Splunk Enterprise Data Administration

Course Duration

3 Days

Audience

Employees of federal, state and local governments; and businesses working with the government.

Prerequisites

Completion of Splunk Enterprise System Administration (SP-SESA) or equivalent experience. Working knowledge of Splunk installation, users, and roles.

Course Description

This 3-day course is designed for administrators responsible for getting data into Splunk indexers. Students learn to configure and manage Splunk forwarders, configure data inputs from a variety of sources, manage the data pipeline with props and transforms, manage indexes and data lifecycle, and ensure data quality and integrity in Splunk deployments.

Learning Objectives

• Configure Splunk forwarder inputs from files, directories, and network sources
• Use props.conf and transforms.conf to control data parsing and transformation
• Configure index-time field extraction and source type recognition
• Manage Splunk indexes including bucket management and data retention
• Configure data routing and filtering
• Monitor data ingestion and troubleshoot input issues
• Implement best practices for data onboarding

Course Outline

Get Data Into Splunk

• Splunk distributed model overview
• Data input types and metadata
• Configuring file and directory inputs
• Configuring network inputs

Configuring Forwarders

• Forwarder types and use cases
• Configuring universal and heavy forwarders
• Load balancing and forwarder management

Data Parsing and Transformation

• props.conf and transforms.conf
• Event line breaking and timestamp recognition
• Field extraction at index time
• Data routing and filtering

Index Management

• Index architecture and bucket types
• Creating and managing indexes
• Managing data retention and archiving
• Index performance tuning

Frequently Asked Questions