1
00:00:00,960 --> 00:00:03,180
That is with the first menu.

2
00:00:03,210 --> 00:00:04,710
The second is the format.

3
00:00:05,100 --> 00:00:06,440
One is the row number.

4
00:00:06,450 --> 00:00:06,990
It is.

5
00:00:06,990 --> 00:00:09,210
Most of these are self-explanatory.

6
00:00:09,240 --> 00:00:11,850
If I click on no, the row numbers are off.

7
00:00:12,420 --> 00:00:19,500
As you can see, at the beginning stage, they don't seem to have any value or add any value during your analysis,

8
00:00:19,500 --> 00:00:26,280
but it might add value for a few of the people who want to keep track of how many events

9
00:00:26,280 --> 00:00:27,660
have occurred during this window.

10
00:00:27,660 --> 00:00:31,020
But there are much better ways of fetching that information.

11
00:00:31,050 --> 00:00:32,460
That is row number.

12
00:00:32,550 --> 00:00:33,480
I'll disable it.

13
00:00:33,510 --> 00:00:34,970
Then, wrap results.

14
00:00:35,040 --> 00:00:36,330
It's self-explanatory.

15
00:00:36,330 --> 00:00:39,870
Like any text editor, it is whether to wrap the logs or not.

16
00:00:39,880 --> 00:00:43,860
If the logs are too lengthy, they will be wrapped, something like this.

17
00:00:44,350 --> 00:00:48,690
See, it has been wrapped into three lines, but it is still a single-line event.

18
00:00:49,640 --> 00:00:52,490
Then the max lines to display. By default

19
00:00:52,490 --> 00:00:53,420
it is five lines.

20
00:00:53,420 --> 00:00:59,960
If you want, you can choose, and at any time, if you are not able to see more than five lines, all

21
00:00:59,960 --> 00:01:06,140
you have to do is: there will be an expand option here if you have larger events which are more than three

22
00:01:06,140 --> 00:01:08,810
lines. As of now, we don't have any.

23
00:01:08,810 --> 00:01:10,400
So there will be an expand option here.

24
00:01:10,400 --> 00:01:12,320
You can expand to see the full event.

25
00:01:14,040 --> 00:01:15,120
Event drill-down.

26
00:01:15,450 --> 00:01:18,360
There is something called full, inner and outer.

27
00:01:18,810 --> 00:01:21,930
You can choose how to drill down into the events.

28
00:01:21,930 --> 00:01:23,520
It's like selecting these events.

29
00:01:23,520 --> 00:01:26,190
It is like, if I click now, it will update

30
00:01:26,190 --> 00:01:29,520
"user is equal to admin" in my search query.

31
00:01:29,610 --> 00:01:31,140
That is my full.

32
00:01:35,440 --> 00:01:36,430
Let's see here.

33
00:01:36,880 --> 00:01:39,190
It selects only individual fields.

34
00:01:43,670 --> 00:01:49,790
If I select full, it selects the complete "user is equal to admin", wherever I move the cursor across, until

35
00:01:49,790 --> 00:01:50,660
the next field.

36
00:01:51,800 --> 00:01:56,810
Whereas outer, it is like wherever I click, it selects the complete field.

37
00:01:58,970 --> 00:02:05,510
As you can see, even if I put it in between the complete text, it selects the full one, whereas with

38
00:02:05,510 --> 00:02:13,640
full, it selects from the place where the cursor starts until where I end in the next field.

39
00:02:14,780 --> 00:02:17,690
That is with this menu, and the number of events to display.

40
00:02:17,720 --> 00:02:22,910
It will start from ten, and it can increase up to 50 if you want to see more events in your

41
00:02:23,870 --> 00:02:24,920
So speed.

42
00:02:25,780 --> 00:02:31,080
And if you come to the fields on the left, you can see there are two columns.

43
00:02:31,090 --> 00:02:32,500
One is hide fields.

44
00:02:32,500 --> 00:02:39,310
It can hide and give you more space to view the events, and show fields, which will pop it back again.

45
00:02:39,550 --> 00:02:43,440
Then there is all fields, which leads to all the extracted fields.

46
00:02:43,450 --> 00:02:50,620
And sometimes, if you are not able to find your field in this, make sure you are selecting all fields,

47
00:02:50,620 --> 00:02:59,230
because 1% of the values are present in the logs. Let's say I'm having 100 events and my field

48
00:02:59,230 --> 00:03:00,370
is in just one event.

49
00:03:00,640 --> 00:03:05,800
It will be hidden from this, so you need to make sure you select all fields to even identify those

50
00:03:05,800 --> 00:03:07,120
1% of the fields.

51
00:03:08,300 --> 00:03:09,820
There are two columns in this.

52
00:03:09,830 --> 00:03:13,250
One is selected fields, and interesting fields.

53
00:03:13,250 --> 00:03:17,150
The selected fields, as we discussed, will be displayed right under your events

54
00:03:17,150 --> 00:03:25,520
in the list view of the events, and the interesting fields are the auto-extracted or manually extracted

55
00:03:25,520 --> 00:03:33,860
fields, from the Splunk admin or Splunk RTT designing this and extracting this information and making

56
00:03:33,860 --> 00:03:34,640
it available.

