top of page
Splunk Training Provider Authorised Learning Partner Australia

Advanced Searching and Reporting - Legacy Course Information

The Advanced Searching and Reporting course focuses on more advanced search and reporting commands. Scenario-based examples and hands-on challenges enable users to create robust searches, reports, and charts. Students are coached step by step through complex searches to produce final results. 

​

Major topics include optimizing searches, additional charting commands and functions, formatting and calculating results, correlating events, and using combined searches and sub-searches.

​

This Advanced Searching and Reporting Splunk Courses have been replaced by shorter Splunk single-subject course modules, this page have been retained to assist customers.

 

To see which courses have replaced Advanced Searching and Reporting and book the equivalent course click here Single-subject to Multi-subject course mapping.

 

Alternatively contact one of our Training Consultants on 1300 245 802 or email sales@ingeniq.com.au 

​

Advanced Searching and Reporting - Legacy Course Information

Extremely proficient at controlling the pace of training. Great explanation of answers & not just reading the content. Very knowledgeable about all content. Looking forward to completing the rest of the of the class.

Highly recommended.

Participant, Splunk Enterprise Data Administration

Advanced Searching and Reporting - Legacy Course Information
Advanced Searching and Reporting - Course Topics

  • Using Search Efficiently

  • More Search Tuning

  • Manipulating and Filtering Data

  • Working with Multivalue Fields

  • Using Advanced Transactions

  • Working with Time

  • Combining Searches

  • Using Subsearches

Class Format

Instructor-led lecture with labs. Delivered via virtual classroom or at your site

Course Prerequisites

Splunk Fundamentals 1

Splunk Fundamentals 2

Splunk Fundamentals 3

Highly recommend 6 months experience with the Splunk search language

​

Related Certifications

Splunk Core Certified Advanced Power User
Splunk Core Certified Consultant

Advanced Searching and Reporting - Audience

Anyone within a technical role who needs to utilise more complex searches or reports or are looking to become Splunk certified.

Previous attendees have included Consultants, IT Administrators, Data Scientists, Security and Risk Professionals and Solution Architects.

After completing Advanced Searching and Reporting course you will be able to

  • Extend your basic search language knowledge

  • Understand and use sub-searches

  • Create advanced visualisations using extended search language

  • Identify events before or after events

  • Use advanced lookups

  • Understand and be able to use the DB Connect App

Advanced Searching and Reporting - Legacy Course Information
Advanced Searching and Reporting - Course Objectives

Module 1 – Using Search Efficiently

  • Review search architecture

  • Understand how the components of a bucket (.tsidx an djournal.gz files) are used

  • How bloom filters are used to improve search speed

  • Describe the parts of a search string

  • Understand the use of centralized vs. distributable commands

  • Create better searches

Module 2 – More Search Tuning

  • Understand how segmenters are used in Splunk

  • Use lispy to reduce the number of events read from disk

Module 3 - Manipulating and Filtering Data

  • Divide search results into different groups, based on values in a specified field, using the bin command

  • Regroup fields of search results using untable and xyseries

  • Create a template for performing additional processing on a set of related fields using foreach

Module 4 - Working with Multivalue Fields

  • Use multivalue eval functions to analyze and format data

  • Use the makemv command to convert a single value into a multivalue field

  • Use the mvexpand command to create separate events for each value in a multivalue field

Module 5 - Using Advanced Transactions

  • Find events logged before or after a particular event occurs

  • Compare complete vs. incomplete transactions

  • Analyze Transactions

​

Module 6 – Working with Time

  • Use time modifiers

  • Search for events using custom time ranges and time windows

  • Display and use using relative dates

  • Use custom time ranges in multiple subsearches

Module 7 – Combining Searches

  • Use the append and appendcols commands (and know the differences)

  • Use join and union (and when not to use them)

Module 8 –  Using Subsearches

  • Use subsearches to provide filtering and other information to the main search

  • Know when NOT to use subsearches

  • Troubleshoot subsearches

Module 9– Some Extra Tips

  • Describe the use of regular expressions

  • Provide some guidance on using lookups

  • Provide miscellaneous optimization tips

​

Splunk Course Schedules and Timezones

Ingeniq Course are delivered live and in English and provide access to customers spanning multiple timezones.

​

Dates and times displayed for each course are relative to Australian Eastern Time (AET).

​

​

AM Marked Splunk Courses

AM marked courses start at AET 9:00am and finish at AET 1:30pm and are optimal for customers in the following countries and areas;

​

  • UTC+10 including Australia (East Coast)

  • UCT+11/+12 including New Zealand and the Pacific Islands

  • UTC-8 including USA (West Coast), Canada (West Coast)

  • UTC-7 including USA (Mid West)

PM Marked Splunk Courses

PM marked courses usually starts at AEDT 12:00pm or AEST 11:00 am and are optimal for customers in the following countries and areas;

​

  • UTC+10 including Australia (East Coast)

  • UCT+11/+12 including New Zealand and the Pacific Islands

  • UTC-8 including USA (West Coast), Canada (West Coast)

  • UTC-7 including USA (Mid West)

bottom of page