13

that you can drag
and drop over here.
196:13 - 196:16
196:16 - 196:26

OK, so I was talking
about Time Picker.
196:26 - 196:38

So if you add Time Picker,
so now, in inline query,
196:38 - 196:42

you can see the Time Picker.
196:42 - 196:48

So whenever you change the time,
this report will get changed.
196:48 - 196:51

So in this, how to
do that, if it's
196:51 - 196:53

a different way of doing
it, so I'll show you
196:53 - 196:59

in my upcoming video, how can
you change the report Time
196:59 - 197:02

Picker value over there.
197:02 - 197:07

OK, so the next
will be, here you
197:07 - 197:13

can see more values, one or
more values, here more actions.
197:13 - 197:17

So in that, this action,
two things can be there.
197:17 - 197:20

One is Drilldown option.
197:20 - 197:23

So Drilldown option, what
do you exactly want to do?
197:23 - 197:28

First, the automatic
will be linked to search.
197:28 - 197:32

So whenever you will
click on any of this,
197:32 - 197:37

it will link to the search,
and multiple options are there.
197:37 - 197:39

No actions linked
to the dashboard,
197:39 - 197:43

linked to report link, to URL
manage token on this dashboard.
197:43 - 197:45

So these are the multiple
options that are there.
197:45 - 197:48

This will come in
advanced version.
197:48 - 197:52

But for now, you
need to understand
197:52 - 197:55

that these many
options are there, OK.
197:55 - 197:59

And once you click over
here, you need to apply it.
197:59 - 198:02

So the next option on this is--
198:02 - 198:05
198:05 - 198:09

[INAUDIBLE] is
nothing, means nothing,
198:09 - 198:12

but it will show
you different values
198:12 - 198:16

for different forms,
because this, again, it
198:16 - 198:17

will be the advanced one.
198:17 - 198:23

So I'm not showing
you over here.
198:23 - 198:29

So once you save it with this
option, Drilldown option,
198:29 - 198:33

once you save it, now
if I click over here,
198:33 - 198:40

it will redirect you
to city equal to Pune.
198:40 - 198:44

If you can see it, it is showing
me should city equal to Pune,
198:44 - 198:46

and the name equal to.
198:46 - 198:50

Whatever the things will
be there, it will show you.
198:50 - 198:52

Like, I have clicked over here.
198:52 - 198:55

So it will show you
name equal to this,
198:55 - 199:00

and then name equal to Kabeer,
and then city equal to Pune.
199:00 - 199:03

Like see, I clicked over here.
199:03 - 199:08

It is drilling down me
to that particular event.
199:08 - 199:11

So similarly, also
time range, it
199:11 - 199:14

will pick the same time range,
which is present over there.
199:14 - 199:19
199:19 - 199:25

