Splunk contains a huge amount of information, and it can be daunting. Here are some tips to make that information useful to you and your unit.
Know What You're Looking For
Base your search on the goal you want to accomplish. Do you want to see events or generate a report? What kind of data do you need to look for?
Example: Are you looking for wireless access, auditing, database, etc.?
Understand Your Data
Take the time to learn which indexes contain your data, the sources of your data, and the source types. Knowing this information about your data helps you narrow down your searches.
Example: Run "| tstats count where index=* by index, source, sourcetype". This returns a table of the indexes, sources, and sourcetypes you have access to, with an event count for each.
Be Specific
Time is the best way to narrow down your search. By narrowing the time range, you retrieve only the events you actually need and cut down on disk space. To optimize your search further, also know the index, source, sourcetype, and host.
Example: Do you know roughly when an event occurred? Are you looking for the past 24 hours? Do you know the type of access points on campus? Do you know what computer or server they were logging into?
Filter Early
Specifying fields before the first pipe is an efficient way to filter out events. By including only the fields you need, or explicitly excluding the ones you don't, you make your searches more effective.
Example: Run ... | fieldsummary | search values="**" and enter the value you're looking for between the two asterisks, which act as wildcards. This will show the field names whose values match what you specified. Are you looking for certain IP addresses? Do you want to see which users failed to log in?
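As an added example that is not from the original page, the two searches below ask the same question (which users failed to log in most often in the last 24 hours), first the slow way and then following the tips above: a bounded time range, a specific index, sourcetype and host, and filtering before the first pipe. The index name wineventlog, the host pattern ad-*, and the field names user and src_ip are assumptions for illustration; EventCode=4625 is the Windows Security log's failed-logon event.

```spl
index=*
| search sourcetype="WinEventLog:Security" EventCode=4625
| stats count by user

index=wineventlog sourcetype="WinEventLog:Security" host="ad-*" EventCode=4625 earliest=-24h latest=now
| fields _time, host, user, src_ip
| stats count AS failures, dc(src_ip) AS distinct_sources BY user
| where failures > 10
| sort - failures
```

Run each search separately: the first reads every event in every index for whatever time range the picker is set to and then discards almost all of them, while the second lets Splunk read only the buckets that can contain a match.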