Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Splunk 9.x Enterprise Certified Admin Guide
  • Table Of Contents Toc
  • Feedback & Rating feedback
Splunk 9.x Enterprise Certified Admin Guide

Splunk 9.x Enterprise Certified Admin Guide

By : Srikanth Yarlagadda
4.6 (8)
Buy this Book
close
close
Splunk 9.x Enterprise Certified Admin Guide

Splunk 9.x Enterprise Certified Admin Guide

4.6 (8)
By: Srikanth Yarlagadda
Buy this Book

Overview of this book

The IT sector's appetite for Splunk and skilled Splunk developers continues to surge, offering more opportunities for developers with each passing decade. If you want to enhance your career as a Splunk Enterprise administrator, then Splunk 9.x Enterprise Certified Admin Guide will not only aid you in excelling on your exam but also pave the way for a successful career. You’ll begin with an overview of Splunk Enterprise, including installation, license management, user management, and forwarder management. Additionally, you’ll delve into indexes management, including the creation and management of indexes used to store data in Splunk. You’ll also uncover config files, which are used to configure various settings and components in Splunk. As you advance, you’ll explore data administration, including data inputs, which are used to collect data from various sources, such as log files, network protocols (TCP/UDP), APIs, and agentless inputs (HEC). You’ll also discover search-time and index-time field extraction, used to create reports and visualizations, and help make the data in Splunk more searchable and accessible. The self-assessment questions and answers at the end of each chapter will help you gauge your understanding. By the end of this book, you’ll be well versed in all the topics required to pass the Splunk Enterprise Admin exam and use Splunk features effectively.
Table of Contents (17 chapters)
close
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Splunk System Administration
Part 1: Splunk System Administration
Free Chapter
2
Chapter 1: Getting Started with the Splunk Enterprise Certified Admin Exam
chevron up
Chapter 1: Getting Started with the Splunk Enterprise Certified Admin Exam
Introducing the certification exam
The weightage of topics in the exam
Introducing the exam’s test pattern
What is Splunk Enterprise?
Introducing Splunk Enterprise 9.x features
Understanding Splunk components
Splunk Validated Architectures (SVAs)
Splunk installation – standalone
Summary
Self-assessment
3
Chapter 2: Splunk License Management
Chapter 2: Splunk License Management
Introducing license types
Understanding license warnings and violations
How licensing works
Installing, managing, and monitoring licenses
Summary
Self-assessment
4
Chapter 3: Users, Roles, and Authentication in Splunk
Chapter 3: Users, Roles, and Authentication in Splunk
Users
Roles
Authentication methods
Summary
Self-assessment
5
Chapter 4: Splunk Forwarder Management
Chapter 4: Splunk Forwarder Management
Introducing the universal forwarder
Configuring the Deployment Server
Installing the universal forwarder
Configuring forwarding
Configuring deploymentclient
Forwarder monitoring
Summary
Self-assessment
6
Chapter 5: Splunk Index Management
Chapter 5: Splunk Index Management
Understanding Splunk indexes
Understanding buckets
Creating Splunk indexes
Backing up indexes
Monitoring Splunk indexes
Summary
Self-assessment
7
Chapter 6: Splunk Configuration Files
Chapter 6: Splunk Configuration Files
Understanding conf files
Understanding conf file precedence
Troubleshooting conf files using the btool command
Summary
Self-assessment
8
Chapter 7: Exploring Distributed Search
Chapter 7: Exploring Distributed Search
Understanding distributed search
Search head and indexer clustering overview
Configuring distributed search
Understanding knowledge bundles
Summary
Self-assessment
9
Part 2:Splunk Data Administration
Part 2:Splunk Data Administration
10
Chapter 8: Getting Data In
Chapter 8: Getting Data In
Understanding Splunk data inputs
Understanding metadata fields
Data indexing phases
Splunk Web – Add Data feature
Summary
Self-assessment
11
Chapter 9: Configuring Splunk Data Inputs
Chapter 9: Configuring Splunk Data Inputs
File and directory monitoring
Handling network data input
Discussing scripted inputs
Understanding HEC input
Exploring Windows inputs
Summary
Self-assessment
12
Chapter 10: Data Parsing and Transformation
Chapter 10: Data Parsing and Transformation
Parsing phase settings
Splunk Web data preview
Summary
Self-assessment
13
Chapter 11: Field Extractions and Lookups
Chapter 11: Field Extractions and Lookups
Understanding fields and lookups
Creating search-time field extractions
Creating index-time field extractions
Creating lookups
Summary
Self-assessment
14
Chapter 12: Self-Assessment Mock Exam
Chapter 12: Self-Assessment Mock Exam
Mock exam questions
15
Index
Index
Why subscribe?
16
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