OK, so this is about drilldown,
and then it's visualization.
199:25 - 199:30

So next can be if I
go to the dashboard.
199:30 - 199:34

If I do not have
permission to edit
199:34 - 199:39

this dashboard, what you can
do is, I can go and clone
199:39 - 199:40

the dashboard.
199:40 - 199:43

I want to change--
199:43 - 199:49
199:49 - 199:52

clone self for temp.
199:52 - 199:56

Temp, and I will clone it.
199:56 - 200:00

So you can see it over here.
200:00 - 200:03

It's cloned, and then
all the things will be.
200:03 - 200:05

And you can change as
per your requirement.
200:05 - 200:09

The search can be changed
when you click over
200:09 - 200:11

here on the filter.
200:11 - 200:14

You can do all other
operations as well.
200:14 - 200:16

You want to select
the visualization,
200:16 - 200:19

you can select the
visualization under the panel.
200:19 - 200:22

See, you can see the
visualization formatting.
200:22 - 200:26

You can change the formatting
as you have done on the reports.
200:26 - 200:29

All the formatting
can be done here.
200:29 - 200:32
200:32 - 200:33

Here, everything can
be done, which you
200:33 - 200:35

have performed with the report.
200:35 - 200:37

So it's treated as
a single report.
200:37 - 200:47

And the combination of it,
or when you clubbed together
200:47 - 200:52

these reports, it will
form it as a dashboard, OK.
200:52 - 200:59

So if you have done
any changes, it
200:59 - 201:06

will highlight you the
Save panel, Save option.
201:06 - 201:07

Otherwise, it won't
show anything.
201:07 - 201:12

Just you cancel it
and you move ahead.
201:12 - 201:15
201:15 - 201:19

Now, Next one in this
is, what you can do
201:19 - 201:22

is edit, export and print.
201:22 - 201:29

You can export your
dashboard to PDF,
201:29 - 201:35

and if you want to send this
PDF to your customer or anyone,
201:35 - 201:36

you can send it.
201:36 - 201:41

So this is how it will
look like in the PDF format
201:41 - 201:43

when you download it.
201:43 - 201:47
201:47 - 201:48

OK.
201:48 - 201:52

This is a very useful
feature when you want to--
201:52 - 201:56

because the dashboard, there
is a limitation of dashboard.
201:56 - 201:59

You cannot send this
dashboard as an email,
201:59 - 202:04

so the best way you just
download it as a PDF,
202:04 - 202:10

and this PDF can be
sent in the email.
202:10 - 202:20

OK, so one more main thing,
good thing about dashboards
202:20 - 202:25

are, you can set this dashboard
as a home page, home page
202:25 - 202:26

dashboard.
202:26 - 202:28

So you can choose it over here.
202:28 - 202:31

From here, you can choose it.
202:31 - 202:34

I can select the dashboard
which I have created.
202:34 - 202:41
202:41 - 202:44

Choose a dashboard demo.
202:44 - 202:47

OK, save.
202:47 - 202:52

So whenever I will log in,
I can see these dashboards.
202:52 - 202:55
202:55 - 203:01

OK, let me log in and log
out, and log in once again.
203:01 - 203:13

So [INAUDIBLE].
203:13 - 203:16

Logging in, it will show
me the same dashboard
203:16 - 203:18

which I have created.
203:18 - 203:24
203:24 - 203:29

So guys, that's it
about the video.
203:29 - 203:30

Let me show you
how can you search
203:30 - 203:37

for the dashboard which are
there already in your record.
203:37 - 203:41

So whenever you click
on Search and reporting,
203:41 - 203:43

there are multiple
tabs there where
203:43 - 203:45

you can see the reports alerts.
203:45 - 203:47

And here, you can
see the dashboard
203:47 - 203:48

which you have created.
203:48 - 203:51
203:51 - 203:54

So please follow the
naming convention as well.
203:54 - 203:57

I have created demo
dashboard, for which purpose
203:57 - 204:01

you have created to
put underscore, email,
204:01 - 204:03

employee record or something.
204:03 - 204:06

So I should have created,
but it's OK for now.
204:06 - 204:09

So just bear in mind about
the naming convention.
204:09 - 204:11

So guys, that's it
about the video.
204:11 - 204:12

Thanks.
204:12 - 204:15
204:15 - 204:16

Welcome to my channel.
204:16 - 204:23

So the next topic will be
scheduling reports and alerts.
204:23 - 204:26

So in this video, I'll be
covering scheduling the reports.
204:26 - 204:34

So before we start, just we want
to know why we schedule reports.
204:34 - 204:39

So scheduling reports
are useful for
204:39 - 204:45

monthly, weekly, daily executive
managerial role of reports.
204:45 - 204:55

So by doing scheduling reports,
so management or upper level,
204:55 - 204:59

they can see the reports, how
their business is performing,
204:59 - 205:03

how a particular
flow is behaving.
205:03 - 205:07

So the next point can be
a dashboard performance.
205:07 - 205:09

So by sharing a
report, we can increase
205:09 - 205:11

the performance of a dashboard.
205:11 - 205:17

And the next one can be
automatically sending
205:17 - 205:22

reports via email, so when
you schedule a dashboard
205:22 - 205:25

so you can send a
report automatically
205:25 - 205:27

to someone's inbox.
205:27 - 205:32

So these are the few benefit
of scheduling the reports.
205:32 - 205:42

So how can we create a
scheduler for the report?
205:42 - 205:46

So this is the search bar.
205:46 - 205:49

So you need to type, write
some query over here.
205:49 - 205:52

I have already written a query.
205:52 - 205:55

So this will be the query.
205:55 - 206:01

And also, it's similar
to my previous video.
206:01 - 206:05

I have mentioned how
can we create a report.
206:05 - 206:09

So here, we can give a name.
206:09 - 206:12

So it can be
IT_Report_EmpRecord.
206:12 - 206:26
206:26 - 206:27

EmpRecord.
206:27 - 206:32

Here, I am putting, this can be
the description, can be "Demo."
206:32 - 206:38
206:38 - 206:44

So if you do not want to, so the
time picker can be a scheduler.
206:44 - 206:48
206:48 - 206:49

It will pick a scheduler report.
206:49 - 206:54

So once you do that, it will ask
for several options, Permission,
206:54 - 206:57

