Splunk Skills

The table below is taken from the Splunk Conf 2014 website and gives a nice overview over different areas of Splunk, with which to gauge your skills.

To make it a bit more useful I’m planning to add links for each item, to the official documentation, articles/blog posts I’ve found or blog posts that I’ve written myself. There are also some quick tips after the table.

At the moment it is far from exhaustive…but over time I hope that this becomes a valuable learning reference.

If you think that there is something missing then leave me a comment and I’ll update the table.

AREA OF EXPERTISE	BEGINNING	INTERMEDIATE	ADVANCED
Development	Building stuff in Splunk Web: Creating Simple XML dashboards and forms Creating a native Splunk app from the built-in templates	Editing simple XML and using simple XML extensions: Dynamic drilldowns Tokens Pan & zoom Post-process searches Using external libraries Using custom CSS Technology Addons (TAs)	Working with SplunkJS, Django bindings, SDKs: Creating a Splunk Web app using SplunkJS/Django bindings Using SplunkJS in your own web apps Tokens and data binding Search managers Page templates Event handlers Splunk diagnostic tools Creating a “standalone” app Using the SDKs Modular inputs
Search	Keyword searches (basic Google knowledge) Time ranges, booleans, key, value pair searching Concepts of source, source type, and host and other fields Tags, saving reports, creating alerts Basic reporting, top, timechart, simple stats commands and eval. Event types, workflow actions, basic form search, basic report acceleration.	Data normalization (CIM) Building a series of interconnected dashboards/an entire app More complex use cases with stats, eventstats, streamstats, accum, totals (comparison) Transactions, and other complex search patterns/results. Report acceleration, summary indexing, tstats. Getting Splunk reports/data outside of Splunk and into other tools. Data input filtering with regex/configs External lookups	Complex statistical questions–measure, report, and alert based on standard deviations, etc. Work closely with Splunk Admins on data acquisition. Non-traditional API-based searching Data models and pivot reports
Deployment	All-in-one Splunk with just forwarders Use of deployment server to deploy to UF/HWFs only Single serverclass.conf file	Distributed, but no clustering or search head pooling Use of deployment server to maintain apps on SH/indexers (outside of clustering), surgical DS reloading Load balancing forwarders	Search head pooling Clustering Multi-site clusters Use of deployment server to store configs for apps in git or other source-control system Multiple DSs behind load balancers Self-updating deploymentclient.confs SSL keys et al

AREA OF EXPERTISE

BEGINNING

INTERMEDIATE

ADVANCED

Development

Building stuff in Splunk Web:

Creating Simple XML dashboards and forms
Creating a native Splunk app from the built-in templates

Editing simple XML and using simple XML extensions:

Dynamic drilldowns
Tokens
Pan & zoom
Post-process searches
Using external libraries
Using custom CSS
Technology Addons (TAs)

Working with SplunkJS, Django bindings, SDKs:

Creating a Splunk Web app using SplunkJS/Django bindings
Using SplunkJS in your own web apps
Tokens and data binding
Search managers
Page templates
Event handlers
Splunk diagnostic tools
Creating a “standalone” app
Using the SDKs
Modular inputs

Search

Keyword searches (basic Google knowledge)
Time ranges, booleans, key, value pair searching
Concepts of source, source type, and host and other fields
Tags, saving reports, creating alerts
Basic reporting, top, timechart, simple stats commands and eval.
Event types, workflow actions, basic form search, basic report acceleration.

Data normalization (CIM)
Building a series of interconnected dashboards/an entire app
More complex use cases with stats, eventstats, streamstats, accum, totals (comparison)
Transactions, and other complex search patterns/results.
Report acceleration, summary indexing, tstats.
Getting Splunk reports/data outside of Splunk and into other tools.
Data input filtering with regex/configs
External lookups

Complex statistical questions–measure, report, and alert based on standard deviations, etc.
Work closely with Splunk Admins on data acquisition.
Non-traditional API-based searching
Data models and pivot reports

Deployment

All-in-one Splunk with just forwarders
Use of deployment server to deploy to UF/HWFs only
Single serverclass.conf file

Distributed, but no clustering or search head pooling
Use of deployment server to maintain apps on SH/indexers (outside of clustering), surgical DS reloading
Load balancing forwarders

Search head pooling
Clustering
Multi-site clusters
Use of deployment server to store configs for apps in git or other source-control system
Multiple DSs behind load balancers
Self-updating deploymentclient.confs
SSL keys et al

Development – Intermediate

Using Drilldown to set Tokens and crossfilter the dashboard – When using a drilldown with a timechart, you use $click.name2$ to access the value of the “group” the user has clicked on. With other charts, e.g. line charts use $row..

Splunk posts I’ve written

External Splunk content

Data model cheat sheet

Development – Intermediate

Splunk posts I’ve written

External Splunk content

Share this:

Like this:

Leave a Reply Cancel reply