1
00:00:04,020 --> 00:00:05,310
In the previous video,

2
00:00:05,340 --> 00:00:08,100
we went through the complete UI of Splunk.

3
00:00:08,130 --> 00:00:12,870
Now let's understand how Splunk search works. Before searching,

4
00:00:12,900 --> 00:00:19,410
keep in mind: never ever use All time unless there is a real need to do so,

5
00:00:20,110 --> 00:00:26,470
because if you use an All time search, it just kills Splunk resources.

6
00:00:26,500 --> 00:00:33,820
If we choose All time, it just searches for all the data that is available on Splunk from the time

7
00:00:33,820 --> 00:00:38,470
of its implementation, or probably even beyond that, if we have indexed older data.

8
00:00:39,040 --> 00:00:46,090
So it just kills resources like CPU and RAM on the search and puts a heavy load on your index,

9
00:00:46,090 --> 00:00:53,050
because it searches for a longer duration. Just make sure to use All time only when there is a real

10
00:00:53,050 --> 00:00:53,440
need.

11
00:00:53,560 --> 00:00:58,390
I'll perform some basic searches on Splunk's internal audit logs.

12
00:00:59,740 --> 00:01:03,010
I'll keep it at the last 60 minutes, and

13
00:01:03,990 --> 00:01:09,960
the index called _audit is where all the internal logs of Splunk are stored.

14
00:01:09,990 --> 00:01:14,460
I'll just type index=_audit and hit enter.

15
00:01:17,530 --> 00:01:23,920
As soon as I hit enter, I got 4000 plus events for the last one hour.

16
00:01:24,100 --> 00:01:28,450
This means this many events were generated during the last 60 minutes.

17
00:01:28,480 --> 00:01:33,340
You can also refer to this to see from which time to which time it is searching:

18
00:01:34,570 --> 00:01:40,210
a 60-minute window, from the present back to the last 60 minutes.

19
00:01:41,590 --> 00:01:47,350
Now I have narrowed down my search to just index=_audit.

20
00:01:48,460 --> 00:01:50,830
In Splunk, the free-form search:
21
00:01:50,830 --> 00:01:55,390
I need to search for an error, so I enter error.

22
00:01:55,930 --> 00:01:59,800
It will display all the errors in the last 60 minutes.

23
00:01:59,830 --> 00:02:02,080
As of now, there is nothing found

24
00:02:02,260 --> 00:02:03,700
in the last 60 minutes.

25
00:02:03,730 --> 00:02:07,090
Let me run it for the last 24 hours.

26
00:02:08,740 --> 00:02:11,530
In the last 24 hours, there was one error.

27
00:02:12,190 --> 00:02:17,470
It exactly matches the free-form search, or keyword search, which I performed.

28
00:02:17,890 --> 00:02:20,600
You can also use wildcard searches.

29
00:02:20,620 --> 00:02:21,520
Let's say

30
00:02:22,320 --> 00:02:25,220
err*. It reports

31
00:02:25,220 --> 00:02:28,010
anything that matches err*.

32
00:02:28,250 --> 00:02:32,370
As you can see, there is one err* and one error.

33
00:02:32,390 --> 00:02:34,670
These are basically the searches that I'm running.

34
00:02:34,670 --> 00:02:39,380
It is auditing the searches; it keeps track of the searches.

35
00:02:39,980 --> 00:02:45,350
So in the last 24 hours, we have three events that are matching, starting with err.

36
00:02:45,380 --> 00:02:46,770
That is a wildcard search.

37
00:02:46,790 --> 00:02:51,560
Let me search for ERROR in capitals.

38
00:02:51,590 --> 00:02:58,970
What it does is: in free-form search, Splunk is case insensitive. Capital ERROR or lowercase error,

39
00:02:59,000 --> 00:03:00,380
they both mean the same.

40
00:03:01,340 --> 00:03:05,990
It gives me the same results, which are matching the error keyword. But

41
00:03:07,500 --> 00:03:09,450
if you use quotes,

42
00:03:10,870 --> 00:03:16,930
or if you use a field name in capitals, it always refers to the quoted names.

43
00:03:18,510 --> 00:03:19,140
Here,

44
00:03:19,140 --> 00:03:25,410
even with the quotes, error still finds me all the same results.

45
00:03:25,650 --> 00:03:26,970
Let me search
46
00:03:27,950 --> 00:03:29,450
by selecting a field.

47
00:03:29,480 --> 00:03:34,370
I'll search action=search in the last 24 hours.

48
00:03:34,820 --> 00:03:40,490
So we got four events that are matching action=search in the last 24 hours.

49
00:03:40,820 --> 00:03:43,250
What will happen if I search for

50
00:03:44,460 --> 00:03:45,600
capital-case action?

51
00:03:47,960 --> 00:03:49,910
Let me filter my search.

52
00:03:49,940 --> 00:03:56,960
Now my search is: I'm searching for a field called action in upper case, and the value is search.

53
00:03:57,080 --> 00:04:02,480
This will probably be one of your questions when you're taking the certification for Splunk Power User or

54
00:04:02,480 --> 00:04:03,500
Splunk User.

55
00:04:03,530 --> 00:04:08,630
Make sure you understand the capital case that is mentioned for the field.

56
00:04:08,900 --> 00:04:16,850
It says no results were found, but we saw there was a field named action; but it is in lower

57
00:04:16,850 --> 00:04:17,440
case.

58
00:04:17,480 --> 00:04:23,030
So this shows that field names are case sensitive.

59
00:04:23,090 --> 00:04:27,440
The field names should be typed as they are: if it starts with a capital,

60
00:04:27,740 --> 00:04:29,160
it should be with a capital.

61
00:04:29,480 --> 00:04:32,300
If it is all small, you should type all of it small.

62
00:04:32,600 --> 00:04:39,590
As you see now, we are searching with lowercase action and we got 888 events matching

63
00:04:39,590 --> 00:04:40,520
our search query.

64
00:04:40,550 --> 00:04:46,400
Let's see what happens if I change the value of the field to capital case.

65
00:04:47,520 --> 00:04:50,460
This is a guaranteed question.

66
00:04:50,460 --> 00:04:56,220
When you are taking a Splunk Power User or Splunk User certification, you'll get this question.
67
00:04:56,220 --> 00:05:02,070
They will give you an example like action=search, one in small and one in caps, and

68
00:05:02,070 --> 00:05:05,550
they will ask whether both return the same result.

69
00:05:05,550 --> 00:05:06,690
Is it true or false?

70
00:05:06,720 --> 00:05:07,920
Of course it is false.

71
00:05:07,920 --> 00:05:11,150
Just now we have seen that capital field names

72
00:05:12,210 --> 00:05:18,810
are different than the lowercase field names, whereas the values represent the same.

73
00:05:19,710 --> 00:05:21,770
Even if they give it with quotes,

74
00:05:21,780 --> 00:05:24,760
we have even validated that scenario: that if it is in quotes,

75
00:05:24,780 --> 00:05:32,670
also it will not look for case-sensitive values, whereas fields are case sensitive.
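The matching rules demonstrated in the video, as an added Python emulation that is neither Splunk's code nor part of the course: free-form keywords match case-insensitively, `*` is a wildcard, field names must match exactly while field values are compared case-insensitively, quotes make no difference to that, and the time picker decides how many events get scanned at all (the reason "All time" is expensive). The events, their timestamps, the `_tokens` segmentation and every function name here are constructed assumptions, a rough stand-in for Splunk's real `_audit` index and segmenter.

```python
"""Toy emulation of the Splunk search rules shown in the video (added example, not Splunk code)."""
import re
import shlex
from datetime import datetime, timedelta, timezone

# Constructed reference time and events, loosely shaped like Splunk's _audit index.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _event(minutes_ago, action, raw):
    return {"_time": NOW - timedelta(minutes=minutes_ago), "index": "_audit",
            "action": action, "_raw": raw}


EVENTS = [
    _event(5,    "search", "Audit:[user=admin, action=search, info=granted, search='search index=_audit']"),
    _event(12,   "search", "Audit:[user=admin, action=search, info=granted, search='search index=_audit err*']"),
    _event(30,   "login",  "Audit:[user=admin, action=login, info=succeeded]"),
    _event(240,  "search", "Audit:[user=admin, action=search, info=granted, search='search index=_audit error']"),
    _event(600,  "search", "Audit:[user=admin, action=search, info=granted, search='search index=_audit ERROR']"),
    _event(2000, "search", "Audit:[user=admin, action=search, info=granted, search='search index=_audit error']"),
]


def _tokens(raw):
    # Crude stand-in for Splunk's segmentation: word characters only, so a '*' in _raw is not a token.
    return re.findall(r"\w+", raw)


def keyword_matches(raw, term):
    """Free-form keyword: case-insensitive whole-token match; '*' in the term is a wildcard."""
    pattern = re.compile(re.escape(term).replace(r"\*", ".*"), re.IGNORECASE)
    return any(pattern.fullmatch(tok) for tok in _tokens(raw))


def field_matches(event, name, value):
    """field=value: the field NAME must exist exactly as typed (case-sensitive);
    the VALUE is compared case-insensitively, with or without surrounding quotes."""
    if name not in event:          # 'ACTION' is not the same field as 'action'
        return False
    return str(event[name]).lower() == value.strip('"').lower()


def search(events, query, earliest=None):
    """Run a query such as 'index=_audit err*' over events; earliest limits the time window."""
    clauses = shlex.split(query)   # shlex strips quotes, so "error" becomes error
    cutoff = (NOW - earliest) if earliest else None   # None means "All time": every event is scanned
    hits = []
    for ev in events:
        if cutoff and ev["_time"] < cutoff:
            continue
        ok = True
        for clause in clauses:     # clauses are implicitly ANDed, as in Splunk
            if "=" in clause:
                name, value = clause.split("=", 1)
                ok = ok and field_matches(ev, name, value)
            else:
                ok = ok and keyword_matches(ev["_raw"], clause)
        if ok:
            hits.append(ev)
    return hits


def count(query, last_minutes=None):
    """Number of constructed events matching query in the last N minutes (None = All time)."""
    window = timedelta(minutes=last_minutes) if last_minutes is not None else None
    return len(search(EVENTS, query, earliest=window))


if __name__ == "__main__":
    for q, mins in [("index=_audit error", 60), ("index=_audit error", 1440),
                    ("index=_audit ERROR", 1440), ('index=_audit "error"', 1440),
                    ("index=_audit err*", 1440), ("index=_audit action=search", 1440),
                    ("index=_audit ACTION=search", 1440), ("index=_audit action=SEARCH", 1440),
                    ("index=_audit error", None)]:
        print(f"{q:32} last {mins or 'All time'!s:>8} min -> {count(q, mins)} events")
```

Reading the output top to bottom reproduces the video's sequence: nothing in the last 60 minutes, hits once the window is widened to 24 hours, identical counts for `error`, `ERROR` and `"error"`, more hits for `err*`, the same four events for `action=search` and `action=SEARCH`, zero for `ACTION=search`, and the largest count with no time bound at all, which is exactly the cost the speaker warns about.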