Splunk Enterprise Data Administration
Duration: 3 Days (24 Hours)
Splunk Enterprise Data Administration Course Overview:
This course is tailored for administrators tasked with ingesting data into Splunk Indexers. It offers essential knowledge about Splunk forwarders and techniques for bringing remote data into Splunk indexers. The curriculum encompasses the installation, configuration, management, monitoring, and troubleshooting of Splunk forwarders, as well as components related to the Splunk Deployment Server.
Intended Audience:
- Splunk System Administrators
- IT Professionals responsible for managing Splunk forwarders and data inputs
- Splunk Users and Analysts involved in data ingestion and management
- Anyone seeking to enhance their knowledge of Splunk’s data input and parsing capabilities
Learning Objectives of Splunk Enterprise Data Administration:
- Understanding source types
- Managing and deploying forwarders
- Configuring data inputs:
  - File monitors
  - Network inputs (TCP/UDP)
  - Scripted inputs
  - HTTP inputs (via the HTTP Event Collector)
- Customizing the input phase parsing process
- Defining transformations to modify data before indexing
- Defining search-time knowledge object configurations
Module 1 – Getting Data Into Splunk
- Overview of Splunk and the distributed model
- Data input types and metadata settings
- Configuration of initial input testing
- Testing indexes with input staging
Module 2 – Config Files and Apps
- Identification of Splunk configuration files and directories
- Understanding index-time and search-time precedence
- Validation and updating of configuration files
- Exploration of Splunk apps and app installation
Module 3 – Configuring Forwarders
- Configuration of Universal Forwarders
- Configuration of Heavy Forwarders
Module 4 – Customizing Forwarders
- Configuration of intermediate forwarders
- Identification of additional forwarder options
Module 5 – Managing Forwarders
- Description of Splunk Deployment Server (DS)
- Forwarder management using deployment apps
- Configuration of deployment clients and client groups
- Monitoring forwarder management activities
Module 6 – Monitor Inputs
- Creation of file and directory monitor inputs
- Use of optional settings for monitor inputs
- Deployment of remote monitor inputs
Module 7 – Network Inputs
- Creation of network (TCP and UDP) inputs
- Description of optional settings for network inputs
Module 8 – Scripted Inputs
- Creation of basic scripted inputs
Module 9 – Agentless Inputs
- Configuration of Splunk HTTP Event Collector (HEC) agentless input
- Description of Splunk App for Stream
Module 10 – Operating System Inputs
- Identification of Linux-specific inputs
- Identification of Windows-specific inputs
Module 11 – Fine-tuning Inputs
- Understanding default processing during the input phase
- Configuration of input phase options (source type fine-tuning, character set encoding)
Module 12 – Parsing Phase and Data Preview
- Understanding default processing during parsing
- Optimization and configuration of event line breaking
- Explanation of timestamp and time zone handling during parsing
- Use of Data Preview for event validation during parsing
Module 13 – Manipulating Input Data
- Exploration of Splunk transformation methods
- Creation of rulesets with Ingest Actions
- Data masking with Ingest Action rules and SEDCMD
- Override of sourcetype or host based on event values
Module 14 – Routing Input Data
- Data filtering and routing with Ingest Action rules and TRANSFORMS
Module 15 – Supporting Knowledge Objects
- Configuration of default and custom search-time field extractions
- Pros and cons of index-time field extractions
- Configuration of index-time field extractions
- Management of orphaned knowledge objects
Splunk Enterprise Data Administration Course Prerequisites:
- What is Splunk?
- Intro to Splunk
- Using Fields
- Introduction to Knowledge Objects
- Creating Knowledge Objects
- Creating Field Extractions
Additionally, the following courses are recommended:
- Fundamentals 1
- Fundamentals 2
It’s also beneficial for students to have an understanding of the following course:
- Splunk Enterprise System Administration (recommended)
Discover the perfect fit for your learning journey
Choose Learning Modality
Live Online
- Convenience
- Cost-effective
- Self-paced learning
- Scalability
Classroom
- Interaction and collaboration
- Networking opportunities
- Real-time feedback
- Personal attention
Onsite
- Familiar environment
- Confidentiality
- Team building
- Immediate application
Training Exclusives
This course comes with the following benefits:
- Practice labs
- Training delivered by certified trainers
- Access to the recordings of your class sessions for 90 days
- Digital courseware
- 24x7 learner support