
Advanced Splunk Administration

 

This eight-hour course follows the Administrating Splunk course. The focus of this class is the knowledge, best practices, and configuration details for Splunk administration in a medium to large deployment environment. In this class you will learn advanced input configuration options, Splunk's data processing flow, optimized indexing configurations, alternative authentication methods, security, and troubleshooting.


Course Topics

  • Splunk hardware and topology options

  • Advanced use and configuration of Splunk forwarders

  • Splunk's Deployment Server

  • Advanced data input options

  • Data inputs advanced configuration

  • Advanced configuration of Splunk data stores

  • Authentication

  • How and what to secure in Splunk

  • Where to get help

 

Class Format

Instructor-led lecture with labs. Delivered via virtual classroom or at your site.

 

Prerequisites

Using Splunk

Administrating Splunk

 

Course Objectives

 

Lesson 1 - Hardware and Topology

  • Identify Splunk hardware recommendations

  • Explore Splunk topology recommendations

  • Describe distributed search and search head pooling

 

Lesson 2 - Forwarders

  • Configure Splunk forwarders using outputs.conf

  • Configure load balancing

  • Secure and compress forwarder feeds and set cache size

  • Enable indexer acknowledgement

  • Leverage third-party systems

 

Lesson 3 - Deployment Server

  • Understand Deployment Server terminology and topology

  • Use server classes to send custom config files to all types of Splunk installs

  • Configure deployment clients

  • Create and distribute deployment bundles

 

Lesson 4 - Inputs

  • Use wildcards

  • Use whitelists and blacklists to limit monitor data inputs

  • Configure scripted inputs

  • Understand file system change monitoring

 

Lesson 5 - Modifying Data Inputs

  • Describe how data moves from input to index

  • Understand the default processing that occurs during indexing

  • List the config files that govern data processing

  • Override default data processing

  • Discard unwanted events

  • Mask sensitive data

  • Extract fields

 

Lesson 6 - Config Precedence

  • Understand how config file precedence works

  • Describe index time config file precedence

  • Describe search time config file precedence

 

Lesson 7 - Splunk's Data Store

  • Identify index directory structure

  • Describe buckets and how they move from hot to cold

  • Configure aging and retention times

  • Set up volumes on hard disk

  • Describe backup strategies

  • Clean an index or selectively delete data

 

Lesson 8 - Authentication

  • Review native Splunk authentication

  • Use LDAP

  • Use Active Directory

  • Configure SSO

 

Lesson 9 - Security

  • Identify what you can secure in Splunk

  • Understand SSL and Splunk

  • Learn about user group and index security

  • Identify and secure the audit log

  • Understand archive data signing

 

Lesson 10 - Troubleshooting

  • Set specific internal logging levels

  • Identify and solve common issues

  • Learn how to get community help with Splunk

  • Understand how to contact Splunk Support

 

Find Out More

Upcoming course dates:

  • 22.04.2013 - Using Splunk

  • 22.04.2013 - Searching and Reporting with Splunk 5.0

  • 24.04.2013 - Advanced Splunk Administration

  • 29.04.2013 - Architecting and Deploying Splunk 5.0

  • 01.05.2013 - Developing Apps with Splunk