Schedule, Acceleration
and Embed.
206:57 - 207:00

So here, you can
schedule that report.
207:00 - 207:02
207:02 - 207:04

Click over here.
207:04 - 207:08
207:08 - 207:10

Once you do that,
you need to click
207:10 - 207:12

whether you want to schedule.
207:12 - 207:13

Yes.
207:13 - 207:16

Once you schedule it,
a different option
207:16 - 207:19

will come, how often
you want to schedule.
207:19 - 207:25

So weekly, every hour, every
day, every month, every week,
207:25 - 207:28

every month, or cron job.
207:28 - 207:33

So for cron job, you need to
know how the cron job works.
207:33 - 207:40

So currently, I
am putting hourly.
207:40 - 207:45

Now, the second term with time
range, how far the data you
207:45 - 207:46

want to fetch.
207:46 - 207:53

Do you want the data for last 15
minutes, 60 minutes, or 4 hours,
207:53 - 207:55

or so on, or for all?
207:55 - 207:59

It's not a good practice
to select for all,
207:59 - 208:02

because it will impact your
performance and search will not
208:02 - 208:05

get completed if it's the
huge data will be there
208:05 - 208:09

and relative time
you can put it.
208:09 - 208:13

There are different advanced
time ranges also there.
208:13 - 208:16

So this is how you can
select the time range.
208:16 - 208:19
208:19 - 208:27

So I will select the
time range as weekly.
208:27 - 208:34

And if you say weekly,
it will ask on which day
208:34 - 208:38

the report will
run, and what time.
208:38 - 208:42

So currently, I'm
keeping it as it is, OK.
208:42 - 208:49
208:49 - 208:51

So by this, as I
already explained it,
208:51 - 208:53

you need to select
the time range.
208:53 - 208:56

And priority, what can
be the priority of it?
208:56 - 209:02

Highest priority, or highest
priority, or by default?
209:02 - 209:04

It can come.
209:04 - 209:07

Window, schedule window.
209:07 - 209:12

If you want to put a schedule
window, you can do that as well.
209:12 - 209:19

So a schedule window
is nothing but a report
209:19 - 209:23

run for that particular window.
209:23 - 209:25

Whenever the multiple
reports are there,
209:25 - 209:27

the report will run for
that particular window.
209:27 - 209:31

This will help whenever the
multiple reports are there,
209:31 - 209:34

and those are queuing up.
209:34 - 209:38

So it will give you a
relaxation of that window
209:38 - 209:42

in that this particular
window, the report should work.
209:42 - 209:43

It should run.
209:43 - 209:47

OK, so the definition of it
can be a schedule window.
209:47 - 209:51

This setting determines a
time frame to run the report.
209:51 - 209:54

If there is other
reports scheduled
209:54 - 209:58

to run at the same time,
you can provide a window
209:58 - 210:00

in which to run the report.
210:00 - 210:02

This setting
provides a efficiency
210:02 - 210:05

to schedule several
reports or run.
210:05 - 210:07

So this is the benefit of it.
210:07 - 210:13
210:13 - 210:16

So once you select
all these options,
210:16 - 210:19

once you checked
all these options,
210:19 - 210:23

you also have option
of triggering an alert.
210:23 - 210:26

So there are multiple
options as a log event,
210:26 - 210:33

output result to lookup, output
result to telemetry endpoints.
210:33 - 210:37

Run scripts, send
email, webhook.
210:37 - 210:43

These by default comes
with the Splunk version.
210:43 - 210:50

So event, log event, creates an
index, searchable log events.
210:50 - 210:57

So if you want to put the
event of that in the index,
210:57 - 210:57

so you can do that.
210:57 - 211:00

Output result to
Outlook, send result
211:00 - 211:05

to a result offer of
search to CSV lookup files.
211:05 - 211:08

So through that,
you can do that.
211:08 - 211:12

Output result to
telemetry endpoints,
211:12 - 211:15

send you usage
metrics back to Splunk
211:15 - 211:20

if your company has
opted in the program.
211:20 - 211:25

So you can send the
output to Splunk back.
211:25 - 211:27

OK, I run a script.
211:27 - 211:31

You can run a script over here,
send an email and webhook.
211:31 - 211:36

You can send through webhook,
you can send a data to UI,
211:36 - 211:40

send data to UI through that.
211:40 - 211:43

Now, we are going to choose
option of sending email.
211:43 - 211:48

So through that, you
can send an email here.
211:48 - 211:51

You need to give
an email address.
211:51 - 212:00

So [INAUDIBLE].
212:00 - 212:03