Splunk installation – standalone

As discussed in the preceding section, a single-server deployment consists of a single Splunk instance combining both SH and indexer functionality. The installation actually isn’t part of the admin exam blueprint; however, it is very helpful to get your hands dirty by experiencing Splunk yourself through the Splunk Web, configuration file (.conf), and CLI options that we are going to discuss in upcoming chapters. This section provides instructions for installing Splunk Enterprise 9.0.3 on the Windows operating system. Let's get into it.

Installation system requirements

Let’s look at the system requirements of the computing environment. Splunk Enterprise supports multiple operating system environments. A full list of the supported options is available here: https://tinyurl.com/2tuudjwr. Splunk has the following hardware requirements:

  • A 64-bit Linux or Windows distribution
  • 12 physical CPU cores or 24 vCPU @ 2 GHz or more clock speed per core
  • 12 GB random-access memory (RAM)
  • An x86 64-bit chip architecture
  • 1 GB Ethernet network interface card (NIC)
  • Free disk space of at least 3 GB for installation and more as per indexing needs

My system specifications for where Splunk version 9.0.3 is going to be installed are as follows:

  • 64-bit Windows 11 Pro operating system
  • 6 physical CPU cores (or 12 vCPUs) @ 2.1 GHz clock speed and 16 GB RAM
  • An x86 64-bit AMD chip
  • Plenty of disk space

You might have noticed the physical CPU cores in my PC are fewer than recommended, which is absolutely fine as we are not going to run production workloads on the Splunk instance. Let’s get into the installation steps, as follows.

Installation steps

As a prerequisite, you need a high-speed internet connection to download the Splunk Enterprise free software package from here: https://www.splunk.com/en_us/download.html. If you do not have a Splunk account, then sign up and log in to continue. Choose the installation package by operating system and download the latest version, which is 9.0.3 at the time of writing.

Let’s begin the installation:

  1. Download the .msi file that appears as splunk-9.0.3-dd0128b1f8cd-x64-release.msi. Double-click on it to start the installation. You will be prompted to accept the license with the default installation options. Refer to Figure 1.8 and click the Next button:
Figure 1.8: Installation – license agreement

Figure 1.8: Installation – license agreement

  1. You will be prompted to enter administrator account credentials. Enter the details. Make sure you remember them as you will need them to log in to the Splunk instance for the first time. Click the Next button (refer to Figure 1.9):
Figure 1.9: Installation – creating administrator account credentials

Figure 1.9: Installation – creating administrator account credentials

  1. On the next screen, just click the Install button (refer to Figure 1.10):
Figure 1.10: Installation – click Install to begin

Figure 1.10: Installation – click Install to begin

  1. The setup wizard takes a few minutes to install Splunk Enterprise. If all goes well, a final “successfully installed” screen appears, as shown in Figure 1.11. Clicking on the Finish button will launch the browser window:
Figure 1.11: Installation successful

Figure 1.11: Installation successful

  1. You should observe the first-time login browser window URL: https://127.0.0.1:8000. Here, 8000 is the default Splunk Web port and 127.0.0.1 is the loopback address. Enter the admin credentials created in step 2; then you will be taken to the Splunk Enterprise home page at http://127.0.0.1:8000/en-GB/app/launcher/home:
Figure 1.12: Splunk Enterprise – first-time sign-in page

Figure 1.12: Splunk Enterprise – first-time sign-in page

The installation is successfully completed. Now, let’s summarize what we learned in this chapter in the next section.

End of Section 9
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY