Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search...

49
Copyright © 2016 Splunk Inc. Alex James Principal Product Manager, Splunk Search Optimization Karthik Sabhanatarajan Senior Software Engineer, Splunk &

Transcript of Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search...

Page 1: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Copyright©2016Splunk Inc.

AlexJamesPrincipalProductManager,Splunk

SearchOptimizationKarthikSabhanatarajanSeniorSoftwareEngineer,Splunk

&

Page 2: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Demo

Page 3: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

A B C D L EA B C D L EA B C D LA B C D LA B C D

A B C D L EA B C D L EA B C D LA B C D

Motivation:Taleoftwosearches

3

searchSourceType lookupL evalE searchA&L&E

Diskrawdata&index

searchSourceType&A lookupL searchL evalE searchE

• 10,000,000indexhits• 1,000,000eventscreated(i.e.extractions)• 1,000,000lookups• 1,000,000evals• 1,000,000filters• Produces100,000matchingevents

• 7,000,000fewerindexhits• 700,000 fewereventscreated• 700,000fewerlookups• 800,000fewerevals• Net500,000lessfilters• ProducesIDENTICAL100,000matchingevents

TOTALWORK

SAVINGS

Page 4: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

OptimizationPrinciplesDoaslittleworkaspossible– Retrieveonlytherequireddata– Moveaslittledataaspossible– Parallelizeasmuchworkaspossible– Setappropriatetimewindows

ImplicationsbasedonSplunkArchitecture– Filterasmuchaspossibleintheinitialsearch– Join/Lookuponlyonrequireddata– Evalontheminimumnumberofeventspossible– Delaycommandsthatbringdatatothesearchheadasmuchaspossible.

4

Page 5: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

NewinSplunk6.5

Page 6: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Howsearchworksin6.4.

6

searchsourcetype=access-*(status=401orstatus=403)|lookup usertogroupuserOUTPUTgroup|where src_category=“email_server”

search lookup

1)Spliton‘|’andcreateprocessorpipeline

2)Distributebetweenindexandsearchheads,passargumentsandexecute

search lookup whereIndexer1

search lookup whereIndexer2

combine

Searchhead

where

Page 7: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Howsearchworksin6.5.

7

searchsourcetype=access-*(status=401orstatus=403)|lookup usertogroupuserOUTPUTgroup|where src_category=“email_server”

search lookup

1)ParseintoAST

search lookupIndexer1

search lookupIndexer2combine

Searchhead

searchsourcetype=access-*(status=401orstatus=403)src_category=“email_server”|lookup usertogroupuserOUTPUTgroup

2)OptimizeAST

3)ConstructPipelinefromAST

JSONAST

OptimizedJSONAST

4)Distributebetweenindexandsearchheads,passargumentsandexecute

Page 8: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Demo

Page 9: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Whatoptimizationsaredone?

9

Pushingpredicatestotheleft(ordown)– For*any*streamingcommandsthatdon’tmodifyafield:

– |rangemap field=scoreF=0-64D=65-69C=70-79B=80-89A=90-100|wherehost=mail30– |wherehost=mail30|rangemap field=scoreF=0-64D=65-69C=70-79B=80-89A=90-100

– SpecialHandlingforsomecommands:ê Rename– |renamesrc asip |whereip=“192.1.2.13”– |wheresrc=“192.1.2.13”|renamesrc asip

ê Eval– |evalsrc=if(isnull(src)ORsrc=“”,“unknown”,src |wheresrc =“192.1.2.13”– |wheresrc =“192.1.2.13”|evalsrc=if(isnull(src)ORsrc=“”,“unknown”,src

ê Byclausefilters– |statscountbyclientip|searchclientip=“192.0.0.0/8”– |searchclientip=“192.0.0.0/8”|statscountbyclientip

Search/Wheremerging– searchERROR|search404|wheresourcetype=“windows”– searchERROR404sourcetype=“windows”

Page 10: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Whatoptimizationsarecominglater?

10

PredicateSplittingPredicateNormalizationCollapsingconsecutivecommandsConvertingEvalFunctionsintoSearchfiltersifpossibleProjectionEliminationRe-usingprevioussearchresults

Page 11: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Whatdoesthismeanforyou?