212:03 - 212:09

So it can show you
CC and BCC as well.
212:09 - 212:14

Here, if you want to give
a priority of a report,
212:14 - 212:16

you can give it.
212:16 - 212:23

Now, if you want to use
any field from your output,
212:23 - 212:27

so you can enclose in between
these signs, dollar signs.
212:27 - 212:37

And otherwise, you can
just tell Employee Record.
212:37 - 212:43

So Employee Record.
212:43 - 212:45

Now, message.
212:45 - 212:50

Message, again, if you want
to put field in the message,
212:50 - 212:54

so you need to enclose
in between these signs
212:54 - 212:58

and write whatever you
want to write over here.
212:58 - 213:01

Also, multiple
options are there.
213:01 - 213:10

If you want, you can
link to a report.
213:10 - 213:13

Like it will come with a
message, link to report,
213:13 - 213:16

link to result, result string.
213:16 - 213:18

It will show the result
string in line table.
213:18 - 213:24

Or if you want to attach any
of this result as a CSV or PDF,
213:24 - 213:25

you can do that.
213:25 - 213:33

So once you save it,
let's verify everything.
213:33 - 213:34

Everything is fine.
213:34 - 213:38
213:38 - 213:44

So once you save it,
you can see the alert
213:44 - 213:49

will run for Monday this
time, and for 24 hours.
213:49 - 213:55

Currently, it has not run, so
there is no result over here.
213:55 - 213:58

And how can you see this?
213:58 - 214:02

So you have to go to, first
of all, in [INAUDIBLE],
214:02 - 214:04

you have to go to Reports.
214:04 - 214:07
214:07 - 214:08

Search for this report.
214:08 - 214:11

So you can see it over here.
214:11 - 214:16

The report, the next one
is for this time, OK.
214:16 - 214:19

And other things, private,
public, you can see it.
214:19 - 214:21

And Edit option,
through that, there
214:21 - 214:26

are multiple edit options, as
I mentioned in my report video.
214:26 - 214:30

With report these options,
you can see the report as well
214:30 - 214:31

as well as with the scheduler.
214:31 - 214:36

So description, you can
change the description.
214:36 - 214:44

You can assign a permission,
assign to app or in between app,
214:44 - 214:48

or in this app to all the users.
214:48 - 214:52

Or you can share
between the apps.
214:52 - 214:55

So this is how you can edit it.
214:55 - 215:01
215:01 - 215:06

So there are a few more options
there, Accelerate and Clone,
215:06 - 215:09

cloning this report, or Embed.
215:09 - 215:11

Once you click on
Embed, it will show you
215:11 - 215:20

how directly you can embed any
of the things, or HTML-based.
215:20 - 215:22

These are HTML-based.
215:22 - 215:27

You can copy and
use it anywhere.
215:27 - 215:29
215:29 - 215:33

OK, so this is all
about scheduling report.
215:33 - 215:39

So once you schedule it,
it will run for this time,
215:39 - 215:41

and you will get the email
on email notification
215:41 - 215:45

and your mailbox, whatever
options you have chosen.
215:45 - 215:48

If you have chosen,
the report should
215:48 - 215:52

go in CSV format or PDF format.
215:52 - 215:56

You will get the report
in that particular format.
215:56 - 215:59

So that's it for now.
215:59 - 216:04
216:04 - 216:05

Hi, friends.
216:05 - 216:09

In my previous video, we have
seen how to schedule a report.
216:09 - 216:14

So in this video, I am going
to tell you what is an alert
216:14 - 216:20

and how can we schedule
alert in our environment.
216:20 - 216:23

So before that, what are alerts?
216:23 - 216:26

So first, Splunk
alerts are based
216:26 - 216:33

on searches that can run
either on a regular schedule
216:33 - 216:36

interval or a real time.
216:36 - 216:39

So the alert should
be scheduled,
216:39 - 216:42

or it can be in real time.
216:42 - 216:46

So alerts are triggered
when a result of search
216:46 - 216:49

meets a specific
condition that you define.
216:49 - 216:52

So whenever you are
going to create an alert,
216:52 - 216:55

so it is searching for
a specific condition
216:55 - 216:59

that you are going to trigger
for any specific alert.
216:59 - 217:04

So based on your need,
alert can create an entry
217:04 - 217:11

and trigger alert, login
event, output result to lookup,
217:11 - 217:15

send email, use webhook,
perform custom action.
217:15 - 217:19

So these all are
actions you can perform.
217:19 - 217:29

So let's have a look how
can we create an alert.
217:29 - 217:33

So when you are creating alert,
