1

Getting Started with the Splunk Enterprise Certified Admin Exam

Let’s get started with Splunk Enterprise. By the end of this chapter, you should understand what Splunk Enterprise is and its rich set of features and be able to list the Splunk components that work together to get business insights out of data. You will also learn about the installation of standalone Splunk Enterprise in a Windows environment, along with advanced Splunk Validated Architectures (SVAs) covering all the Splunk components. Throughout the book, you’ll often find us using the terms Splunk Enterprise and Splunk interchangeably. They both refer to the product itself. You will rarely find references to Splunk Inc., which refers to the company that developed and offers the Splunk Enterprise product.

This chapter covers the following topics to get you started:

• Introducing the certification exam
• The weightage of topics in the exam
• Introducing the exam’s test pattern
• What is Splunk Enterprise?
• Introducing Splunk 9.x Enterprise features
• Understanding Splunk components
• SVAs
• Splunk installation—standalone
• Self-assessment

Introducing the certification exam

The Splunk Enterprise Admin exam is the prerequisite to attain the Splunk Enterprise Certified Admin certification. The exam contains 56 questions that you need to answer in 57 minutes, and you will get an extra 3 minutes to review your answers, bringing the duration of the exam to a total of 60 minutes. Successful candidates will be issued a digital certificate along with Splunk digital badges. In order to be eligible to sit the Splunk Enterprise Admin certification exam, you should have already passed the Splunk Core Certified Power User exam and obtained that certification.

The exam tests your knowledge of Splunk Enterprise system administration and Splunk data administration concepts. Splunk Education and/or Splunk Authorized Learning Partners (ALPs) offer administration courses through instructor-led training along with material, labs, and sample questions. Splunk recommends going through these training sessions. They are paid courses. However, do note that taking part in this training is optional for the admin exam. This book covers both system and data administration concepts along with self-assessment questions on each topic, for you to get ready for the exam.

A Splunk Enterprise system administrator is someone who looks after the Splunk Enterprise platform on a day-to-day basis. This exam tests your knowledge of user management, installation, the configuration of Splunk Enterprise, forwarder management, license management, search head (SH) management, index creation, indexer management, and monitoring the whole Splunk platform using the Monitoring Console (MC).

Splunk Enterprise data administrator responsibilities include getting the data into Splunk from various sources, such as data inputs leveraging the universal forwarder (UF), network inputs, scripted inputs, and Technology Add-ons (TAs). The data admin ensures the data is correctly broken down into individual events, applying timestamps and setting sourcetype and other metadata fields. In addition, they can create knowledge objects required to support other Splunk features for data insights and data retrieval using the Splunk Search Processing Language (SPL).

The following section explains the weightage of exam questions per topic that are asked.

The weightage of topics in the exam

A list of topics in scope and their weightage has been provided by Splunk in its test blueprint for the admin exam. The topics might be slightly updated by Splunk in the future. At the time of writing this book, these are current and valid for the Splunk Enterprise 9.x Certified Admin exam.

Refer to the latest blueprint prior to booking your exam and find out whether any new concepts have been included. You could try accessing this blueprint using this link: https://tinyurl.com/36x7apnr. Otherwise, if the web link changes, look for the blueprint PDF deep link in the Splunk Certification Exams Study Guide (https://www.splunk.com/pdfs/training/splunk-certification-exams-study-guide.pdf) on the Splunk Enterprise Certified Admin page.

Don’t be alarmed by the length of the topic list; the topics are covered in thorough detail in the rest of this book, to get you prepared with confidence.

Now that you have an idea of the topics and their weightage, let’s understand the exam’s test pattern.

Introducing the exam’s test pattern

The exam contains 56 questions to be answered in 57 minutes. Each question has at most five options. Some of the questions will have more than one answer, under the Select all that apply category. Others are either true or false or single-answer.

The following are sample questions of the different categories with answers.

True or false category

Q. Splunk Enterprise is only able to store and retrieve text-based data.

1. True
2. False

Here, the answer is option A.

Single-answer category

Q. A UF is sending data to index=linux_os, which does not exist on the indexer layer. What happens to the data in this scenario?

1. Since no such index has been configured, the data will be ignored by the indexer
2. The indexer throws an error message to the UF
3. A linux_os index is automatically created since it did not exist before
4. The data gets stored in the lostandfound index

Here, the answer is option A.

Multiple-choice category

Q. A Splunk admin user has, by default, which capabilities? (Select all that apply)

1. Admin can install the UF remotely
2. Admin can create another admin user
3. Admin can create a custom role for a group of non-admin users
4. Admin can restart a Splunk SH instance through the GUI

Here, the answers are options B, C, and D.

Let’s get started with learning about Splunk Enterprise in the following section.

What is Splunk Enterprise?

Splunk Enterprise is software that collects data from heterogeneous sources and provides interfaces to analyze machine data. Getting to know Splunk Enterprise helps you to choose the right feature for the needs or requirements that will come through while you are working on real-time projects. As an administrator, it is highly expected that you are well aware of these capabilities of Splunk. Key features of this product are explained as follows:

• Collecting text data: Splunk Enterprise can only collect and search text data. Non-textual data should not be stored in Splunk Enterprise.
• Schemaless: Splunk accepts structured, semi-structured, and unstructured data, and no strict checking of schema compliance is needed.
• Web, command-line interface (CLI), and REST application programming interface (API) interfaces: Three standard interfaces are offered by Splunk—web for searching, reporting, alerting, and configuration management; REST API to enable all the web functions through programmatic access; and Splunk CLI for executing system commands, configuring Splunk, and running searches. In general, Splunk Administrators use this interface.
• Searching, reporting, and alerting: To query Splunk Enterprise, it has introduced a proprietary SPL, which is used in every interface it offers to retrieve the data from it. Searching enables data retrieval, which could be ad hoc or scheduled to run at a particular time of the day. Reporting involves a reusable search query that is stored and can be scheduled or run on demand. Finally, alerting is a scheduled search and triggers a defined set of actions when a given condition is met—an alert action could involve tasks such as sending an email or executing a script.
• Anonymizing data: Data can contain sensitive information, such as Personally Identifiable Information (PII) and Payment Card Industry (PCI) data. For example, credit card numbers and user phone numbers are highly classified and restricted to only being visible or accessible...