11

FasterSearchesUpgradeto6.5Scanfor‘inefficientsearches’– Especiallyinscheduledworkloads...

UsetheJobInspectortoseeoptimizationinactionOptimizefurthermanuallyifneeded

Page 12: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Q&A

12

Page 13: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT
Page 14: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Disclaimer

14

Duringthecourseofthispresentation,wemaymakeforwardlookingstatementsregardingfutureeventsortheexpectedperformanceofthecompany.Wecautionyouthatsuchstatementsreflectourcurrentexpectationsandestimatesbasedonfactorscurrentlyknowntousandthatactualeventsorresultscoulddiffermaterially.Forimportantfactorsthatmaycauseactualresultstodifferfromthose

containedinourforward-lookingstatements,pleasereviewourfilingswiththeSEC.Theforward-lookingstatementsmadeinthethispresentationarebeingmadeasofthetimeanddateofitslivepresentation.Ifreviewedafteritslivepresentation,thispresentationmaynotcontaincurrentoraccurateinformation.Wedonotassumeanyobligationtoupdateanyforwardlookingstatementswemaymake.Inaddition,anyinformationaboutourroadmapoutlinesourgeneralproductdirectionandissubjecttochangeatanytimewithoutnotice.Itisforinformationalpurposesonlyandshallnot,beincorporatedintoanycontractorothercommitment.Splunkundertakesnoobligationeithertodevelopthefeaturesor

functionalitydescribedortoincludeanysuchfeatureorfunctionalityinafuturerelease.

Page 15: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

MigratingSlidesforMac1. Forbestresults,simplypasteyourslidesintothis

template.

2. ApplyslidelayoutsusingtheLayout buttonundertheFormattab.

3. IfLayoutstilldoesnotreflectthedesiredMasterLayout,chooseResetLayouttoDefaultsettings.

4. Deleteunwantedtemplateslides(anyslidesafterLastSlide).

5. ChooseSaveAstosavethefilewithoutoverwritingthetemplate.

15

Page 16: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

MigratingSlidesforPC1. Forbestresults,simplypasteyourslidesintothistemplate.

– Pastingafterabulletslideisrecommended

2. Reviewallslidesandmakeformattingadjustmentsasneeded– OntheHome ribbon,clickLayout andselectthecorrectslidelayout– ClickReset toresetallslideelementstothedefaultsizeandposition– Checkforhiddentext,suchaswhitetextonawhitebackground

3. Deleteunnecessarytemplateslides4. SaveAstosavethefilewithoutoverwritingthetemplate

16

Page 17: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

SlideMasters• Whenimportingslidesfromanotherpresentation,the

SlideMastersassociatedwiththoseslidesmayalsoimporttothistemplate.Thisisa‘feature’ofPPTandcannotbeturnedoff.

• TodeleteunwantedSlideMasters:– makesureallslidesinthepresentationhavethenew

templateSlideMasterLayoutsassigned(first16SlideMastersshownunderLayout)

– GotoView/MastertodeleteanyunwantedSlideMasters

• ThelastSlideMasterinthistemplateiscalledLastSlide.AnySlideMastersafterthisslidewerelikelyimportedfromanotherpresentationandcanbedeleted(ifnolongerusedbyanyslides.)

17

Page 18: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

ImportantTips• Thistemplateusesareducedslidesize.Youmayhavetomanuallydecreasethesizeofsomeitemssuchasstrokes andfonts.

• Iffontsappearbiggerthandesired,remembertoassignaLayout toyourslideandResettoDefaultSettings.

• Ifpagenumbersdonotappearorarethewrongformatting,remembertoassignaLayout toyourslideandResettoDefaultSettings.

• Thecolorsinyourgraphicswillautomaticallybeshiftedtothenewpalette.Pleaseadjustasneeded.

18

Page 19: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Agenda

AgendaItemAgendaItemAgendaItem

19

Page 20: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

2012GoalsandObjectivesExample

GoalItemGoalItemGoalItem

20

Page 21: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

SampleTitle,66pt.Calibri

21

Page 22: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

SampleTitle,66pt.Calibri

22

Subhead

Page 23: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

TitleOnlySlide,60pt.Calibri

23

Page 24: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

TitleOnlySlide,54pt.Calibri

24

Page 25: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Samplewithscreenshot

25

Screenshothere

Page 26: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

SampleTwo-columnFormatSubhead

26

Sampletwo-columnformat

• Sampletwo-columnformat,sentence– Secondbullet

Sampletwo-columnformat

Page 27: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

SplunkObjectStyleandColor

27

Hardware ProductBusiness/Corporate

HighlightOnlyGenericVirtualization

Generic

Thesearesuggestedusesforcolorsonly.

