10 Feb 2025
Real Time
Splunk Admin + Development
3 Months (Fast Track)
● Splunk Administration: Learn to set up, manage, and optimize Splunk in a clustered environment.
● Splunk Development: Build dashboards, extract fields, and create reports & alerts for data analysis.
Prepared by
Soft Mania
Table of Contents
Splunk Admin
Requirement gathering
Capacity Planning - Basics
Architecture Planning - Basics
Setup a Splunk Clustered environment
Deploy Apps to Clustered environment
Onboard the data to Splunk Clustered environment
Splunk Development
Field Extraction from data
CIM Mapping
Dashboard development
Reports & Alerts creation
References
Contact
Splunk Admin
Requirement gathering
● Identify data sources, log formats, and ingestion methods.
● Define access controls, retention policies, and compliance needs.
● Gather performance, scaling, and monitoring requirements.
Capacity Planning - Basics
● Estimate data ingestion volume and indexing needs.
● Plan hardware resources (CPU, RAM, storage) based on workload.
● Consider license limits and future scalability.
Architecture Planning - Basics
● Design Splunk deployment (Standalone vs. Clustered).
● Plan search head, indexer, and forwarder distribution.
● Ensure high availability, load balancing, and fault tolerance.
Setup a Splunk Clustered environment
● How to create an AWS EC2 Linux instance & install Splunk
● Indexer Cluster - 3 Indexers, 1 Cluster Manager
● Search Head Cluster - 3 Search Heads, 1 Deployer
● 1 Monitoring Console, 1 License Manager
● 1 Intermediate Forwarder
● 1 UF - To collect Linux server logs
● 1 UF - To collect Windows server logs
● Troubleshoot Common cluster issues
Deploy Apps to Clustered environment
● How to split Apps/Add-ons for deployment in a distributed environment?
● How to Deploy Apps to Search Head Cluster?
● How to Deploy Apps to Indexer Cluster?
● How to Deploy Apps to Forwarders using Deployment Server?
● How to create an Index in an Indexer Cluster?
● How to clean data from Splunk Index?
● How to delete an Index from Indexer Cluster?
● Troubleshoot Common App Deployment Issues
Onboard the data to Splunk Clustered environment
● How to Onboard data from Windows Active Directory
● How to Onboard data from Windows DNS
● How to Onboard data from Open VPN
● How to Onboard data from Syslog
● How to Onboard data from Intrusion Detection - OSSEC
● Different methods in Data Onboarding
○ File monitoring
○ Directory Monitoring
○ Scripted Input
○ Network events - TCP, UDP
○ HTTP Event Collector
○ Splunk DB Connect
● Different use-cases in Data Forwarding
○ Routing and Filtering the data
○ Masking the data
● Parsing - Data Quality check
○ Line breaking
○ Timestamp Extraction
■ Custom Time Format
■ Time-zone configuration, etc.
○ Host name extraction
○ Sourcetype override
○ Index override
○ Index Time Field Extraction
● How does Splunk store the data?
○ Index
■ Retention Policy
■ Buckets concept
○ Replication Factor & Search Factor
○ Searchable / Non-searchable bucket copies
● How do you estimate/find/calculate license usage? (Standalone)
● What types of licenses are available?
● The difference between a Universal Forwarder and a Heavy Forwarder
● How to select a Forwarder?
● Troubleshoot Common Data Onboarding / Parsing issues
Splunk Development
Field Extraction from data
● Regular Expression basics
● How to extract fields from unstructured data?
● How to create calculated fields?
● How to add lookup information into the raw data?
● Why does sourcetype matter in Splunk?
● Where should a particular configuration-file property be deployed?
● How to create eventtypes & tags?
● Troubleshoot Common Field extraction issues
CIM Mapping
● What is Common Information Model (CIM)?
● How is CIM used?
● How to use Data Models in Splunk?
● How to write queries for common scenarios?
● Troubleshoot common CIM Mapping issues
Dashboard development
● How to create Different visualizations in Splunk?
● How to add Different Inputs to Splunk Dashboards?
● How to grant a specific user access to a specific dashboard?
● How do you create dependent dropdowns?
● How do you create a drill-down for panels?
● How do you handle tokens inside the dashboard?
● Troubleshoot Common Dashboard issues
Reports & Alerts creation
● How to create a Report?
○ Schedule a Report for a Particular Time
○ Schedule a Report That Sends a PDF to Multiple Email IDs Based on Data
○ Schedule a Report to Improve Dashboard Performance
○ Generate Scheduled Reports with Conditional Data Splitting
○ Export Scheduled Reports in Multiple Formats
○ Use Lookup Files in Scheduled Reports
● How to create an Alert?
○ Trigger an Alert When a Report Detects Anomalies
○ Throttle Alerts to Avoid Spam Notifications
○ Create Alerts Based on Dynamic Thresholds (Trend-Based Alerting)
○ Trigger Multi-Action Alerts (Email, Script Execution, Ticketing, etc.)
○ Trigger Alerts Based on Lookup Data
○ Trigger Alerts Using REST API/Webhooks
○ Use Per-Result vs. Aggregated Alerts
○ Suppress Alerts During Maintenance Windows
● Troubleshoot common Reporting & Alerting Issues
Happy Splunking…!!
For any help/support required on Splunk, please contact the Soft Mania Team using any one of the methods mentioned at the end of this document.
References
https://docs.splunk.com/Documentation/Splunk
Contact
Email: [email protected]
Website: Soft Mania
WhatsApp: https://wa.me/918317349618
WhatsApp Community: https://chat.whatsapp.com/Ll5I8yPEHbACYQrQvb17e2
LinkedIn: https://www.linkedin.com/company/softmania-tech
Instagram: https://www.instagram.com/softmaniatech
YouTube: https://www.youtube.com/@SoftManiatech
Telegram: https://t.me/SoftManiaTech