1 00:00:00,090 --> 00:00:06,150 The pause and the stop menu can be used only while the search is running, and it is self-explanatory:
2 00:00:06,150 --> 00:00:08,190 to pause the search, to stop the search.
3 00:00:08,580 --> 00:00:12,000 So there is a print option to print the entire web page.
4 00:00:12,030 --> 00:00:16,950 There is an export option which by default has CSV, XML and JSON.
5 00:00:17,100 --> 00:00:19,380 And also you can export the raw events.
6 00:00:19,410 --> 00:00:21,120 That is nothing but your log file.
7 00:00:21,150 --> 00:00:22,590 You can export it from here.
8 00:00:23,100 --> 00:00:31,470 When you export, all the events that are matching, like 3000 plus events in the last 60 minutes, from only
9 00:00:31,470 --> 00:00:32,460 this filter.
10 00:00:32,940 --> 00:00:37,750 When I say filter, we are just looking for Splunk internal audit logs.
11 00:00:37,770 --> 00:00:40,920 If you want to see this log, you cannot export it from here.
12 00:00:40,920 --> 00:00:47,250 We'll see how we can narrow down, how we can change our search to do a targeted search to fetch the
13 00:00:47,250 --> 00:00:48,600 information that we need.
14 00:00:48,630 --> 00:00:54,170 Then you should click on Export, and if you click on Raw Events, you'll get the actual log files.
15 00:00:54,180 --> 00:01:00,510 If you get CSV, you'll get a good parse of the content of your logs, specifying each field and its value.
16 00:01:00,750 --> 00:01:02,280 XML and JSON:
17 00:01:02,280 --> 00:01:05,610 it will be in their specific values.
18 00:01:06,000 --> 00:01:12,990 The next menu is one of the important ones: that is smart, fast and verbose mode.
19 00:01:13,140 --> 00:01:18,360 To differentiate them, there is a small description that is specified there.
20 00:01:18,390 --> 00:01:25,410 You can go through that, probably when you get access to the Splunk instance as part of this complete
21 00:01:25,410 --> 00:01:25,920 package.
22 00:01:25,920 --> 00:01:29,070 Of course, it is nothing but this: the fast
23 00:01:29,850 --> 00:01:34,350 is the fastest, the smart is the smartest, and the verbose is the dumbest.
24 00:01:34,680 --> 00:01:36,300 It's like the fast.
25 00:01:36,330 --> 00:01:39,930 What it does is it extracts only the minimum required fields,
26 00:01:40,820 --> 00:01:42,750 or only the necessary fields.
27 00:01:42,770 --> 00:01:43,750 Let us see.
28 00:01:43,780 --> 00:01:46,030 We ran the last 60 minutes search.
29 00:01:46,040 --> 00:01:47,810 Let us run it in fast mode.
30 00:01:48,850 --> 00:01:49,800 And let us see.
31 00:01:49,810 --> 00:01:50,890 How does this look?
32 00:01:52,950 --> 00:01:53,880 Fast.
33 00:01:53,910 --> 00:01:59,610 The main difference is here we have three interesting fields, three selected fields.
34 00:02:00,060 --> 00:02:05,010 And for fast, let's see in how much time this job was completed.
35 00:02:05,610 --> 00:02:13,560 You can see that by clicking on Job, Edit, Inspect Job; you'll be able to see that it was completed
36 00:02:13,560 --> 00:02:15,120 in 0.4 seconds.
37 00:02:15,120 --> 00:02:18,270 That was for the last 60 minutes in fast mode.
38 00:02:18,300 --> 00:02:19,980 Let's go to smart mode.
39 00:02:21,530 --> 00:02:31,370 Smart mode is like the smarter one, which gets the information which is needed.
40 00:02:31,370 --> 00:02:35,950 Like, if I write a query to get the raw events, it will show me the raw events.
41 00:02:35,960 --> 00:02:41,810 If I write a query to display a visualization or a chart, it displays only the chart.
42 00:02:41,840 --> 00:02:44,000 It doesn't display my raw events.
43 00:02:44,000 --> 00:02:45,630 That is how the smart mode works.
