Splunk 9.x Enterprise Certified Admin Guide

Book description

Find all the information, exercises, and tools to ace the Splunk Enterprise Certified Admin exam in one place

Key Features

  • Explore various administration topics including installation, configuration, and user management
  • Gain a deep understanding of data inputs, parsing, and field extraction
  • Excel in the Splunk Enterprise Admin exam with the help of self-assessment questions and mock exams
  • Purchase of the print or Kindle book includes a free PDF eBook

Book Description

Demand for Splunk, and for skilled Splunk professionals, continues to surge across the IT sector, opening up more opportunities with each passing year. If you want to advance your career as a Splunk Enterprise administrator, then Splunk 9.x Enterprise Certified Admin Guide will not only help you excel on your exam but also pave the way for a successful career.

You’ll begin with an overview of Splunk Enterprise, including installation, license management, user management, and forwarder management. Additionally, you’ll delve into index management, including creating and managing the indexes that store data in Splunk. You’ll also uncover the configuration (.conf) files used to configure the various settings and components of Splunk, and learn how their precedence rules determine which setting wins.

As you advance, you’ll explore data administration, including data inputs, which collect data from sources such as monitored log files and directories, network protocols (TCP/UDP), scripted inputs and APIs, and the agentless HTTP Event Collector (HEC).

You’ll also discover search-time and index-time field extractions, which make the data in Splunk more searchable and accessible and underpin the reports and visualizations built on it. The self-assessment questions and answers at the end of each chapter will help you gauge your understanding.

By the end of this book, you’ll be well versed in all the topics required to pass the Splunk Enterprise Admin exam and use Splunk features effectively.

What you will learn

  • Explore Splunk Enterprise 9.x features and usage
  • Install, configure, and manage licenses and users for Splunk
  • Create and manage indexes for data storage
  • Explore Splunk configuration files, their precedence, and troubleshooting
  • Manage forwarders and source data into Splunk from various resources
  • Parse and transform data to make it easy to use
  • Extract fields from data at search and index time for data analysis
  • Engage with mock exam questions to simulate the Splunk admin exam

Who this book is for

This book is for data professionals looking to gain certified Splunk administrator credentials. It will also help data analysts, Splunk users, IT experts, security analysts, and system administrators seeking to explore the Splunk admin realm, understand its functionalities, and become proficient in effectively administering Splunk Enterprise. This guide serves as both a valuable resource for learning and a practical manual for administering Splunk Enterprise, encompassing features beyond the scope of certification preparation.