you should know on which search
217:33 - 217:36

you are going to create an
alert, or for which data
217:36 - 217:38

you are going to
create an alert.
217:38 - 217:43

So I have data already ingested
in my environment, my POC
217:43 - 217:44

environment.
217:44 - 217:49

So similarly, you can ask
in your POC environment,
217:49 - 217:52

or if you are performing
this action in production.
217:52 - 217:55

So there should be a
search written already,
217:55 - 217:58

and there should
be some criteria.
217:58 - 218:02

On that basis, you are
going to set a threshold,
218:02 - 218:04

and you will get
the alert out of it.
218:04 - 218:07

So this is my
simple query, where
218:07 - 218:11

I am going to get
the age of employees
218:11 - 218:12

which is greater than 30.
218:12 - 218:15

So when I go here, I
will search for it.
218:15 - 218:20

And this is the event which
I'm getting it over here.
218:20 - 218:24

So how I can change it in alert?
218:24 - 218:29

So as we have seen
for saved search also,
218:29 - 218:36

we need to, saved search,
we need to run Save As.
218:36 - 218:38

So here, you can see it.
218:38 - 218:41

First option is Report,
second is Dashboard,
218:41 - 218:43

and third one is Alert.
218:43 - 218:45

So you need to click on Alert.
218:45 - 218:47

So once you go in
Alert, first you
218:47 - 218:49

need to give the title of it.
218:49 - 218:55

So I can give IT.
218:55 - 218:58

So you need to follow the
naming convention as well.
218:58 - 219:03

Alert and AgeGreater30.
219:03 - 219:15
219:15 - 219:19

So description, I am
putting it as "Demo."
219:19 - 219:21

You can put as per
your requirement.
219:21 - 219:24

So the description
should be there.
219:24 - 219:29
219:29 - 219:31

The next part, the permission.
219:31 - 219:36

So permission, this
permission, similarly, we
219:36 - 219:40

have checked on permission
on reports or dashboards.
219:40 - 219:42

So similarly, this
permission will work.
219:42 - 219:47

So if you keep it
private, the alert
219:47 - 219:51

or the search behind the
alert, only you can see it.
219:51 - 219:55

Nobody else can see it.
219:55 - 220:00

By default, it's private, and
you can share it through app
220:00 - 220:00

as well.
220:00 - 220:04

So now, if you want
to schedule it,
220:04 - 220:07

so this is what we
are talking about.
220:07 - 220:09

An alert can be
scheduled or real time.
220:09 - 220:10

So if you want to
schedule it, you
220:10 - 220:14

can schedule it for
any specific time.
220:14 - 220:19

If it's a real time, the alert
will be running real time,
220:19 - 220:24

and you need to specify the
expiry date of the alert.
220:24 - 220:25

If it's running
for a long time, it
220:25 - 220:28

will expire in
this specific time.
220:28 - 220:34

So by default, it
comes as a schedule.
220:34 - 220:37

And whatever schedule
you want to provide,
220:37 - 220:39

you can provide the
schedule over here,
220:39 - 220:43

how often it checks
the employee data.
220:43 - 220:49

So daily, hourly, weekly,
monthly, or any specific cron
220:49 - 220:53

job, or specific certain
time you want to schedule it.
220:53 - 220:57

So you can schedule it.
220:57 - 221:00

So I am selecting hourly basis.
221:00 - 221:03
221:03 - 221:07

So before that, just we
can see the difference
221:07 - 221:12

between alert type, alert type,
like Scheduled and Real-time.
221:12 - 221:16

The Scheduled alerts search
run at a definite interval,
221:16 - 221:22

and evaluate a trigger condition
when the search completes, OK.
221:22 - 221:28

And the Real-time one is, the
real-time alert search runs
221:28 - 221:30

constantly in the background.
221:30 - 221:33

It will run constantly
in the background.
221:33 - 221:35

Second one, evaluate
trigger condition
221:35 - 221:40

within a window of a time based
on the condition you define.
221:40 - 221:42

So it will check for
it within a window.
221:42 - 221:45

This window, it will
check whatever time you
221:45 - 221:47

have defined in that window.
221:47 - 221:51

It will check for the data, OK,
whatever time you have defined.
221:51 - 221:57

So this is the
difference between type.
221:57 - 222:01

Now, schedule setting,
as I already mentioned,
222:01 - 222:04

this many number of
schedule settings are there.
222:04 - 222:07

So you can define whatever
you want as per your need.
222:07 - 222:14

Now, there are certain scheduled