57
00:03:35,420 --> 00:03:39,620
These interesting fields are extracted from the logs by Splunk,

58
00:03:40,690 --> 00:03:47,710
as auto-extracted, as of now, for these logs, and you can make them a selected field by clicking

59
00:03:47,710 --> 00:03:49,090
on this link.

60
00:03:50,010 --> 00:03:57,960
One more key piece of information is, you can see on the fields' left side, there is something named

61
00:03:57,960 --> 00:04:00:150
as "a", an asterisk.

62
00:04:00,940 --> 00:04:05,440
It's not Asterix upon Tyne and Asterix.

63
00:04:05,920 --> 00:04:08,470
On the right side, there are numbers.

64
00:04:08,500 --> 00:04:11,140
What it represents is, if you see an "a",

65
00:04:12,560 --> 00:04:16,870
it represents that the field value is an alphanumeric value.

66
00:04:16,880 --> 00:04:20,060
That means it contains numbers and alphabets.

67
00:04:20,060 --> 00:04:25,690
Whenever you see "a" right next to the field, it is represented, or it is understandable, that it is

68
00:04:25,690 --> 00:04:26,840
an alphanumeric value.

69
00:04:26,840 --> 00:04:29,930
If you see sourcetype, this audittrail here, it says

70
00:04:31,330 --> 00:04:32,820
just an alphabetical value.

71
00:04:32,830 --> 00:04:36,190
But even if you have a number, it works.

72
00:04:36,190 --> 00:04:40,910
So that is one way of saying that it can handle alphanumeric values.

73
00:04:40,930 --> 00:04:41,950
Similarly, source.

74
00:04:41,980 --> 00:04:49,000
Similarly, host. Host probably might be the best example here, because it has numbers along with

75
00:04:49,630 --> 00:04:52,330
alphabets, which are part of the host name.

76
00:04:52,600 --> 00:05:01,410
If you see some other fields like date underscore time, M, de and R, these are numeric values;

77
00:05:01,420 --> 00:05:06,050
these fields will never have alphabetical values. By the name,

78
00:05:06,070 --> 00:05:08,020
it is clear that these are the date fields.

79
00:05:08,020 --> 00:05:12,910
But to understand what this symbol, or

80
00:05:14,570 --> 00:05:21,680
the alphanumeric symbol, means: this represents the acceptable field values that it can handle.

81
00:05:22,430 --> 00:05:25,850
On the right side, there are some digits that are represented.

82
00:05:25,880 --> 00:05:28,130
These represent unique values.

83
00:05:28,170 --> 00:05:30,090
Take, say, date underscore second.

84
00:05:30,110 --> 00:05:32,200
That means it has 60 values.

85
00:05:32,210 --> 00:05:37,190
Of course, each meaning the 60 seconds, starting from 0 to 59.

86
00:05:37,190 --> 00:05:43,550
So it has 60 unique values, and it is present in almost all the events; it will be part of all the events,

87
00:05:43,550 --> 00:05:47,210
which says it is existing in 100% of the events.

88
00:05:48,450 --> 00:05:56,340
From this fields menu, you'll get the field name, the distinct values and the percentage coverage of events

89
00:05:56,340 --> 00:05:59,430
that we got from our search results.

90
00:06:01,440 --> 00:06:07,770
We'll see the reports menu, where it shows the quick options to create a visualization.

91
00:06:07,770 --> 00:06:10,440
Let me say top values of the second.

92
00:06:11,400 --> 00:06:14,100
It will give me an automatic visualization.

93
00:06:14,310 --> 00:06:17,950
See, by default it is saying to use a bar chart.

94
00:06:17,970 --> 00:06:21,510
If you click on bar chart, you'll get other recommended views.

95
00:06:21,750 --> 00:06:22,530
If you look,

96
00:06:23,540 --> 00:06:24,940
either visualization,

97
00:06:24,950 --> 00:06:29,600
if it fits you, can be used; what I always do is stick with the recommendation for a better

98
00:06:30,930 --> 00:06:36,480
presentation, because it already knows what kind of data is available for presenting, so it shows probably

99
00:06:36,480 --> 00:06:38,270
the best values to display.

100
00:06:38,280 --> 00:06:40,860
These are some of the options

101
00:06:41,530 --> 00:06:46,630
which you can pick out from the Splunk web interface.

102
00:06:48,690 --> 00:06:54,990
As I already informed, you'll be getting access to a Splunk demo session as a part of the complete package

103
00:06:54,990 --> 00:06:57,510
purchase of these tutorials.

104
00:06:58,110 --> 00:07:02,910
Try to get into the package deal and you'll have access for 30 days.

105
00:07:02,910 --> 00:07:04,770
You can play around with your instance.

106
00:07:04,770 --> 00:07:06,570
You'll have a kind of dedicated instance.

107
00:07:06,570 --> 00:07:12,120
You can search, create visualizations, create alerts, reports, all this stuff, and you can probably

108
00:07:12,120 --> 00:07:13,200
even practice your

109
00:07:14,650 --> 00:07:15,790
search queries.