Table of contents

  1. Splunk 9.x Enterprise Certified Admin Guide
  2. Contributors
  3. About the author
  4. About the reviewer
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Conventions used
    6. Get in touch
    7. Share Your Thoughts
    8. Download a free PDF copy of this book
  6. Part 1: Splunk System Administration
  7. Chapter 1: Getting Started with the Splunk Enterprise Certified Admin Exam
    1. Introducing the certification exam
    2. The weightage of topics in the exam
    3. Introducing the exam’s test pattern
      1. True or false category
      2. Single-answer category
      3. Multiple-choice category
    4. What is Splunk Enterprise?
    5. Introducing Splunk Enterprise 9.x features
    6. Understanding Splunk components
      1. Processing components
      2. Management components
    7. Splunk Validated Architectures (SVAs)
      1. Single-server deployment
      2. Distributed non-clustered deployment
      3. Distributed cluster deployment and SHC – single-site
      4. Distributed clustered deployment and SHC – multi-site
    8. Splunk installation – standalone
      1. Installation system requirements
      2. Installation steps
    9. Summary
    10. Self-assessment
      1. Reviewing answers
  8. Chapter 2: Splunk License Management
    1. Introducing license types
      1. The Splunk Enterprise Trial license
      2. The Splunk Free license
      3. The Forwarder license
      4. The Splunk Enterprise license
      5. The Splunk Enterprise infrastructure license
      6. Splunk Developer license
    2. Understanding license warnings and violations
    3. How licensing works
    4. Installing, managing, and monitoring licenses
      1. Adding a license
      2. License groups, stacks, and pools
      3. License manager and license peers
      4. License usage and alerting
    5. Summary
    6. Self-assessment
      1. Reviewing answers
  9. Chapter 3: Users, Roles, and Authentication in Splunk
    1. Users
      1. Creating a new user
    2. Roles
      1. Creating a new role
    3. Authentication methods
      1. Native Splunk
      2. LDAP
      3. SAML
      4. MFA
      5. Scripted authentication
    4. Summary
    5. Self-assessment
      1. Reviewing answers
  10. Chapter 4: Splunk Forwarder Management
    1. Introducing the universal forwarder
    2. Configuring the Deployment Server
      1. Configuring serverclass
    3. Installing the universal forwarder
      1. Installation in Windows OS
      2. Installation in Linux OS
    4. Configuring forwarding
    5. Configuring deploymentclient
    6. Forwarder monitoring
    7. Summary
    8. Self-assessment
      1. Reviewing answers
  11. Chapter 5: Splunk Index Management
    1. Understanding Splunk indexes
    2. Understanding buckets
    3. Creating Splunk indexes
      1. Splunk Web
      2. CLI
      3. indexes.conf explained
    4. Backing up indexes
    5. Monitoring Splunk indexes
    6. Summary
    7. Self-assessment
      1. Reviewing answers
  12. Chapter 6: Splunk Configuration Files
    1. Understanding conf files
      1. File format and access
      2. Structure and syntax
      3. Config layering and inheritance
      4. Default stanzas and global settings
      5. Merging multiple conf files
    2. Understanding conf file precedence
      1. Search-time precedence
      2. Index-time precedence
    3. Troubleshooting conf files using the btool command
    4. Summary
    5. Self-assessment
      1. Reviewing answers
  13. Chapter 7: Exploring Distributed Search
    1. Understanding distributed search
    2. Search head and indexer clustering overview
      1. Search head clustering
      2. Indexer clustering
    3. Configuring distributed search
      1. The Splunk CLI
      2. Splunk Web
    4. Understanding knowledge bundles
      1. Knowledge bundle replication
    5. Summary
    6. Self-assessment
      1. Reviewing answers
  14. Part 2: Splunk Data Administration
  15. Chapter 8: Getting Data In
    1. Understanding Splunk data inputs
    2. Understanding metadata fields
      1. Source types
    3. Data indexing phases
      1. Input
      2. Parsing
      3. Indexing
    4. Splunk Web – Add Data feature
    5. Summary
    6. Self-assessment
      1. Reviewing answers
  16. Chapter 9: Configuring Splunk Data Inputs
    1. File and directory monitoring
    2. Handling network data input
      1. TCP and UDP input
    3. Discussing scripted inputs
    4. Understanding HEC input
      1. Configuring HEC
      2. Sending data to HEC
    5. Exploring Windows inputs
    6. Summary
    7. Self-assessment
      1. Reviewing answers
  17. Chapter 10: Data Parsing and Transformation
    1. Parsing phase settings
      1. props.conf settings
      2. Transformation settings – transforms.conf
      3. Data anonymization
      4. Overriding source types
      5. Index re-routing
      6. Dropping unwanted events
    2. Splunk Web data preview
      1. Creating the source type definition
      2. Data masking
    3. Summary
    4. Self-assessment
      1. Reviewing answers
  18. Chapter 11: Field Extractions and Lookups
    1. Understanding fields and lookups
      1. Fields
      2. Lookups
    2. Creating search-time field extractions
      1. Delimited data extractions
      2. Unstructured data extractions
    3. Creating index-time field extractions
      1. Structured data extractions
      2. Unstructured data extractions
    4. Creating lookups
      1. CSV lookups
      2. KV Store lookups
    5. Summary
    6. Self-assessment
      1. Reviewing answers
  19. Chapter 12: Self-Assessment Mock Exam
    1. Mock exam questions
      1. Reviewing answers
  20. Index
    1. Why subscribe?
  21. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Splunk 9.x Enterprise Certified Admin Guide
  • Author(s): Srikanth Yarlagadda
  • Release date: August 2023
  • Publisher(s): Packt Publishing
  • ISBN: 9781803230238