Module 1 - Getting Data Into Splunk
- Provide an overview of Splunk
- Describe the four phases of the distributed model
- Describe data input types and metadata settings
- Configure initial input testing with Splunk Web
- Testing indexes with Input Staging
Module 2 - Configuration Files
- Identify Splunk configuration files and directories
- Describe index-time and search-time precedence
- Validating and updating configuration files
Module 3 - Forwarder Configuration
- Understand the role of production Indexers and forwarders
- Understand and configure Universal Forwarders
- Understand and configure Heavy Forwarders
- Understand and configure intermediate forwarders
- Identify additional forwarder options
Module 4 - Forwarder Management
- Describe Splunk Deployment Server (DS)
- Manage forwarders using deployment apps
- Configure deployment clients and client groups
- Monitor forwarder management activities
Module 5 - Monitor Inputs
- Create file and directory monitor inputs
- Use optional settings for monitor inputs
- Deploy a remote monitor input
Module 6 - Network Inputs
- Create network (TCP and UDP) inputs
- Describe optional settings for network inputs
Module 7 - Scripted Inputs
- Create a basic scripted input
Module 8 - Agentless Inputs
- Understand and configure Splunk HTTP Event Collector (HeC) agentless input
- Understanding Splunk App for Stream
Module 9 - Operating System Inputs
- Understand Linux-specific inputs
- Understanding Windows-specific inputs
Module 10 - Fine-tuning Inputs
- Understand the default processing that occurs during input phase
- Configure input phase options, such as sourcetype fine-tuning and character set encoding
Module 11 - Parsing Phase and Data Preview
- Understand the default processing that occurs during parsing
- Optimize and configure event line breaking
- Explain how timestamps and time zones are extracted or assigned to events
- Use Data Preview to validate event creation during the parsing phase
Module 12 - Manipulating Raw Data
- Explain how data transformations are defined and invoked
- Use transformations with props. conf and transforms. conf to:
- Mask or delete raw data as it is being indexed
- Override source type or host based upon event values
- Route events to specific indexes based on event content
- Prevent unwanted events from being indexed
- Use SEDCMD to modify raw data
Module 13 - Supporting Knowledge Objects
- Define default and custom search time field extractions
- Define the pros and cons of index time field extractions
- Configure indexed field time extractions
- Describe default search time extractions
- Manage orphaned knowledge objects