Course Summary
The Splunk Enterprise Administration course is suitable for you if you work with Splunk On-Prem installations. This course is a bundle of 2 key modules: Splunk Enterprise System Administration (SESA) and Splunk Enterprise Data Administration (SEDA).
You will gain skills like:
• Installation, configuration, and maintenance of Splunk Enterprise
• User and role management in Splunk
• Data ingestion and indexing optimization
• Troubleshooting common Splunk issues
• Implementing high availability and disaster recovery strategies
Module 1: Splunk Admin Basics
• Identify Splunk components
Module 2: License Management
• Identify license types
• Understand license violations
Module 3: Splunk Configuration Files
• Describe Splunk configuration directory structure
• Understand configuration layering
• Understand configuration precedence
• Use btool to examine configuration settings
Module 4: Splunk Indexes
• Describe index structure
• List types of index buckets
• Check index data integrity
• Describe indexes.conf options
• Describe the fishbucket
• Apply a data retention policy
Module 5: Splunk User Management
• Describe user roles in Splunk
• Create a custom role
• Add Splunk users
Module 6: Splunk Authentication Management
• Integrate Splunk with LDAP
• List other user authentication options
• Describe the steps to enable multifactor authentication in Splunk
Module 7: Getting Data In
• Describe the basic settings for an input
• List Splunk forwarder types
• Configure the forwarder
• Add an input to UF using CLI
Module 8: Distributed Search
• Describe how distributed search works
• Explain the roles of the search head and search peers
• Configure a distributed search group
• List search head scaling options
Module 9: Getting Data In – Staging
• List the three phases of the Splunk Indexing process
• List Splunk input options
Module 10: Configuring Forwarders
• Configure Forwarders
• Identify additional Forwarder options
Module 11: Forwarder Management
• Explain the use of deployment management
• Describe Splunk Deployment Server
• Manage forwarders using deployment apps
• Configure deployment clients
• Configure client groups
• Monitor forwarder management activities
Module 12: Monitor Inputs
• Create file and directory monitor inputs
• Use optional settings for monitor inputs
• Deploy a remote monitor input
Module 13: Network and Scripted Inputs
• Create network (TCP and UDP) inputs
• Describe optional settings for network inputs
• Create a basic scripted input
Module 14: Agentless Inputs
• Create Windows Management Instrumentation (WMI) inputs
• Describe HTTP Event Collector
Module 15: Fine Tuning Inputs
• Understand the default processing that occurs during input phase
• Configure input phase options, such as sourcetype fine-tuning and character set encoding
Module 16: Parsing Phase and Data
• Understand the default processing that occurs during parsing
• Optimize and configure event line breaking
• Explain how timestamps and time zones are extracted or assigned to events
• Use Data Preview to validate event creation during the parsing phase
Module 17: Manipulating Raw Data
• Explain how data transformations are defined and invoked
• Use transformations with props.conf and transforms.conf to:
  • Mask or delete raw data as it is being indexed
  • Override sourcetype or host based upon event values
  • Route events to specific indexes based on event content
  • Prevent unwanted events from being indexed
• Use SEDCMD to modify raw data