Page 28: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

AssignDefaultObjectStyle

28

Page 29: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

ApplyingSplunkObjectStyle

29

ToapplytheSplunk objectstyletoanyshape:1. Selecttheshapewiththedesiredstyle2. ClickonFormatPainter(paintbrush)toolintoolbar3. Applystyletoanynewshape

Page 30: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Logos

30

CorporateLogo ProductLogo

Page 31: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Logos

31

Page 32: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Logos

32

Page 33: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Splunk Icons

33

search barchart lock cloud opencloud checkmark envelope

storage- 3storageiPhoneiPadandroid

server indexer forwarder searchhead desktop laptop

datacenter

Splunk server

firewall

Page 34: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Splunk IconsCont’d

34

application virtualmachine virtualserver network wwworglobal tools

logfile RFID router loadbalancer script shoppingcart

user users gears/settings gear messaging tag/ticket

document

alert

gps tower

Page 35: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Splunk Icons

35

Checkmark InfoAlert StopiPhoneiPadAndroid

Twitter Facebook LinkedIn RSS YouTube ShoppingcartGPSTower

Healthcare Hospital Officebuilding VoIPPhone Support POSCardReader RFID

Page 36: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Splunk Icons

36

Page 37: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

SecurityIcons

37

FirewallAttacker,Generic

Attacker,Insider

Attacker,Nation/State

Botnet Key

Malware MalwareDocument

MalwarePackaged

SecurityBadge

SecurityServer

Shield VirusFootsteps

Page 38: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

TheInternetofThingsIcons

38

POSCardReader

RFIDElectricCar

EMVReaderInternetofThings Meter Factory

SignatureCapture

Page 39: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

Arrows

39

Page 40: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

TableExample

40

ColumnTitle ColumnTitle ColumnTitle ColumnTitle

Text Text Text Text

Text Text Text Text

Text Text Text Text

Text Text Text Text

Text Text Text Text

Page 41: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

TableExample

41

ColumnTitle ColumnTitle ColumnTitle ColumnTitle

Text Text Text Text

Text Text Text Text

Text Text Text Text

Text Text Text Text

Text Text Text Text

Page 42: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

SampleCustomerSuccess

42

Customerlogohere

CustomernameCustomercompany

“SplunkmakesitcheaperandeasierforHughestoanalyzenetworktrafficforenterprisecustomersaswellasmanagebandwidthforconsumerandsmallbusinesscustomers.”

BulletplaceholderBulletplaceholderBulletplaceholder

Screenshotorgraphichere

Page 43: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

TimelineChart

43

Q1 Q2 Q3 Q4

Milestone Event

Page 44: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

ChartExample

44

PlannedActual

Number

Number

Number

Number

Number

FY09 FY10FY08PreviousYear

N%growthoverFYxx

Page 45: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

QuoteBox

45

“Apessimistseesthedifficultyineveryopportunity;anoptimistseestheopportunityineverydifficulty.”

-WinstonChurchill

Page 46: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

QuoteBox

46

Page 47: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

QuoteBox

47

Page 48: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

WhatNow?

48

Relatedbreakoutsessionsandactivities…

Page 49: Principal Product Manager, Splunk Senior Software Engineer ... · How search works in 6.5. 7 search sourcetype=access-* (status=401 or status=403) | lookupusertogroup user OUTPUT

THANKYOU


Basics of Credit Analysis Alexandru Cebotari. Sources and Types of Risks SourceType or Nature InternationalExchange Rate Changes Host Government Regulations.

Basics of Credit Analysis Alexandru Cebotari. Sources and Types of Risks SourceType or Nature InternationalExchange Rate Changes Host Government Regulations.

