1
00:00:02,460 --> 00:00:09,390
In our previous lecture, we have gone through the Splunk top menu and all the links in those

2
00:00:09,390 --> 00:00:09,810
menus.

3
00:00:09,930 --> 00:00:17,340
Now let's get inside an app and see what the app menu and other features look like.

4
00:00:18,590 --> 00:00:26,570
I'll be using the Search and Reporting app, which is the default app. It has five different menus, of

5
00:00:26,570 --> 00:00:34,040
which Search is the default menu, so that as soon as we click the app, we land on the Search

6
00:00:34,040 --> 00:00:34,850
menu page.

7
00:00:35,970 --> 00:00:42,380
There are other menus like Datasets, Reports, Alerts and Dashboards.

8
00:00:42,390 --> 00:00:49,590
In this case, we'll be going through a complete walkthrough of the Search menu and a brief about all other

9
00:00:49,590 --> 00:00:50,220
menus.

10
00:00:51,180 --> 00:00:58,530
Let's come to the Search menu. In the list, the Datasets, which was previously known as Pivot.

11
00:00:59,880 --> 00:01:08,970
It is used as a typical pivot function in Excel, where you can build visualizations just by clicking and

12
00:01:08,970 --> 00:01:11,580
selecting pivots or datasets.

13
00:01:14,490 --> 00:01:14,790
Here,

14
00:01:14,790 --> 00:01:20,140
for example, I have one dataset called Splunk internal server log.

15
00:01:20,160 --> 00:01:26,910
Since this is a new instance, we should be able to see if we have any events related to our internal

16
00:01:26,910 --> 00:01:27,420
logs.

17
00:01:31,640 --> 00:01:32,180
Okay.

18
00:01:32,210 --> 00:01:37,310
We do have some of the events related to internal logs.

19
00:01:37,310 --> 00:01:38,330
On the left side,

20
00:01:38,330 --> 00:01:42,050
you can see there are a lot of visualization features.

21
00:01:42,050 --> 00:01:45,170
If we click on them, it will automatically pop up.
22
00:01:46,860 --> 00:01:54,810
Any kind of visualization we'll be going through briefly, and for this tutorial's purposes very briefly about

23
00:01:54,810 --> 00:01:55,200
this.

24
00:01:55,200 --> 00:02:03,000
But in the future we'll be going through how to create a new pivot, how to visualize, how to customize,

25
00:02:03,000 --> 00:02:11,520
how to add it to your dashboard, how to add or use pivot commands and reports, these kinds of features.

26
00:02:11,520 --> 00:02:20,070
But for now, I think it has a simple Excel pivot where you can visualize data without writing any queries.

27
00:02:22,040 --> 00:02:22,840
Moving on.

28
00:02:22,850 --> 00:02:30,770
The next menus, the Reports, Alerts and Dashboards tabs, are self-explanatory, and are used to search,

29
00:02:30,770 --> 00:02:37,730
create or manage a report, or even accelerate a report or dashboard respectively.

30
00:02:38,840 --> 00:02:39,410
Now.

31
00:02:41,010 --> 00:02:49,080
Let's continue with our Search menu, which is the most important and most informative menu in any app.

32
00:02:52,200 --> 00:02:53,370
The search bar.

33
00:02:53,400 --> 00:03:00,300
This is known as the search bar, the white rectangle just below the search term, where you write your

34
00:03:00,300 --> 00:03:05,130
queries based on custom conditions to pick the needle from the haystack.

35
00:03:05,160 --> 00:03:10,800
This is where you'll be writing all your queries to fetch the data, probably from millions or billions

36
00:03:10,800 --> 00:03:14,610
of events that the organization is generating every day.

37
00:03:15,450 --> 00:03:21,780
And right next to this search bar, there is a time selector which is, by default, set to last 24 hours,

38
00:03:21,780 --> 00:03:24,060
and it is completely customizable.

39
00:03:24,060 --> 00:03:30,600
And these are some of the preset conditions which are commonly used during searching, and next to the

40
00:03:31,400 --> 00:03:32,330
time selector.
41
00:03:32,360 --> 00:03:34,040
This is known as the time selector.

42
00:03:34,040 --> 00:03:40,790
Next to the time selector there is a search icon, so that once you choose the time you can click search

43
00:03:40,790 --> 00:03:46,370
so that it starts searching, or even the Enter key can start the search.

44
00:03:47,560 --> 00:03:50,890
Let's search something pretty basic.

45
00:03:50,890 --> 00:03:52,090
I'll search for

46
00:03:53,280 --> 00:03:56,250
Splunk audit logs for the last 60 minutes.

47
00:03:57,840 --> 00:03:59,700
We'll come to writing a search query

48
00:03:59,700 --> 00:04:03,780
and what that means in the later part of our tutorials.

49
00:04:04,650 --> 00:04:11,310
As soon as I hit Enter, the complete bottom screen just below the search bar has completely changed.

50
00:04:12,120 --> 00:04:18,900
Once we kicked off our search, hitting the Enter key and typing index=_audit, which

51
00:04:18,900 --> 00:04:26,070
is nothing but telling search to search its local audit trail or audit logs.

52
00:04:26,670 --> 00:04:32,700
Just below this, there is a message displayed saying from this time to this time, which is nothing

53
00:04:32,700 --> 00:04:40,830
but our last 60 minutes, there were 3000 events and there was no event sampling. Event sampling

54
00:04:40,830 --> 00:04:47,130
is basically used for predicting a trend, and we can set a sample, like how many samples to use.

55
00:04:47,250 --> 00:04:54,870
And there is a Job function which is used to edit these jobs, whether to expire or who can view this

56
00:04:54,870 --> 00:04:57,800
job, whether yourself or everybody.

57
00:04:58,140 --> 00:05:02,370
This link can be seen or used for this job.

58
00:05:02,610 --> 00:05:05,580
There is a lifetime which you can specify. By default,

59
00:05:05,580 --> 00:05:07,710
I believe it's 10 minutes.
60
00:05:07,950 --> 00:05:13,350
You can set it to seven days, whereas if you share this job, by default it will be kept for seven

61
00:05:13,350 --> 00:05:13,650
days.

62
00:05:13,650 --> 00:05:14,990
So that is one more option.

63
00:05:15,000 --> 00:05:21,690
The Inspect Job: whenever your query is throwing some errors or performance is very slow,

64
00:05:21,690 --> 00:05:25,220
the search results take a very long time to respond.

65
00:05:25,230 --> 00:05:29,310
This job inspector will help you to troubleshoot such kinds of issues.

66
00:05:29,310 --> 00:05:36,210
The Delete is just to make sure to kind of erase this from the Splunk cache, so that even if you rerun

67
00:05:36,210 --> 00:05:37,980
the search, it will start from scratch.

68
00:05:37,980 --> 00:05:40,080
It doesn't pop up as it is.

69
00:05:41,010 --> 00:05:42,300
That is it with this menu.