condition, trigger condition.
222:14 - 222:18

So there are a number
of trigger conditions,
222:18 - 222:22

like when the alert
will get triggered, OK.
222:22 - 222:27

The number of results, as
you can see, you have already
222:27 - 222:32

given a query, that
meeting your condition,
222:32 - 222:34

if there is any
event or such event
222:34 - 222:37

is coming, triggering
this alert.
222:37 - 222:42

Number of hosts, if number of
hosts are greater than or less
222:42 - 222:47

than something, so you
can trigger an alert.
222:47 - 222:51

Number of sources, whatever the
source are there, or custom.
222:51 - 222:56

So custom, you can
define your own field
222:56 - 222:58

is greater than or
less than or something
222:58 - 223:00

you can define over here.
223:00 - 223:03

So let's say if you define
a number of results.
223:03 - 223:09

So here, you can apply a
condition that is greater than,
223:09 - 223:12

is less than, is equal
to, is not equal to,
223:12 - 223:14

drop by, or rise by.
223:14 - 223:18

So drop by, rise by, that
means for a certain percentage,
223:18 - 223:22

it's dropping or rising so
you can trigger an alert.
223:22 - 223:25

So for now, I am
giving greater than 0.
223:25 - 223:29

That means if the age
is greater than 30,
223:29 - 223:32

so it triggers an alert.
223:32 - 223:33

So this is the simplest one.
223:33 - 223:40

Now, trigger an alert
once or for each result.
223:40 - 223:46

Suppose in my result, there
are multiple rows out there,
223:46 - 223:48

or multiple events are there.
223:48 - 223:53

So whether you want to
trigger the alert for only
223:53 - 223:57

once or for each event.
223:57 - 224:01

If the search query is
like here, if you can see,
224:01 - 224:03

if search query is
giving more than one
224:03 - 224:08

result, so the alert will get
triggered for multiple records.
224:08 - 224:12

So in this condition, it
won't trigger anything.
224:12 - 224:20

So I will create one more alert.
224:20 - 224:25

Alert, and AgeGreater30.
224:25 - 224:35
224:35 - 224:39

Demo, and everything,
I'll keep as it is.
224:39 - 224:40

Hourly.
224:40 - 224:45

And similarly, the
number of results.
224:45 - 224:46

And this is the same thing.
224:46 - 224:49
224:49 - 224:51

This is very important.
224:51 - 224:52

Throttle, throttle.
224:52 - 224:57

That means you
want to suppress--
224:57 - 225:00

if there are many
events out there,
225:00 - 225:03

the flood of events
out there, so you
225:03 - 225:05

can suppress that
flood of events
225:05 - 225:08

by setting this condition.
225:08 - 225:11

OK, so suppress the event.
225:11 - 225:15

Similar event coming
for 60 seconds.
225:15 - 225:20

Or if you are running
query for every 10 minutes,
225:20 - 225:24

if you do not want, the similar
alert for next 60 minutes.
225:24 - 225:25

So you can define over here.
225:25 - 225:28

So likewise, you can
do or day or something
225:28 - 225:29

whatever you want to.
225:29 - 225:32

So suppress a event
for certain time.
225:32 - 225:37

If that time-- beyond that time,
again, trigger one more alert
225:37 - 225:42

and wait for another 60
minute or 60 seconds.
225:42 - 225:45

OK, after this, there
is main condition.
225:45 - 225:48

Once all this
condition is fulfilled,
225:48 - 225:51

now you have to
trigger an action.
225:51 - 225:53

So action can be multiple.
225:53 - 226:00
226:00 - 226:06

So before that, just have
a look once and for each.
226:06 - 226:11

When you select once, what is
the difference in throttling?
226:11 - 226:15

And once you search for
this, for each condition,
226:15 - 226:20

for each event, you need to
define a specific field on which
226:20 - 226:22

you want to suppress the alert.
226:22 - 226:27

Or for that, like say here,
we are searching for age.
226:27 - 226:30

So age should be
the field on which--
226:30 - 226:36

if age is greater than
30, if you are getting
226:36 - 226:38

those alerts
continuously, suppress it
226:38 - 226:43

for the next 60 minutes.
226:43 - 226:48

And then, again,
release a new event.
226:48 - 226:53

OK, so I hope this is clear.
226:53 - 226:55

So the next point
is very important,
226:55 - 226:58

our trigger condition.
226:58 - 226:59

Now, trigger
condition, there are
226:59 - 227:00

number of trigger conditions.
227:00 - 227:05

One, add alert.
227:05 - 227:09

Add to trigger an alert.
227:09 - 227:11

Log events.
227:11 - 227:14

