I work in information security and I enjoy everything SIEM related so learning Splunk was a no-brainer for me. Splunk has so many applications that almost any environment can benefit from a Splunk deployment. Whether you are using it as a log management system or creating dashboards for data analytics, Splunk provides a nice framework to build your solution.
Recently I deployed Splunk on my home network. I wanted to know how to use it efficiently and get the most out of the product. I began looking into the training offered by Splunk. Splunk offers many learning paths:
- Courses for Users
- Courses for Splunk Administrators
- Courses for Splunk Cloud Customers
- Courses for Splunk Architects
- Courses for App Developers
- Courses for Enterprise Security Administrators
- Courses for Enterprise Security End-Users
- Courses for IT Service Intelligence Administrators
- Courses for IT Service Intelligence End-Users
- Courses for Phantom Customers
I discovered the Splunk Fundamentals 1 training was free, so let's give it a shot.
The course topics for Splunk Fundamentals 1:
- Introduction to Splunk’s interface
- Basic searching
- Using fields in searches
- Search fundamentals
- Transforming commands
- Creating reports and dashboards
- Datasets
- The Common Information Model (CIM)
- Creating and using lookups
- Scheduled Reports
- Alerts
- Using Pivot
The training for Fundamentals 1 does not provide a Splunk environment to use, but it does provide video lessons on how to configure your own instance. Splunk offers great documentation to stand up your own instance here. I used a CentOS 7 VM, which is working great. Splunk training then provides the machine data to upload to your instance for the labs.
I went through the videos, labs, and questions. Most of the topics covered Splunk search syntax and how to be efficient with search jobs. After completing all the training I saw that the certification exam from Pearson Vue was only $125.00. Let's give it a shot.
Exam Prep
I did not use any additional training outside of the Fundamentals 1 course; however, I did move on to Fundamentals 2 while waiting to sit for the exam. Splunk Fundamentals 2 covers some of the same material, but it was not necessary to pass. I also started sending all my home server and network gear logs to Splunk so I could search real data. This allowed me to start seeing value in the training and helped solidify the material. Overall, I studied about 15 hours in total.
Exam
The exam was 65 questions with 1 hour to complete. After the first few questions I was feeling good about the level of difficulty. Most of the questions were easy if you understand how Splunk searches work and understand the syntax. The exam did allow reviewing previous questions, so a few questions later in the exam helped with some earlier questions that I was not 100 percent sure of. The exam took 33 minutes to complete, and the results were sent to the printer outside of the testing room. After leaving the room the results were handed to me: “Congratulations, you are now Splunk certified.” Woo!
Was it worth it?
Yes. The certification was affordable and has given me a great foundation for using Splunk at a user level. The Splunk Core Certified User Certification has allowed me to get a jump start on building dashboards and starting some data analytics on my home network. This certification is just the beginning of Splunk in my career. Look for Splunk posts in the future.
Until next time, stay safe in the Trenches of IT!