I've used Splunk a couple of times now and end up evangelizing for it whenever I can. At the same time, I end up feeling pretty ignorant about Splunk most of the time. I'm often stumbling across features or hearing about them as part of an answer to a question. Case in point: I was just told about xyseries and stumbled across cdata.
Searching through the docs and splunkbase, the materials and commentary on these features (and others) are often pretty thin. The docs I do find are usually well written and accurate - but thin. Am I missing something obvious? There doesn't seem to be a book about Splunk anywhere and yet there are clearly people that know every nook and cranny of the product.
Is there some maximally efficient way to learn Splunk? I've never found digging through other people's examples to work very well for me. Hopefully, there's a huge manual somewhere that I've managed not to see.
Thanks for any advice or suggestions.
This is an old thread but gets a lot of views, so for completeness, here's a newer post with some newer resources. https://answers.splunk.com/answers/372126/are-there-any-other-online-collections-of-splunk-s.html
Hi - Splunk can handle structured files, but that is not what it was designed for. Splunk was designed to handle large volumes of timestamped unstructured data, without a schema. As people apply Splunk to more & more use cases, needs like yours arise and Splunk is evolving to address a wider audience.
This community is hundreds of people who are freely contributing their time to help others apply Splunk efficiently. Please let us know how we can help you.
And for the price you are paying, for the book and the help - it's a bargain!
The book misses the point that most Splunk documentation seems to be missing: the arcane art of importing data into Splunk.
Splunk seems to croak with simple CSV and TSV files, does not allow me any simple way (as even Excel does from 20 years ago) to indicate my column structure without the use of a dozen .cfg config files.
This is Chapter 2 in the book, a woeful half-attempt at anything useful. Merely asks us to download data from the book website and move on with "searching". Sorry, dear author, please spend a little time dealing with this in the next version.
I don't mind the sales pitch at all. While my main customer is a huge company in the US, I live in rural Australia. Sydney is about 6 hours away and Melbourne around 11 hours. A big town around here is anything around 9,000 people and up. So. I'm keen on on-line resources 😉 I would love to attend a Splunk conference if I can find the time and money.
Is anyone planning a Splunk book?
As far as finding new commands, listening to the SplunkTalk podcast, even some of their long-term SEs still stumble upon features they didn't know about. So I wouldn't be surprised to keep finding new commands; even though it's 4.x, it's still a fast-moving product. I've always thought their docs were pretty complete and as long as I didn't go in expecting it to mean something it's been pretty clear as well.
I am a Splunk instructor, so I am biased. We offer great online classes with live instructors & hands-on labs. See Splunk Education http://www.splunk.com/view/education/SP-CAAAAH9
Both the Using Splunk class & the Searching and Reporting class are packed with Splunk features and commands.
There are also videos; most are short, so they can only get into one topic at a time. http://www.splunk.com/videos
Another free resource is Splunk Live; we have events around the country. They usually have informal training from a Splunk expert.
Finally, attend Splunk .conf in Las Vegas September 2012!