Introduction
Many of my Students have been asking me questions on how to move on with Splunk after taking the preliminary courses (and/or certifications). This is understandable and has continuously proven to be a major subject that needs to be discussed upfront. I thought it wise to put together this blog containing information on what I know and the best guidance I can provide.
How did you know about Splunk? The answer to this question has a direct relationship to how long it may take for you to gain the right experience and become a Splunk expert.
Let's take some real world cases that relate to how you may have gotten your first exposure in Splunk:
Case 1:
Today Splunk is heavily used in Cybersecurity as a SIEM (Security Information & Event Management). Splunk has an enhanced solution known as Splunk Enterprise Security which is Splunk's SIEM solution. Splunk Enterprise Security is just another app and you can't use it without an existing Splunk Enterprise instance or deployment. Enterprise Security is often confused with Splunk in general due to its extensive use in the Cybersecurity domain. I have seen Splunk being defined as a SIEM. Yes, Splunk Enterprise Security is a SIEM, but Splunk in general has use cases beyond the Cybersecurity domain. With Splunk, you can index and analyze any data from any source, not just Security related data. There are also other enhanced solutions for different use cases such as Splunk ITSI (IT Service Intelligence) and Splunk SOAR (Security Orchestration, Automation, & Response). You can't gain experience on any of these enhanced solutions alone to ultimately become a Splunk Expert.
Case 2:
A lot of employees working with companies that use Splunk are generally faced with the task of analyzing data from their domain of expertise. This analysis sometimes requires learning/using complex SPL (Splunk Search Processing Language) queries to get insights from your data. Do you become a Splunk expert by just using different SPL commands? This is one that resonates really well with me personally as I've been down this road. My simple answer is "No", even though I do really well with domain data sources and still currently consider myself one of the best in SPL. You could download the Splunk search manual and try to understand all the SPL commands, possibly using some on your data. But this looks like an almost endless journey, because even some of the best Splunk experts still learn and use new (or variants of existing) SPL commands when faced with different data sources. The real issue here is the knowledge gap in understanding the capabilities of the platform and putting them into use. SPL is just an aspect of it that you'll continuously learn in your Splunk journey. For example, understanding and creating knowledge objects such as alerts, reports, lookups, dashboards, data models, etc., gives you the ability to put the platform into proper use.
Case 3:
What about someone who has no prior knowledge of the Splunk platform? Maybe they never even installed a Splunk instance or had a chance to log in to one. Maybe their Company just purchased Splunk, or they're generally interested in data analytics with the Splunk platform, or they graduated from School with some background in data analytics or, say, Cybersecurity. Do they just watch a few Splunk videos and start considering themselves experts? That's entirely possible when there's a gap in understanding the power of the Splunk platform and the journey it takes to become an actual expert.
There might be other possible scenarios, but if you're on this page, it's because you're interested in growing your knowledge and/or experience in Splunk to ultimately become a Splunk expert. Below are the 6 steps I'll recommend.
1. Gain Foundational Knowledge:
A lot of people get excited about documenting their knowledge and will attempt to take Splunk certifications with very little exposure. This might be ok for people with knowledge and experience with the Splunk platform. It's also common to find Splunk users who work with the Web UI, Enterprise Security or other enhanced solutions for years without ever installing their own Splunk instance, understanding what kind of deployment they work on, what Splunk components they're connected to, how the data gets into Splunk, etc. Most importantly, Splunk is governed by configuration files, but it's common to find certified Splunk Users with no understanding of the backend, the location and syntax of configuration files, and how they relate to Splunk Web. Foundational knowledge touches on all the different important aspects of Splunk at a high level. This includes content such as Splunk Components, deployment, installation, ways to use and administer Splunk, SPL, etc. Having this knowledge before you embark on certifications is extremely important for people with little or no exposure.
Don't be caught in the web of short videos or courses with exciting titles. For example, a 2-4 hour course to become a Splunk Power User, Admin, Expert, etc. Based on my experience with Splunk, this is not possible. You can't become a Splunk expert by trying to run faster than your shadow. Are you going to gain some knowledge from courses or videos like these? Certainly yes, but it's very incomplete and volatile knowledge. You can find Splunk's official online documentation at docs.splunk.com or check out Splunk's online course catalog. Take a peek and you'll probably have an understanding of why I'm making this point. This is in no way saying that Splunk is very tough and difficult to understand. I just think a concept based approach starting from the foundational concepts works best. You start building a house by having a foundation and you continue building in smaller steps. This way you end up with a structure that's sustainable and will last a lifetime. That's the approach I'm trying to introduce, and this is all based on my experience with Splunk.
This is what motivated the creation of RylKim Solution's Complete Splunk Essentials Course on Udemy and RylKim Solution's Youtube Channel with free videos of foundational Splunk concepts. Note that there's a lot of information in Splunk's online documentation at docs.splunk.com. So if you're willing to gain some foundational knowledge to kick off your Splunk journey, you have all it takes to get started.
2. Take Splunk User Certifications:
Never underestimate the power of Splunk Certifications. This is a lesson I learnt the hard way. I was originally the type of Splunk user who wouldn't certify because I believed in my experience. The real problem is that I actually believed in incomplete knowledge of the Splunk platform. I struggled to complete basic tasks and often used unnecessarily complicated methods due to lack of knowledge. For example, you're already using SPL on data to which another Splunk user has already associated meaning to get field/value pairs. You have no knowledge that you could actually associate the meaning yourself through field extractions and enrichments. Or you have a new Splunk user willing to create comprehensive reports on your domain data source but lacking knowledge of Splunk SPL. You have no idea that you could actually create a data model on the underlying data source and have the user create reports and dashboards through the easy-to-use pivot interface.
So after establishing your foundation, you cannot build your house on a single or just a few pillars. This is generally what happens when you only want to learn through experience; you're more focused on one or a few aspects that help complete your tasks. Someone with the right knowledge through certifications tends to grow faster. They're more adaptable, more comfortable discussing different topics, and are the ideal Splunk users to take the lead because they have all-round knowledge. Secondly, most of the things you'll do with your domain data as a Splunk user are about conception and implementation. This is very difficult to achieve without the right knowledge of the Splunk platform.
Splunk user certifications are limited to the Splunk Web User Interface, one of the key reasons why having foundational knowledge (discussed in point 1) is important. These certifications are meant to help Splunk Users gain the knowledge required to get insights from domain data through analysis, search, visualizations, etc. Below is some high level information about the 3 Splunk User Certifications:
Splunk Core Certified User: This Certification has no pre-requisites and is generally recommended for people with no knowledge and experience with the Splunk platform. However, I'll advise people with no knowledge and experience to get foundational knowledge of the Splunk platform (point 1) before taking this Certification. For example, Splunk installation is not part of the blueprint for this Certification. However, you might need to do some practice on a Splunk instance. Gaining the foundational knowledge makes it easy for you to understand the topics in the Certification blueprint. Our Splunk Core Certified User Course is currently one of the best rated premium Splunk Courses on Udemy. You can also download a free copy of sample exam questions and answers here.
Splunk Core Certified Power User: This is an absolute must for anyone interested in growing their knowledge and experience through Splunk Certifications. The power user certification is a prerequisite to multiple professional and expert certifications. It's the bridge you have to cross to become a Splunk expert. Most of the time, employers interested in validating Splunk skills will require this certification at the very least. I'll recommend taking the Splunk Core Certified Power User Certification after passing the Splunk Core Certified User. Note however that the Splunk Core Certified User Certification is not a pre-requisite but highly recommended as my interest is guiding you towards becoming a Splunk expert.
We have created an all-in-one Splunk Core Certified Power User Course with concept based comprehensive course lessons including exam tips (with answers), as well as quizzes and practice tests to make it easy to pass the Splunk Core Certified Power User exam. The lessons also follow the exam blueprint to ensure complete coverage of the exam material. It's organized not only to help you pass the exam but also to gain knowledge that can help you improve your experience and stand out in job interviews through understanding of concepts.
Splunk Core Certified Advanced Power User: If you want to enhance your Splunk user skills, you can take this Certification. For me it's not an absolute must at this point, but if you're planning to become a Splunk Core Certified Consultant, then you'll have to take it at some point. You can grow to the point of becoming a Splunk Certified Architect without requiring the Advanced Power User Certification. However, if you're not interested in administering a Splunk deployment and only want to become an advanced Splunk user, then you should take the Splunk Advanced Power User exam.
Reference Splunk Certifications for more details.
3. Put your Knowledge into Use:
Knowledge is volatile without practice, mistakes, repetition and questions. To get to the next level with Splunk, you have to put the knowledge gained via User Certifications into practice. You may already be an employee with a company using Splunk, and after these certifications, you'll realize how much more you can do with your data. But you really have to challenge yourself and put that knowledge into practice. Even with just your own Splunk instance, there are multiple data repositories online from which you can download, for example, CSV format data and index (upload) it into Splunk for practice. In our courses, we also generated some data using the eventgen app. You can develop other use cases around this data to put your knowledge into practice. If you work in an environment where you have the ability and permissions to work as a Splunk admin, I'll advise you to use the opportunity without delay.
How important are these Certifications to people working exclusively with Splunk Enhanced Solutions such as Splunk Enterprise Security (SIEM), ITSI, SOAR? Splunk Enterprise Security (SIEM) works on the basis of searches (known as correlation searches) running on accelerated data models, looking for any indicators of threats, vulnerabilities or attacks. The results are ultimately displayed on one or more dashboards where analysts can investigate incidents and take appropriate action. Data models (and acceleration) are covered under the power user exam. Enterprise Security also uses the Common Information Model (CIM) to normalize data from security sources into a common standard. CIM is also covered under the power user exam. Reports and Dashboards are covered under the Splunk user exam. Assets and Identities are based on lookup tables, covered under the Splunk User exam. And I can keep going. This is just to say you have more understanding, control and leadership working with SIEM when you gain knowledge and experience from preliminary Splunk Certifications.
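To make the link between those exam topics and an actual correlation search concrete, here is an added SPL example (not from the original post or from Splunk's Enterprise Security content) in the shape of a typical ES-style detection: it reads the accelerated CIM Authentication data model with tstats, counts failed logons per source and user, applies a threshold, and enriches the result from a lookup table the way ES uses asset lookups. The lookup file name asset_priority_demo.csv, its columns (ip, priority, owner) and the threshold of 20 failures are assumptions for illustration; the data model name and the Authentication.action, Authentication.src and Authentication.user fields are the standard CIM ones.

```spl
| tstats summariesonly=true count AS failures
    FROM datamodel=Authentication
    WHERE Authentication.action="failure"
    BY Authentication.src Authentication.user
| rename Authentication.* AS *
| where failures >= 20
| lookup asset_priority_demo.csv ip AS src OUTPUT priority AS src_priority owner AS src_owner
| eval src_priority = coalesce(src_priority, "unknown")
| eval urgency = case(src_priority="critical", "high",
                      src_priority="high",     "medium",
                      true(),                  "low")
| table src user failures src_priority src_owner urgency
| sort - failures
```

Each stage maps to a certification topic from the paragraph above: summariesonly=true restricts the search to data model acceleration summaries (power user), the Authentication.* field names exist only because the source data was CIM-normalized (power user), and the lookup and the resulting table are the same knowledge objects covered at the user level. When saved as a scheduled search, the time window comes from the schedule rather than from the query, which is how ES correlation searches are run.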
4. Learn how to Administer a Splunk Deployment
If you're only interested in analyzing your domain data, this may not matter to you. However, if you want to have the skills required to administer a Splunk deployment and support other Splunk users, then you have to take Splunk Admin Certifications. I've hardly spoken with anyone who tells me they're not interested in becoming a Splunk admin. Splunk Certified Administrators have a good chance of getting jobs as Splunk Admins, Engineers, or even Architects. Below is some high level information about Splunk Admin Certifications.
Splunk Enterprise Certified Admin: Relates to Splunk deployed on premises. Take this Certification if your goal is to manage a Splunk Enterprise deployment on a daily basis. This is one of the most sought after certifications in the job market. Typical for companies that have acquired Splunk and need employees who can administer the deployment and support other Splunk Users.
Splunk Cloud Certified Admin: Relates to Splunk deployed in Cloud. Take this Certification if your goal is to administer Splunk Cloud on a daily basis.
I know there might be some confusion about which one to take, or whether to take both. My advice will be to take the Splunk Enterprise Certified Admin first. Even with this, I think you can still get a job with the Cloud deployment and adapt quickly. You'll see the need to take the Cloud Certification as you grow in experience, but you can take it earlier if it's necessary for your role. Secondly, the expert level Certifications (covered below) in Splunk are on the basis of Splunk Enterprise and will require Splunk Enterprise Certified Admin as a pre-requisite.
Reference Splunk Certifications for more details.
5. Certifications for Enhanced Solutions:
If you work exclusively with SIEM, you might want to take the Splunk Enterprise Security Certified Admin Certification. Note that this Certification has no pre-requisites but I'll recommend taking the Splunk Enterprise Certified Admin Certification before this one. Same thing applies to ITSI and SOAR Certifications.
6. Become a Splunk Expert!!!
People with expert level certifications get some of the most high profile jobs in Splunk. Most of the Certifications already discussed count as pre-requisites. Splunk offers two expert level Certifications. Both exams are on the basis of Splunk Enterprise.
Splunk Enterprise Certified Architect: Architects use best practices to plan, size deployments, collect data and get involved with troubleshooting and management. So they'll typically get into the work flow even before Splunk is deployed. Pre-requisite exams:
Splunk Core Certified Power User
Splunk Enterprise Certified Admin
Splunk Core Certified Consultant: This is the highest expert level Certification under Splunk Enterprise. It validates expert knowledge of how to deploy and implement large Splunk installations, and an advanced understanding of multi-tier Splunk architectures, clustering and scalability. Pre-requisite exams:
Splunk Core Certified Power User
Splunk Core Certified Advanced Power User
Splunk Enterprise Certified Admin
Splunk Enterprise Certified Architect
Reference Splunk Certifications for more details.
Hope this was helpful. If you have any questions or require additional information, please submit below.