Splunk Admin + Developer (Real Time) - Fast Track

This document outlines a 3-month fast track training program for Splunk Administration and Development, covering essential topics such as setting up a clustered environment, data onboarding, and creating dashboards and reports. It includes detailed sections on requirement gathering, capacity planning, architecture planning, and troubleshooting common issues. Contact information for support and references are also provided.

Uploaded by

bhavin
Copyright: © All Rights Reserved

10 Feb 2025

Real Time

Splunk Admin + Development


3 Months (Fast Track)
● Splunk Administration: Learn to set up, manage, and optimize Splunk in a clustered environment.
● Splunk Development: Build dashboards, extract fields, and create reports & alerts for data analysis.

Prepared by
Soft Mania
Table of Contents

Splunk Admin 3

Requirement gathering 3

Capacity Planning - Basics 3

Architecture Planning - Basics 3

Setup a Splunk Clustered environment 3

Deploy Apps to Clustered environment 3

Onboard the data to Splunk Clustered environment 4

Splunk Development 6

Field Extraction from data 6

CIM Mapping 6

Dashboard development 6

Reports & Alerts creation 7

References 8

Contact 8
Splunk Admin
Requirement gathering
● Identify data sources, log formats, and ingestion methods.
● Define access controls, retention policies, and compliance needs.
● Gather performance, scaling, and monitoring requirements.

Capacity Planning - Basics

● Estimate data ingestion volume and indexing needs.
● Plan hardware resources (CPU, RAM, storage) based on workload.
● Consider license limits and future scalability.

Architecture Planning - Basics

● Design Splunk deployment (Standalone vs. Clustered).
● Plan search head, indexer, and forwarder distribution.
● Ensure high availability, load balancing, and fault tolerance.

Setup a Splunk Clustered environment

● How to create an AWS EC2 Linux instance & install Splunk
● Indexer Cluster - 3 Indexers, 1 Cluster Manager
● Search Head Cluster - 3 Search Heads, 1 Deployer
● 1 Monitoring Console, 1 License Manager
● 1 Intermediate Forwarder
● 1 UF - To collect Linux server logs
● 1 UF - To collect Windows server logs
● Troubleshoot common cluster issues

Deploy Apps to Clustered environment

● How to split apps/add-ons for deployment across a distributed environment?
● How to Deploy Apps to Search Head Cluster?
● How to Deploy Apps to Indexer Cluster?
● How to Deploy Apps to Forwarders using Deployment Server?
● How to create an Index in an Indexer Cluster?
● How to clean data from Splunk Index?
● How to delete an Index from Indexer Cluster?
● Troubleshoot common app deployment issues

Onboard the data to Splunk Clustered environment

● How to Onboard data from Windows Active Directory
● How to Onboard data from Windows DNS
● How to Onboard data from OpenVPN
● How to Onboard data from Syslog
● How to Onboard data from Intrusion Detection - OSSEC
● Different methods in Data Onboarding
○ File monitoring
○ Directory Monitoring
○ Scripted Input
○ Network events - TCP, UDP
○ HTTP Event Collector
○ Splunk DB Connect
● Different use-cases in Data Forwarding
○ Routing and Filtering the data
○ Masking the data
● Parsing - Data Quality check
○ Line breaking
○ Timestamp Extraction
■ Custom Time Format
■ Time-zone configuration, etc.
○ Host name extraction
○ Sourcetype override
○ Index override
○ Index Time Field Extraction
● How does Splunk store the data?
○ Index
■ Retention Policy
■ Buckets concept
○ Replication Factor & Search Factor
○ Searchable / Non-searchable bucket copies
● How do you estimate/find/calculate License usage? (Standalone)
● What are all the types of Licenses available?
● The difference between a Universal Forwarder and a Heavy Forwarder
● How to select a Forwarder?
● Troubleshoot common Data Onboarding / Parsing issues
Splunk Development
Field Extraction from data

● Regular Expression basics
● How to extract Fields from Unstructured data?
● How to create calculated fields?
● How to add lookup information into the raw data?
● Why does sourcetype matter in Splunk?
● Where to deploy a particular property of the configuration files?
● How to create eventtypes & tags?
● Troubleshoot common Field extraction issues

CIM Mapping

● What is the Common Information Model (CIM)?
● How is CIM used?
● How to use Data Models in Splunk?
● How to write queries for common scenarios?
● Troubleshoot common CIM Mapping issues

Dashboard development

● How to create Different visualizations in Splunk?
● How to add Different Inputs to Splunk Dashboards?
● How to provide access to a specific dashboard for a specific user?
● How do you create dependent dropdowns?
● How do you create a drill-down for panels?
● How do you handle tokens inside the dashboard?
● Troubleshoot common Dashboard issues

Reports & Alerts creation

● How to create a Report?
○ Schedule a Report for a Particular Time
○ Schedule a Report That Sends a PDF to Multiple Email IDs Based on Data
○ Schedule a Report to Improve Dashboard Performance
○ Generate Scheduled Reports with Conditional Data Splitting
○ Export Scheduled Reports in Multiple Formats
○ Use Lookup Files in Scheduled Reports
● How to create an Alert?
○ Trigger an Alert When a Report Detects Anomalies
○ Throttle Alerts to Avoid Spam Notifications
○ Create Alerts Based on Dynamic Thresholds (Trend-Based Alerting)
○ Trigger Multi-Action Alerts (Email, Script Execution, Ticketing, etc.)
○ Trigger Alerts Based on Lookup Data
○ Trigger Alerts Using REST API/Webhooks
○ Use Per-Result vs. Aggregated Alerts
○ Suppress Alerts During Maintenance Windows
● Troubleshoot common Reporting & Alerting Issues

Happy Splunking…!!

For any help/support required on Splunk, please contact the Soft Mania Team using any one of the methods mentioned at the end of this document.

References
https://docs.splunk.com/Documentation/Splunk

Contact
Email: [email protected]

Website: Soft Mania

WhatsApp: https://wa.me/918317349618

WhatsApp Community: https://chat.whatsapp.com/Ll5I8yPEHbACYQrQvb17e2

LinkedIn: https://www.linkedin.com/company/softmania-tech

Instagram: https://www.instagram.com/softmaniatech

YouTube: https://www.youtube.com/@SoftManiatech

Telegram: https://t.me/SoftManiaTech