Bill Status Search by Bill - New York State Bar Association

Bill Status Search by Bill - New York State Bar Association

Lopol: Logical Policy Analysis in SELinuxselinuxsymposium.org/2006/slides/07-lopol.pdf · accurate information flow model. Specific Rules •SourceType –types that may yield vulnerabilities

Lopol: Logical Policy Analysis in SELinuxselinuxsymposium.org/2006/slides/07-lopol.pdf · accurate information flow model. Specific Rules •SourceType –types that may yield vulnerabilities

Search Forms Preview Forms - Intuit › content › dam › intuit › ...QuickBooks Accountant Mary Maciejewski's Return 1040 Tax Year 2018 Return Status: Select Status Mary Maciejewski's

Search Forms Preview Forms - Intuit › content › dam › intuit › ...QuickBooks Accountant Mary Maciejewski's Return 1040 Tax Year 2018 Return Status: Select Status Mary Maciejewski's

Status of Search for Compact Binary Coalescences During LIGO’s Fifth Science Run

Status of Search for Compact Binary Coalescences During LIGO’s Fifth Science Run

Search Team Status - infO(1) Cup

Search Team Status - infO(1) Cup

Search for Compliance - Arkansas PASSE Program · 2017-04-12 · Search for Compliance Methadone Training: Documentation Requirements for ... marital/legal status, appropriate consent

Search for Compliance - Arkansas PASSE Program · 2017-04-12 · Search for Compliance Methadone Training: Documentation Requirements for ... marital/legal status, appropriate consent

9.12.2004I.Kreslo / LHEP BERN1 Status of scanning in Bern HW status SW status pi/mu separation ( PSI 2004 ) vertex search (CERN 2004)

9.12.2004I.Kreslo / LHEP BERN1 Status of scanning in Bern HW status SW status pi/mu separation ( PSI 2004 ) vertex search (CERN 2004)

Search Team Status

Search Team Status

Status of ULE-HPGe Experiment for WIMP Search

Status of ULE-HPGe Experiment for WIMP Search

Glove box Status of the DEAP-3600 Dark Matter Search ...

Glove box Status of the DEAP-3600 Dark Matter Search ...

Status of the Hough CW search code - Plans for S2 -

Status of the Hough CW search code - Plans for S2 -

Higgs Search at LHC (and LHC/CMS status)

Higgs Search at LHC (and LHC/CMS status)

MCD: How To - Overview · 2020. 9. 3. · Overview. MCD Notice Board, Search by Document ID, How to use this site, MCD Update Status, Public Comments Tool; Advanced Search-OR-Search.

MCD: How To - Overview · 2020. 9. 3. · Overview. MCD Notice Board, Search by Document ID, How to use this site, MCD Update Status, Public Comments Tool; Advanced Search-OR-Search.

Person or Thing - In Search of the Legal Status of a Fetus

Person or Thing - In Search of the Legal Status of a Fetus

Russian Foreign Policy Continuity Revolution and the Search for Status Paul D Anieri

Russian Foreign Policy Continuity Revolution and the Search for Status Paul D Anieri

Indirect DM Search: Current Status and Report

Indirect DM Search: Current Status and Report

Search*OpCmizaon* - SplunkConf...Duplicate*Structured*Fields* • SomeCmes*both*indexed*extracCons*and*search*Cme*parsing*are* enabled*for*aCSV*or*JSON* sourcetype.*This*is*repeated*unnecessary*

Search*OpCmizaon* - SplunkConf...Duplicate*Structured*Fields* • SomeCmes*both*indexed*extracCons*and*search*Cme*parsing*are* enabled*for*aCSV*or*JSON* sourcetype.*This*is*repeated*unnecessary*

friendbook Search - SaferInternet4kids...Εκπαίδευση: 2ο Γυμνάσιο Αθήνας Τόπος κατοικίας: Αθήνα Relationship status: Ελεύθερη Email:

friendbook Search - SaferInternet4kids...Εκπαίδευση: 2ο Γυμνάσιο Αθήνας Τόπος κατοικίας: Αθήνα Relationship status: Ελεύθερη Email:

DOI Access User Training September, 2018 · 2020. 5. 13. · Search will find records in any status; hover cursor over green/red check/x-mark to see status Employment status value

DOI Access User Training September, 2018 · 2020. 5. 13. · Search will find records in any status; hover cursor over green/red check/x-mark to see status Employment status value