Course structure
Module 1 – Introduction to Data Administration
- Provide an overview of Splunk
- Describe the four phases of the distributed model
- Describe data input types and metadata settings
- Configure initial input testing with Splunk Web
- Test indexes with input staging
Module 2 – Getting Data In – Staging
- Identify Splunk configuration files and directories
- Describe index-time and search-time precedence
- Validate and update configuration files
Module 3 – Configuring Forwarders
- Identify the role of production indexers and forwarders
- Understand and configure Universal Forwarders
- Understand and configure Heavy Forwarders
- Understand and configure intermediate forwarders
- Identify additional forwarder options
Module 4 – Forwarder Management
- Describe Splunk Deployment Server (DS)
- Manage forwarders using deployment apps
- Configure deployment clients and client groups
- Monitor forwarder management activities
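A worked configuration for Modules 3 and 4, added here as an example rather than taken from the course: a universal forwarder's outputs.conf sending to indexers over mutual TLS with indexer acknowledgement, the receiving stanza an intermediate forwarder needs, the single setting that stops a heavy forwarder from keeping a local copy of what it forwards, and the deployment-client and server-class stanzas that let the Deployment Server push these apps to forwarders. All hostnames, ports, certificate paths, app names and server-class names are placeholders.

```ini
# ---- outputs.conf on a universal forwarder (added example; all names are placeholders) ----
[tcpout]
defaultGroup = prod_indexers
# Indexer acknowledgement: the forwarder re-sends anything the indexer never confirmed
useACK = true

[tcpout:prod_indexers]
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997
autoLBFrequency = 30
# Mutual TLS: present our client cert and verify the indexer's cert against our CA
clientCert = $SPLUNK_HOME/etc/auth/certs/forwarder.pem
sslPassword = replace-me-splunkd-encrypts-this-on-restart
sslRootCAPath = $SPLUNK_HOME/etc/auth/certs/internal-ca.pem
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.com, idx2.example.com, idx3.example.com

# ---- inputs.conf on an intermediate forwarder (receives from UFs, forwards using an outputs.conf like the one above) ----
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/certs/intermediate.pem
sslPassword = replace-me
# Reject forwarders that cannot present a certificate signed by our CA
requireClientCert = true

# ---- outputs.conf on a heavy forwarder: parse and forward, do not keep a local copy ----
[indexAndForward]
index = false

# ---- deploymentclient.conf, shipped with the forwarder install ----
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = ds.example.com:8089

# ---- serverclass.conf on the Deployment Server ----
[serverClass:prod_linux_web]
whitelist.0 = web-prod-*
blacklist.0 = web-prod-canary*
machineTypesFilter = linux-x86_64

# Members of this class receive the app and restart splunkd when it changes
[serverClass:prod_linux_web:app:prod_uf_outputs]
stateOnClient = enabled
restartSplunkd = true
```

The outputs.conf and deploymentclient.conf stanzas each live in their own deployment app under the server's deployment-apps directory, which is what the server class references. On a forwarder, `splunk list forward-server` shows which indexers are active versus configured, which is the quickest check that TLS and the CA chain are right. The Deployment Server distributes whatever is in a deployment app, scripted inputs included, to every client in the class, so treat its management port and admin role like any other code-distribution point: reachable only from forwarders and changed only through reviewed apps.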
Module 5 – Monitor Inputs
- Create file and directory monitor inputs
- Use optional settings for monitor inputs
- Deploy a remote monitor input
Module 6 – Network and Scripted Inputs
- Create network (TCP and UDP) inputs
- Describe optional settings for network inputs
- Create a basic scripted input
Module 7 – Agentless Inputs
- Configure Splunk HTTP Event Collector (HEC) agentless input
- Describe Splunk App for Stream
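One inputs.conf covering Modules 5 through 7, added here as an example and not part of the course material: a plain monitor input, a monitor input using the optional whitelist, blacklist, ignoreOlderThan and crcSalt settings, UDP and TLS-wrapped TCP network inputs with sender allow-lists, a scripted input, and an HTTP Event Collector token scoped to specific indexes. Paths, ports, index and sourcetype names, CIDR ranges, the app name and the token value are placeholders.

```ini
# ---- inputs.conf (added example; paths, ports, indexes, CIDRs and the token are placeholders) ----

# Module 5: monitor inputs. Comments must sit on their own line in Splunk .conf files.
[monitor:///var/log/secure]
disabled = 0
index = os
sourcetype = linux_secure

[monitor:///var/log/nginx]
disabled = 0
index = web
sourcetype = nginx:access
# Read only live access logs, skip rotated archives, do not backfill stale files
whitelist = access\.log$
blacklist = \.gz$
ignoreOlderThan = 7d
# Salt the CRC with the path so files sharing an identical first line are not treated as one
crcSalt = <SOURCE>

# Module 6: network inputs. Plain TCP/UDP carry no authentication, so restrict senders.
[udp://514]
disabled = 0
index = network
sourcetype = syslog
connection_host = ip
acceptFrom = 10.10.0.0/16, !10.10.99.0/24

[tcp-ssl:6514]
disabled = 0
index = network
sourcetype = syslog
connection_host = dns
acceptFrom = 10.10.0.0/16

# Applies to every tcp-ssl input on this host
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/certs/hf.pem
sslPassword = replace-me
requireClientCert = true

# Module 6: scripted input. Splunk only executes scripts from an app's bin directory.
[script://$SPLUNK_HOME/etc/apps/sec_os/bin/listening_ports.sh]
disabled = 0
interval = 300
index = os
sourcetype = os:listening_ports

# Module 7: HTTP Event Collector. One token per sending application, limited to its indexes.
[http]
disabled = 0
port = 8088
enableSSL = 1

[http://webapp_prod]
disabled = 0
# Placeholder GUID; create the real token in Splunk Web or through the REST API
token = 11111111-2222-3333-4444-555555555555
index = web
indexes = web, web_summary
sourcetype = webapp:json
useACK = 1
```

`splunk btool inputs list --debug` prints the merged configuration with the file each setting came from, and input errors land in splunkd.log. Two caveats a practitioner will want: TLS on the 6514 listener protects data in transit, but without `requireClientCert` any host inside the acceptFrom range can still inject events; and a HEC token is a bearer credential, so the `indexes` list is what bounds the damage if it leaks.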
Module 8 – Operating System Inputs
- Identify Linux-specific inputs
- Identify Windows-specific inputs
Module 9 – Fine Tuning Inputs
- Understand the default processing that occurs during input phase
- Configure input phase options, such as source type fine-tuning and character set encoding
Module 10 – Parsing Phase and Data
- Understand the default processing that occurs during parsing
- Optimize and configure event line breaking
- Explain how timestamps and time zones are extracted or assigned to events
- Use Data Preview to validate event creation during parsing phase
Module 11 – Manipulating Raw Data
- Explain how data transformations are defined and invoked
- Use transformations with props.conf and transforms.conf to:
  - Mask or delete raw data as it is being indexed
  - Override sourcetype or host based upon event values
  - Route events to specific indexes based on event content
  - Prevent unwanted events from being indexed
- Use SEDCMD to modify raw data
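A props.conf and transforms.conf pair for a hypothetical `payment:app` sourcetype, added as an example for the parsing and raw-data objectives above and not taken from the course. The two constructed sample lines in the leading comment are what the settings operate on: line breaking and timestamp extraction first, then SEDCMD masking, a _raw-rewriting transform, a nullQueue drop, host and sourcetype overrides, and index routing. The sourcetype, stanza names, index names, field names and regexes are all assumptions.

```ini
# Constructed sample events (not real data):
# 2024-03-14T09:21:07.512+0000 app01 payment INFO user=alice card=4111111111111111 status=ok session=0123456789abcdef0123456789abcdef
# 2024-03-14T09:21:08.004+0000 app01 payment DEBUG user=alice card=4111111111111111 status=retry session=0123456789abcdef0123456789abcdef

# ---- props.conf ----
[payment:app]
# Parsing: every event starts with an ISO-8601 timestamp, so break on it and never merge.
# Read the time from the start of the line and stop looking after 30 characters.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 30
# Used only for events whose timestamp carries no UTC offset
TZ = UTC
TRUNCATE = 10000

# Raw data: SEDCMD rewrites _raw, here keeping only the last four card digits
SEDCMD-mask_card = s/card=\d{12}(\d{4})/card=XXXXXXXXXXXX\1/g
# TRANSFORMS-<class> entries run in ASCII order of <class>; within one entry, left to right.
# Mask first, then drop, then override metadata, then choose the index.
TRANSFORMS-0_mask = mask_session
TRANSFORMS-1_filter = drop_debug
TRANSFORMS-2_meta = host_from_event, sourcetype_for_auth
TRANSFORMS-3_index = failed_to_security

# ---- transforms.conf ----
[mask_session]
# A _raw rewrite: the regex must match the whole event, and $n are its captures
REGEX = (?m)^(.*session=)[0-9a-f]{28}([0-9a-f]{4}.*)$
FORMAT = $1############################$2
DEST_KEY = _raw

[drop_debug]
# DEBUG noise goes to nullQueue: never indexed, never counted toward license volume
REGEX = \sDEBUG\s
DEST_KEY = queue
FORMAT = nullQueue

[host_from_event]
# Take host from the second token (the emitting node) rather than the forwarder's name
REGEX = ^\S+\s+(\S+)\s
DEST_KEY = MetaData:Host
FORMAT = host::$1

[sourcetype_for_auth]
# Events carrying an authentication action get their own sourcetype
REGEX = \s(?:login|logout|mfa)\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::payment:auth

[failed_to_security]
# Route denied or failed payments to the security index
REGEX = status=(?:denied|failed)
DEST_KEY = _MetaData:Index
FORMAT = security
```

These settings take effect on the first parsing instance in the path, a heavy forwarder or an indexer; a universal forwarder ignores them, so the unmasked card number still crosses the network from the UF to that instance, and anything that must never leave the host has to be masked by the application or a local heavy forwarder. An index-time sourcetype override only relabels the event: the original sourcetype's line breaking and timestamp settings have already run, while search-time settings for the new sourcetype do apply. Validate with `splunk btool props list payment:app --debug` and with Data Preview before pointing production data at it.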
Module 12 – Supporting Knowledge Objects
- Define default and custom search time field extractions
- Identify the pros and cons of indexed time field extractions
- Configure indexed field extractions
- Describe default search time extractions
- Manage orphaned knowledge objects
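The three ways of defining a field for the same hypothetical `payment:app` sourcetype, added as an example for this module and not part of the course: an inline search-time extraction, a search-time extraction delegated to transforms.conf, and an index-time field that requires a WRITE_META transform plus a fields.conf declaration. The sourcetype, stanza names and field names are assumptions.

```ini
# ---- props.conf (added example; payment:app and the field names are placeholders) ----
[payment:app]
# Search-time, inline: no effect on the index, can be changed at any time
EXTRACT-user_status = user=(?<user>\S+).*?status=(?<status>\w+)
# Search-time, via transforms.conf: reusable across sourcetypes
REPORT-kv = payment_kv
# Index-time: the value is written into the index next to the event
TRANSFORMS-idx_status = status_indexed

# ---- transforms.conf ----
[payment_kv]
# Apply the regex repeatedly to pull out every key=value pair in the event
REGEX = (\w+)=(\S+)
FORMAT = $1::$2
REPEAT_MATCH = true

[status_indexed]
REGEX = status=(\w+)
FORMAT = status_idx::$1
WRITE_META = true

# ---- fields.conf (declare indexed fields so searches use the index rather than scanning _raw) ----
[status_idx]
INDEXED = true
```

The trade-off the module asks for is visible in the block: a mistake in `EXTRACT-user_status` is fixed by editing one line, while a mistake in `status_indexed` is baked into every event indexed before the fix and costs index space for every event after it. Indexed fields earn their keep when the value is common in _raw outside the field (searching `status_idx=ok` is exact, where `status=ok` as a search-time field must first scan every event containing `ok`). When the user who owns a search-time extraction or other knowledge object is removed, the object becomes orphaned and stops running for scheduled work; Splunk Web lists these under Settings > All configurations > Reassign Knowledge Objects, where they can be handed to a service account.

Module 13 – Creating a Diag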