Output result to lookup.
227:14 - 227:16

Output result to
telemetry endpoint.
227:16 - 227:17

Run a script.
227:17 - 227:20

Send an email or webhook.
227:20 - 227:24

It's similar to I
mean, I have already
227:24 - 227:28

explained in one of my videos,
so you can have a look on that.
227:28 - 227:29

So trigger an alert.
227:29 - 227:37

So for this tutorial, I am
just choosing to send an email.
227:37 - 227:52

So once you give that, you
need to view email address.
227:52 - 228:00

And BCC or CC, you can
put it, and you can
228:00 - 228:04

define a priority of an email.
228:04 - 228:05

[INAUDIBLE] the priority.
228:05 - 228:07

If it's high, you
can put it high.
228:07 - 228:10

Here, subject.
228:10 - 228:13

If you need some data
from your results,
228:13 - 228:21

you need to enclose it in
between the dollar sign.
228:21 - 228:36

So Age Alert For Employee.
228:36 - 228:49
228:49 - 228:50

Age Alert For Employee.
228:50 - 228:53
228:53 - 229:01

Employee Age Greater
Than Age, and say.
229:01 - 229:02

age.
229:02 - 229:11

So it will come as 30 when it
comes in the email subject.
229:11 - 229:14

So similarly, if you want to
define anything in the message,
229:14 - 229:14

you can do it.
229:14 - 229:19

And if you want to use
it, you use it too.
229:19 - 229:24

So also similar to
Scheduled Report,
229:24 - 229:29

you can use any
of this parameter.
229:29 - 229:32

So you want to
link an alert link,
229:32 - 229:37

a result search string table,
you want result in attached CSV
229:37 - 229:41

format, trigger condition,
specific trigger time,
229:41 - 229:47

or you want to attach it in PDF.
229:47 - 229:53

So I'm keeping it as it is
and attaching it to PDF.
229:53 - 229:57

Now, if I save it, it will
ask for the permission.
229:57 - 230:00
230:00 - 230:04

OK, I'm using a
free-trial version,
230:04 - 230:06

so shared schedule
will not work.
230:06 - 230:12

Otherwise, like in a
full-fledged version,
230:12 - 230:14

it will work.
230:14 - 230:18

So if you want to work
around the permission
230:18 - 230:20

so you can have a
look on permission,
230:20 - 230:22

if you want to change the
permission of this app,
230:22 - 230:25

currently it's
owned by yourself,
230:25 - 230:29

so nobody can see it, though
the alert condition will
230:29 - 230:30

get triggered.
230:30 - 230:34

And if you want to share it
in the app, you can do it,
230:34 - 230:37

or among the apps,
again, you can do it.
230:37 - 230:47

So once you save it, it
will land you to this page
230:47 - 230:51

where it shows the alert
name, whatever the alert name,
230:51 - 230:54

description, and
Enabled or Disabled.
230:54 - 230:56

Currently, it's enabled.
230:56 - 230:57

If you want to disable
it, disable it.
230:57 - 231:01

And App, you can
specify the app as well.
231:01 - 231:04

Permission, what
permission you have.
231:04 - 231:05

Modified, last modified.
231:05 - 231:09

Alert Type, Scheduled,
Hourly basis.
231:09 - 231:12

Hourly basis, or if you want
to edit it, you can do it.
231:12 - 231:16

Trigger Condition, number of
alerts and the trigger condition
231:16 - 231:17

or action.
231:17 - 231:20

The action here you
specified, email,
231:20 - 231:23

or if you specified
some other action,
231:23 - 231:27

it will specify
that action as well.
231:27 - 231:32

If you want to edit the
alert, you can go ahead, edit.
231:32 - 231:37

It's similar to edit which
we have applied on search
231:37 - 231:39

scheduling or search reporting.
231:39 - 231:43

So similarly, you
can do the editing.
231:43 - 231:47

Open in search, that's similar.
231:47 - 231:50

If you right-click on this,
it will open in search
231:50 - 231:53

bar. the search which you
have written will open.
231:53 - 231:57

There, now the second
one, Edit Alert
231:57 - 231:58

if you want to do some edit.
231:58 - 232:03

But remember, you will not be
able to change the name of it.
232:03 - 232:12

You have to delete, and
you have to again create
232:12 - 232:14

a new report with another name.
232:14 - 232:17

OK, so here you
can edit whatever
232:17 - 232:22

you want apart from name.
232:22 - 232:24

So again, permission.
232:24 - 232:27

You can change the permission.
232:27 - 232:29

And disable.
232:29 - 232:30

And you want to clone it.
232:30 - 232:31

You can clone it.
232:31 - 232:34
232:34 - 232:40

So if you want to see alerts, so
definitely, you can go to alerts
232:40 - 232:45

