Course Overview
This 9-hour course is designed for Splunk administrators. It covers topics and techniques for troubleshooting a standard Splunk distributed deployment using the tools available with Splunk Enterprise.
This lab-oriented class is designed to help you gain troubleshooting experience before attending more advanced courses. You will debug a distributed Splunk Enterprise environment using the live system.
This course does not cover the issues surrounding Splunk Cloud, Splunk Clusters, or Splunk premium apps.
Please note that this class may run over two days, with 4.5 hour sessions each day for nine hours of total content.
Who should attend
Splunk administrators.
Certifications
This course is part of the following Certifications:
Prerequisites
To be successful, students should have a solid understanding of the following modules:
- Splunk Fundamentals 1 (Retired)
- Splunk Fundamentals 2 (Retired)
Or the following single-subject modules:
- What is Splunk? (Retired)
- Intro to Splunk (ITS)
- Search Under the Hood (SUH)
- Scheduling Reports & Alerts (SRA)
- Visualizations (SVZ)
- Leveraging Lookups and Subsearches (LLS)
- Search Under the Hood (SUH)
- Intro to Knowledge Objects (IKO)
- Creating Knowledge Objects (CKO)
- Creating Field Extractions (CFE)
- Enriching Data with Lookups (EDL)
- Data Models (SDM)
Student should also have completed the following modules:
Course Objectives
- Splunk Troubleshooting Methods and Tools
- Indexing Problems
- Input Configuration Problems
- Deployment Problems
- License, Upgrade, and User Management Problems
- Search Management Problems
- User Search Problems
Outline: Troubleshooting Splunk Enterprise (TSE)
Module 1 – Splunk Troubleshooting Methods and Tools
- Describe the Splunk Troubleshooting Approach
- List Splunk Diagnostic Resources and Tools
- Create and Splunk a Diag
- Use RapidDiag
Module 2 – Indexing Problems
- Discover Splunk Deployment Topology and its Server Roles
- Identify Where to Check the Index-Time Pipeline Status
- Use the metrics.log to Clarify the Index-Time Problem
Module 3 – Input Configuration Problems
- Data Input Issues
- Troubleshooting Inputs with the Monitoring Console
Module 4 – Input Configuration Problems
- Deployment Server Issues
- Forwarding and Receiving Issues
Module 4 – Indexer Cluster Management Administration
- Peer Offline and Decommission
- Master App Bundles
- Indexer Cluster Storage Utilization Options
- Site Mapping
- Monitoring Console for Indexer Cluster Environment
Module 5 – License, Upgrade, and User Management Problems
- Installation Issues
- Upgrade Considerations
- Splunk Licensing Issues
- Splunk Roles and User Management Issues
Module 6 – Search Head Management Problems
- Troubleshoot Distributed Search Issues
- Identify Job Scheduling Problems
- Learn to Diagnose Crashing Problems
- Describe How to Prioritize Resources for Critical Splunk Processes
Module 7 – KV Store Collection and Lookup Management
- Identify the Types of Search Problems
- Isolate and Troubleshoot Search Problems