Search Under the Hood

Duration: 2 Days (16 Hours)

Search Under the Hood Course Overview:

This course provides students with a deeper understanding of Splunk’s search processing. Topics include Splunk architecture, the breakdown and distribution of search components across the pipeline, and troubleshooting techniques for searches that yield unexpected results.

Intended Audience:

  • IT professionals and administrators responsible for managing Splunk deployments
  • Splunk power users and analysts seeking to enhance their troubleshooting skills
  • System architects and engineers involved in Splunk architecture and performance optimization
  • Those tasked with diagnosing and resolving issues related to Splunk searches and data processing

Learning Objectives of Search Under the Hood:

  • Understanding Splunk architecture
  • Understanding how search terms are tokenized
  • Using streaming and non-streaming commands
  • Using troubleshooting commands and functions

Topic 1 – Investigating Searches

  • Utilizing the Search Job Inspector to analyze search processing and troubleshoot performance
  • Applying SPL (Splunk Processing Language) commenting to identify and isolate issues

Topic 2 – Splunk Architecture

  • Understanding the roles of search heads, indexers, and forwarders within a Splunk deployment
  • Examining the function of components in a bucket, including .tsidx and journal.gz files
  • Exploring the use of bloom filters to enhance search speed

Topic 3 – Streaming and Non-Streaming Commands

  • Describing the components of a search string
  • Differentiating between centralized and distributable commands
  • Crafting more efficient searches

Topic 4 – Breakers and Segmentation

  • Understanding the role of segmenters in Splunk
  • Implementing lispy to reduce the number of events read from disk

Topic 5 – Commands and Functions for Troubleshooting

  • Leveraging commands such as fieldsummary and makeresults for troubleshooting
  • Utilizing informational functions in conjunction with the eval command, including isnull and typeof functions

Search Under the Hood Course Prerequisites:

Intro to Splunk eLearning course



Training Exclusives

This course comes with the following benefits:

  • Practice labs
  • Training delivered by certified trainers
  • Access to the recordings of your class sessions for 90 days
  • Digital courseware
  • 24/7 learner support
