I am a reasonably clever, tech-savvy young man but by no means a genius. I am a very hard worker and I am planning on building upon my college degree by learning Splunk and making it my main niche of expertise for my future as a (big) data scientist. What would you suggest that a person with plenty of time and "enough" (maybe?) money should do to get really good at Splunk? Free is great but I am willing to pay if there are good programs that give excellent results, especially if they do so in a shorter amount of time (I am willing to pay for higher quality if it is considerably better than the free resources). If I were your son, how would you advise me to go about most effectively and efficiently becoming a Splunk expert? Thank you in advance for your advice!
There is no "easy" path to learning Splunk; many people have been working with Splunk for many years and still don't know it all, and it is a cumulation of trial and error, docs reading, and discussions with other Splunkers. My advice, not knowing your technical background, would be to suggest (if money is no problem) some of the basic Splunk classes (https://www.splunk.com/en_us/training.html). This will give you an understanding of some of the basics. Then, find a use case and start using. Try things at scale. Spin up a few VMs and build a cluster.
Since you are an intern at Splunxter, I would expect that you will have some opportunities to learn during engagements. Take notes. Lots of notes. Splunk is also one of the very few where RTFM goes a really long way. docs.splunk.com provides an excellent resource into most of the underpinnings of the software. Experiment and use it. Get a dev license (dev.splunk.com). Join a user group.
If you are at conf, you can find many knowledgeable people, and we will be more than happy to discuss this topic even further. Email anytime.
I agree with all the above about a combination of the available training and just getting your hands dirty.
Specifically regarding searching and reporting: I'd strongly recommend that you attempt to find a complex but low priority use-case to practice how to dig through and manipulate the data. It seems every time my managers ask "Can Splunk do...?" I end up learning a dozen new things.
Use cases that I had a lot of fun learning from:
1) Required joining of one or more data-sets (example: Windows Security cross referenced with Active Directory information to determine events by business unit based on OU structure).
2) Needed the data to be manipulated in some way (example: a table of a count of events, possibly by multiple values, with associated totals and percentages of totals)
3) Required handling large volumes of data that were more efficiently pre-processed in summary tables.
I agree with the above posters. You need to download and install Splunk and start getting your hands dirty.
The classes at education.splunk.com are very helpful. Using Splunk can be basic depending on how much you have played with Splunk in the past, but Searching & Reporting, Creating Knowledge Objects, and Administering Splunk were excellent reviews of a lot of the core functionality. Additionally, the SnR and Knowledge Objects courses can be taken as an e-learning (online, virtual) course.
In addition, you can download the Exploring Splunk book for free.
To provide some additional information to supplement alacer's excellent advice:
If I have answered your question, please accept the answer. Thanks!
I was leaving it unanswered for a while to get more interest. Thank you.
Well said. I'd like to add that by being on Answers you're in the right place. You should also join us in Splunk's community Slack (http://splk.it/slack) or both. Slack is an incredible tool, no question is too basic and there are hundreds of users willing to help.
Just being a fly on the wall in Slack will net you some big help. Start asking questions, we're very welcoming.