
splunk troubleshooting Training

pacifikn
Communicator

Greetings!!

Need your advice and opinions on the following points:

- What training can I take to master Splunk admin troubleshooting issues and complete the admin training package?


- Is there a way to set up a simulator that can give a team or an individual a test environment to practice Splunk troubleshooting in, rather than the live environment? Is there any advice on how to work with such a simulator, or on how to set up the test environment?

Kindly, I need your advice on these. Thank you in advance.


gcusello
Esteemed Legend

Hi @pacifikn,

About training, there are some free courses at https://www.splunk.com/en_us/training/free-courses/overview.html; in addition I suggest the Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchTutorial/WelcometotheSearchTutorial), which is very useful.

In addition, you can find all the Splunk certification paths at https://www.splunk.com/en_us/training.html?sort=Newest

My advice is to follow the certification paths for Power User, then Admin and then eventually Architect, but you have to follow many courses!

No, there isn't an environment to use for troubleshooting; you could create a test environment, as similar as possible to your production environment, and use it for testing.

Ciao.

Giuseppe


PickleRick
Ultra Champion

Well, troubleshooting is often the most annoying part of any solution's administration and is difficult to "teach", mostly because troubleshooting is what you need to do when something doesn't go as it should, which means that either the external environment does something you'd not expect or you yourself did something wrong (my "favourite" mistake: mistyping "pass4SymmKey" as "pass4SymKey").

That's why troubleshooting expertise comes mostly with experience. Broad experience with various IT solutions helps as well.

Of course every IT solution has its own "typical first steps" to troubleshooting, which vary between solutions. In the case of Splunk it would probably be some simple checklist like: check your btool output, check your connectivity, trim your search...

But still you need to understand what you're troubleshooting. Otherwise you're not really troubleshooting as such but just performing a playbook.

So get your User/Admin training, start working with Splunk and it will come. After you learn the basics of Splunk on an all-in-one installation, try doing a distributed environment install. After that, add a mutual-TLS layer. Each of those adds additional points where something can go wrong.

Just do it 🙂

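As an added example, not written by any poster in this thread and not Splunk's own tooling: the "typical first steps" checklist above (btool output, connectivity) as reusable shell functions, plus a grep for the exact pass4SymmKey typo mentioned earlier and a look at the last ERROR lines of splunkd.log. Assumptions: SPLUNK_HOME defaults to /opt/splunk, the receiver host name is a placeholder, port 9997 is the usual forwarder receiving port, and every sample config and log line in the comments is constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from any poster in this thread: the "typical first steps"
# checklist (btool output, connectivity, splunkd.log) as reusable shell functions.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk; the receiver host name and
# port 9997 are placeholders; all three can be overridden via the environment.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
RECEIVER_HOST="${RECEIVER_HOST:-indexer.example.internal}"   # placeholder host
RECEIVER_PORT="${RECEIVER_PORT:-9997}"                       # usual receiving port

# Step 1: config sanity. "splunk btool check" validates the merged .conf layers
# against the .spec files, which is how an unknown key such as pass4SymKey shows up.
run_btool_check() {
  if [ ! -x "$SPLUNK_HOME/bin/splunk" ]; then
    echo "no splunk binary under $SPLUNK_HOME" >&2
    return 2
  fi
  "$SPLUNK_HOME/bin/splunk" btool check --debug
}

# Step 1b: catch the exact typo from the post before a restart. Prints every
# "file:line:text" whose key is some spelling of pass4SymmKey other than the
# correct one (e.g. "pass4SymKey = ..."); returns 0 if at least one was found,
# 1 if the tree under conf_root is clean.
find_misspelled_pass4symmkey() {
  conf_root=$1
  find "$conf_root" -type f -name '*.conf' -print0 \
    | xargs -0 grep -HniE '^[[:space:]]*pass4sym+key[[:space:]]*=' 2>/dev/null \
    | grep -v 'pass4SymmKey[[:space:]]*='
}

# Step 2: connectivity. Opens a raw TCP connection (no Splunk involved) with a
# timeout; refused or timed out means firewall/DNS/routing, not a Splunk setting.
check_tcp() {
  host=$1; port=$2; timeout_s=${3:-3}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$timeout_s" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  else
    bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  fi
}

# Step 3: what splunkd itself complained about. splunkd.log carries the level as
# a bare word after the timestamp, e.g. (constructed line)
#   01-12-2023 10:15:33.001 +0000 ERROR TcpOutputFd - Connection to host=10.0.0.5:9997 failed
# Print the last N ERROR lines of the given file.
recent_splunkd_errors() {
  logfile=${1:-$SPLUNK_HOME/var/log/splunk/splunkd.log}
  n=${2:-20}
  grep -E ' ERROR ' "$logfile" | tail -n "$n"
}

# Run the whole checklist against a live instance; prints, never aborts early.
run_checklist() {
  echo "== btool check =="; run_btool_check || echo "btool check returned $?"
  echo "== misspelled pass4SymmKey =="
  find_misspelled_pass4symmkey "$SPLUNK_HOME/etc" || echo "none found"
  echo "== tcp $RECEIVER_HOST:$RECEIVER_PORT =="
  check_tcp "$RECEIVER_HOST" "$RECEIVER_PORT" && echo "reachable" || echo "NOT reachable"
  echo "== last splunkd ERROR lines =="; recent_splunkd_errors
}

# Usage: `bash checklist.sh --run` on the instance, or source the file and call
# the individual functions, e.g. find_misspelled_pass4symmkey /opt/splunk/etc
if [ "${1:-}" = "--run" ]; then
  run_checklist
fi
```

The order matters: a clean btool check and an open TCP path rule out the two cheapest causes before anyone starts trimming searches or reading indexer logs, and the misspelled-key grep is worth running on every layer under etc/ (system/local and each app's local/), because btool only shows the merged winner.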

pacifikn
Communicator

Dear @gcusello ,

Is there any guidance on how to create a test environment step by step, or can you advise me? Here I think we'll use a single-instance deployment.

- Is it possible to set up this test environment, working like production, for free?

- Which Splunk Enterprise and Splunk Enterprise Security can we use for a testing environment? Free Splunk Enterprise is limited to 500MB only, and I don't know what to use so that the test environment can be similar to production. What am I required to have, and how do I do it?

Kindly guide me on this, as I want to create a test environment similar to production.

Thank you in advance!!


gcusello
Esteemed Legend

Hi @pacifikn,

there isn't any guideline for test environments because they are usually similar to the production environment, to recreate the same conditions as production: e.g. if you have an indexer cluster, you should also have an indexer cluster in the test environment, obviously with less storage, fewer resources and fewer clients.

If instead you're speaking of a development environment, you can also use a stand-alone server, or even your workstation, because Splunk Enterprise guarantees portability of applications.

To simulate load conditions a free license probably isn't sufficient, so you should ask Splunk for a development license; for more info see:

https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/TypesofSplunklicenses#Splunk_developer_lice... 

https://dev.splunk.com/enterprise/dev_license/ 

https://splunkbase.splunk.com/develop/ 

https://www.splunk.com/en_us/resources/personalized-dev-test-licenses/faq.html 

Ciao.

Giuseppe
