topic What resources are recommended if I've been made a Splunk administrator, but know very little about Splunk? in Knowledge Management

What resources are recommended if I've been made a Splunk administrator, but know very little about Splunk?

Raghav2384 — Fri, 05 Sep 2014 04:50:01 GMT

Hello Experts,

I know very little about splunk :(. Our only splunk expert decided to quit and i have been asked to take the responsibility starting with enterprise administration. Is referring to splunk admin manuals/documentation enough to start?
I mean is it 100% knowledge base or just to get you to speed?
Sorry if it sounds silly . I am running in 1000 directions right now

Any help is much appreciated.
Thanks,
Raghav

Re: What resources are recommended if I've been made a Splunk administrator, but know very little about Splunk?

ppablo — Fri, 05 Sep 2014 05:10:30 GMT

Hi @Raghav2384

How little is little exactly? If you haven't really used Splunk before, going straight into the admin manual might be a big jump. I'd suggest going through the Search Tutorial on the Splunk documentation page (http://docs.splunk.com/Documentation ) first which will help you get started with understanding Splunk and its many features, just to touch the surface.

Do you know what version of Splunk you are running?

Re: What resources are recommended if I've been made a Splunk administrator, but know very little about Splunk?

Raghav2384 — Fri, 05 Sep 2014 05:33:44 GMT

Hi ppablo, i have experience in building reports,dashboards, alerts, knowledge objects and installed splunk free and edited conf files on a tiny scale setup (used 4 laptops - 2 having forwarders etc) . i haven't done administration at all. Example: I know indexer and how it is a full splunk ent version but don't know how to disable features like 'use it only for indexing but not searching'. Basically, i am reading all different manuals without knowing the practical way of doing it. Any help would be great. My ADHD situation is making it worse :(.Thank you!

Re: What resources are recommended if I've been made a Splunk administrator, but know very little about Splunk?

MarioM — Fri, 05 Sep 2014 05:37:05 GMT

Additionally to ppablo_splunk comment my second step would be to check my splunk health status using different apps:

If you have a large distributed deployment i would have a dedicated search head only for those apps.

Re: What resources are recommended if I've been made a Splunk administrator, but know very little about Splunk?

piebob — Fri, 05 Sep 2014 06:02:29 GMT

it sounds like you need to get an understanding of what your current deployment looks like, and to review this manual, starting with this topic:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/LearnhowtoadministerSplunk

once you have reviewed this, you can move on to learning about the different roles/components of Splunk:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Distributedoverview

at that point, you should be able to start asking specific questions (after first searching in the docs of course :)). this site (Answers) is much better suited to specific questions.

Re: What resources are recommended if I've been made a Splunk administrator, but know very little about Splunk?

ppablo — Fri, 05 Sep 2014 06:12:01 GMT

Hi @Raghav2384

In that case, I think going through the suggested documentation referenced by @piebob would be a good place to start since you're familiar with the basics. The apps suggested by @MarioM (and many other apps) will definitely be worth checking out once you have a better grasp on your role and knowledge as an admin. Good luck!

Re: What resources are recommended if I've been made a Splunk administrator, but know very little about Splunk?

Raghav2384 — Fri, 05 Sep 2014 14:31:39 GMT

Thank you!!!! Really appreciate your help.

Re: What resources are recommended if I've been made a Splunk administrator, but know very little about Splunk?

Raghav2384 — Fri, 05 Sep 2014 14:31:57 GMT

Thank you ppablo! Cheers!

Re: What resources are recommended if I've been made a Splunk administrator, but know very little about Splunk?

Raghav2384 — Fri, 05 Sep 2014 14:32:14 GMT

Thank you Mario!Cheers!

Re: What resources are recommended if I've been made a Splunk administrator, but know very little about Splunk?

grijhwani — Fri, 05 Sep 2014 21:02:15 GMT

You know more than I did when I became Splunk in-house "expert" (as I say to people I "went from zero to SME in the space of 5 days"). This is not to dismiss your concerns. Quite the contrary. I want to give you confidence that it is achievable very quickly. For the most part I would (as the others have said) learn the shape of your actual Splunk infrastructure. I had help, in that I was guided through a new set of installations by one of the previous admins, and I would say that a test installation (which you can afford to break and start from scratch), and a bit of tinkering will get you a long way.

Other than that I would suggest that you use the documentation (the online manual), the Wiki, and "Answers" as reference material, and for anything else you genuinely cannot find solutions for or which confuse you ask here. It's not as daunting as it may seem.

(Personally I don't recommend Splunk-on-Splunk, but that is because I have a personal prejudice about adding secondary packages like the third-party side utils SoS is dependent on. If you can frame a Splunk query, you can understand pretty much everything you need to from Splunks own "_*" indexes for yourself, and besides it is a good didactic exercise doing so and learning what you can find in there.)

Re: What resources are recommended if I've been made a Splunk administrator, but know very little about Splunk?

koppolu17 — Mon, 28 Dec 2015 22:23:45 GMT

I went through same phase with 1 hour introduction to Splunk by manager, he sent me an e-mail to access splunk web, logs locations related to oracle Middleware WebLogic SOA suite, database and operations document(runbook).
After that I came home and installed splunk 5. Read Splunk docs to understand it better.
Splunk quickly expanded all over the world.
Reading Splunk answers helped me a lot.