Book Image

Splunk 9.x Enterprise Certified Admin Guide

By : Srikanth Yarlagadda
Book Image

Splunk 9.x Enterprise Certified Admin Guide

By: Srikanth Yarlagadda

Overview of this book

The IT sector's appetite for Splunk and skilled Splunk developers continues to surge, offering more opportunities for developers with each passing decade. If you want to enhance your career as a Splunk Enterprise administrator, then Splunk 9.x Enterprise Certified Admin Guide will not only aid you in excelling on your exam but also pave the way for a successful career. You’ll begin with an overview of Splunk Enterprise, including installation, license management, user management, and forwarder management. Additionally, you’ll delve into indexes management, including the creation and management of indexes used to store data in Splunk. You’ll also uncover config files, which are used to configure various settings and components in Splunk. As you advance, you’ll explore data administration, including data inputs, which are used to collect data from various sources, such as log files, network protocols (TCP/UDP), APIs, and agentless inputs (HEC). You’ll also discover search-time and index-time field extraction, used to create reports and visualizations, and help make the data in Splunk more searchable and accessible. The self-assessment questions and answers at the end of each chapter will help you gauge your understanding. By the end of this book, you’ll be well versed in all the topics required to pass the Splunk Enterprise Admin exam and use Splunk features effectively.
Table of Contents (17 chapters)
Part 1: Splunk System Administration
Part 2:Splunk Data Administration
Chapter 12: Self-Assessment Mock Exam


This first chapter of Part 2 of the book aimed to get you started with Splunk data administration. We began with the introduction of data input types, including the file-based, network, agentless (HEC), and script-based options. There is also a special type of input that can be installed through TAs available from We also understood that these inputs are configured either by creating an inputs.conf file or through the Splunk CLI.

Afterward, we looked at the default metadata fields assigned by Splunk, along with their significance when searching data. The sourcetype field plays a crucial role in Splunk as it helps classify and categorize data by its source type. Splunk uses a pre-trained list of source types to automatically detect and assign the appropriate sourcetype if none is specified during the input phase. sourcetype definitions are configured in the props.conf file, where data administrators create custom ones based on the type of data they...