44 00:02:45,650 --> 00:02:49,080 It just gives you the information that you need. In this smart mode,
45 00:02:49,100 --> 00:02:56,120 you can see there are a lot, many, many more fields, which says these are interesting fields, and it
46 00:02:56,120 --> 00:02:57,050 will be useful.
47 00:02:57,080 --> 00:02:58,580 Smart mode, as expected.
48 00:02:58,580 --> 00:02:59,840 It automatically.
49 00:03:01,620 --> 00:03:03,990 And this smart mode.
50 00:03:03,990 --> 00:03:10,200 Let us see how much time it has taken to run our previous search.
51 00:03:10,200 --> 00:03:13,470 That is, the fast mode took around 0.4.
52 00:03:13,500 --> 00:03:14,880 This took around 0.3.
53 00:03:14,880 --> 00:03:16,170 This was fastest.
54 00:03:17,760 --> 00:03:18,990 How can that be?
55 00:03:21,240 --> 00:03:23,820 The fast mode ran again.
56 00:03:23,820 --> 00:03:24,960 Let me search again.
57 00:03:28,740 --> 00:03:33,180 See, the fast mode took around 0.23 seconds.
58 00:03:34,410 --> 00:03:38,170 Our smart mode, it basically refreshes from the cache.
59 00:03:38,310 --> 00:03:41,100 That's the reason, from the fast mode to smart mode,
60 00:03:41,580 --> 00:03:43,680 it showed as if it was less.
61 00:03:45,510 --> 00:03:46,980 So let us see.
62 00:03:47,160 --> 00:03:57,150 This would have taken much greater than what fast mode took: this is 0.38, whereas fast mode is 0.23 seconds.
63 00:03:57,630 --> 00:04:01,760 But if I run the same search in verbose mode, it will take even longer.
64 00:04:01,770 --> 00:04:02,460 It will add.
65 00:04:02,700 --> 00:04:08,190 It will try to add more information, get more meta information and field information to the logs.
66 00:04:08,430 --> 00:04:14,250 And since we are running the same search over and over again, most of them will be stored from Splunk
67 00:04:14,250 --> 00:04:19,440 cache, and as you can see, our verbose mode,
68 00:04:20,630 --> 00:04:27,980 which took 0.4 seconds; when you compare to fast it was 0.23, when we compare to smart it was 0.38,
69 00:04:27,980 --> 00:04:30,560 and when you compare to verbose, it is 0.4.
70 00:04:30,590 --> 00:04:35,690 This is okay for running a 60 minute search, but imagine if you are running a search for three months.
71 00:04:35,690 --> 00:04:38,960 The verbose mode will run for, like, forever.
72 00:04:39,020 --> 00:04:45,890 As a Splunk admin, you should make sure that verbose mode is absolutely not used, and it is only used
73 00:04:45,890 --> 00:04:48,410 whenever there is a real need for using it.
74 00:04:48,500 --> 00:04:52,520 Most of the time you'll be able to get your job done with smart mode.
75 00:04:52,910 --> 00:04:53,420 We'll see
76 00:04:53,420 --> 00:04:55,610 one more example for smart mode.
77 00:04:55,640 --> 00:04:57,950 Let's say I have a field called Action.
78 00:04:57,950 --> 00:05:01,010 Here, I'll click on the top values.
79 00:05:01,920 --> 00:05:02,260 I'll.
80 00:05:02,430 --> 00:05:07,230 My search query is auto-updated, and the search is running now.
81 00:05:07,230 --> 00:05:12,750 It automatically populated a visualization, which shows the top 20 values by default.
82 00:05:12,870 --> 00:05:14,960 Here I am running it in smart mode.
83 00:05:14,970 --> 00:05:18,090 If I go back to Events, I can't see any event.
84 00:05:18,120 --> 00:05:22,070 It clearly says you didn't run this in verbose mode.
85 00:05:22,080 --> 00:05:28,050 If you want to see the events along with your chart, you need to run in verbose mode. Running in
86 00:05:28,050 --> 00:05:28,820 verbose mode
87 00:05:28,830 --> 00:05:32,130 is like performing heavy duty on your Splunk.
88 00:05:32,220 --> 00:05:34,050 It will just kill your resources.
89 00:05:34,050 --> 00:05:38,280 So make sure verbose mode is used whenever it is necessary.