and see the alerts
that you have created.
232:45 - 232:47

So here, you can do
whatever operation
232:47 - 232:48

I was showing over there.
232:48 - 232:51

You can do it over here.
232:51 - 232:55

So severity means if you want to
see alerts, which is triggered
232:55 - 233:02

with this, this field.
233:02 - 233:07

You can go to this
page directly,
233:07 - 233:08

and you can see whatever.
233:08 - 233:12

If any alert has been triggered,
it will show it over here,
233:12 - 233:17

and you can check how it is
performing or how it is working.
233:17 - 233:20

And also, if
related to this, you
233:20 - 233:24

want to see any job activity,
so you can go to here
233:24 - 233:29

and see if any action
has been triggered.
233:29 - 233:35

In activity, you need to go to
an activity and trigger alerts.
233:35 - 233:40

If you know the detail about
it, you can see it over here.
233:40 - 233:41

OK.
233:41 - 233:44
233:44 - 233:46

So that's it about the video.
233:46 - 233:49

Let's have a quick
look on the summary.
233:49 - 233:50

So what is alert?
233:50 - 233:54

Alerts are based on
the saved search,
233:54 - 233:57

and that can be run
on regular interval
233:57 - 234:00

or it can be a real-time alert.
234:00 - 234:02

Alerts are triggered when
the results of search
234:02 - 234:05

meet a specific condition
that you define,
234:05 - 234:08

and based on your
need, alert can
234:08 - 234:12

create an entry in
triggered alert,
234:12 - 234:17

log event, output
result to lookup file,
234:17 - 234:21

send email, use webhook,
perform a custom action.
234:21 - 234:26

So we have talked about
how can we create alert.
234:26 - 234:29

So before that, you
need to know the query
234:29 - 234:32

on which you need to trigger
an alert and alert condition.
234:32 - 234:36

So you can create. similarly,
the alert, you can create,
234:36 - 234:43

go to Save As, and
you create an alert,
234:43 - 234:49

and define everything
over here, and save it.
234:49 - 234:54

And there, we have talked
about the permission alerts
234:54 - 234:58

and how can we schedule it.
234:58 - 235:01

And we have talked
about alert condition,
235:01 - 235:05

trigger condition on which
condition you can trigger.
235:05 - 235:11

We have talked about
once or for each result,
235:11 - 235:12

how can you trigger an alert.
235:12 - 235:18

And accordingly, we have
seen the throttle value,
235:18 - 235:24

how can we suppress the
unnecessary noise if you do not
235:24 - 235:25

want it.
235:25 - 235:29

And there are multiple events,
and multiple trigger actions
235:29 - 235:30

are there.
235:30 - 235:32

So these are the
trigger actions.
235:32 - 235:35

So I have chosen email one.
235:35 - 235:38

So also you can
choose a log event,
235:38 - 235:43

log event where you can give
a log event to a specific--
235:43 - 235:47

you need to put an event,
and you can ingest the data
235:47 - 235:50

in the index.
235:50 - 235:55

So this, by default,
it's going to index main.
235:55 - 235:58

Then you can define host
or source type or anything
235:58 - 235:59

you want to.
235:59 - 236:00

Here, you can define.
236:00 - 236:06

So there can be multiple
actions in one alert.
236:06 - 236:08

So you can define
multiple actions,
236:08 - 236:12

like see, log, and as
well as send email.
236:12 - 236:18

So once you finish
it, you just save.
236:18 - 236:25

And you can see this browser.
236:25 - 236:28

Where is it?
236:28 - 236:31

This browser, you can see
it, and here, all the details
236:31 - 236:33

about the alert is there.
236:33 - 236:36

And you can do all
the other operations,
236:36 - 236:40

and you can edit your alert.
236:40 - 236:44

If you want to see any
alerts triggered with you,
236:44 - 236:47

alert which you have
created, go to Trigger Alert.
236:47 - 236:49

From Activity, Trigger Alert.
236:49 - 236:55

Go over here, and you can see
you need to select the options.
236:55 - 236:57

And you can see whatever the
alert has been triggered.
236:57 - 237:01

So this is all
about the scheduling
237:01 - 237:04

alert and creating alerts,
and editing alerts.
237:04 - 237:08

So thanks for watching the
video and have a good day.
237:08 - 237:12

Title:: Full Course | Splunk Search and Reporting | All You Need To Know | Zero To Expert.
Description:: more » « less
Video Language:: English
Duration:: 03:57:12

OE Tech edited English subtitles for Full Course | Splunk Search and Reporting | All You Need To Know | Zero To Expert.

English subtitles

Revisions

Revision 1 Uploaded

OE Tech

Full Course | Splunk Search and Reporting | All You Need To Know | Zero To Expert.

Revisions

Our website uses cookies

Operating cookies (Required)