Splunk | Search Under the Hood

In Search there are certain commands that resemble each other but have unique functionality.

SEARCH JOB INSPECTOR – used for troubleshooting searches.

EXECUTION COSTS – the longer a search takes, the more components are involved.

Comments are generally used to make a note of what the search code is intended to do, e.g. '''this is a sample comment'''

Indexer vs Search head: Splunk uses bloom filters to find the search terms.

Search head – runs the centralized streaming and transforming commands.

Transforming commands – timechart, stats, chart, top, rare

Centralized streaming commands – run on the search head – stateful streaming commands

Distributable streaming commands – e.g. eval – execute on the indexer

Notes: rename – distributable streaming command | rename is to be added before stats

Search tokens – event tokens from segmentation – affect search performance, either improving it or not.

Major breakers – space, new line, carriage return, comma, exclamation mark

Minor breakers – symbols like:

Searches – tokens -> Search in address – click search log

Splunk uses lispy expressions to create bloom filters.

AND OR NOT

Hot bucket – stores data as it arrives

Warm bucket – read only, then cold, then

Frozen bucket – deletion and archiving

Bucket – the journal has the raw data, and the tsidx (timestamp index) file – index keys into the journal file – has a unique lexicon

  1. Which of the following commands generates temporary search results? makeresults
  2. Where should the makeresults command be placed in the search? At the beginning of the search
  3. Which of the following commands signifies a comment in SPL? '''triple single quotes'''
  4. Where are comments to be placed in the search? A comment can be placed anywhere in the search
  5. Which component of the Search Job Inspector shows how long a search took to execute? Header
  6. When is a bucket bloom filter created? When the bucket changes from hot to warm
  7. Which architectural component of a Splunk deployment initiates a search? Initiated on the search head – sent to the indexer peers
  8. Which component of a bucket stores raw event data? Journal
  9. Where in the search pipeline are the transforming commands executed? Search head
  10. If a search begins with a distributable streaming command, where is it first executed? Indexer – if search head then
  11. After Splunk tokenizes terms at index time, where are the tokens stored? tsidx files
  12. Which of the following breakers would be used first in segmentation? Major breakers – spaces, new lines, carriage returns, tabs, [], !, commas?
  13. Which of the following expressions builds a search-time bloom filter? lispy
  14. Which of the following could cause a lispy expression to not create tokens? Wildcard at the beginning
  15. Which directive is used in a search to bypass minor breakers inside the supplied argument? lispy? \:/-$ – TERM