Avoiding a “Train” Wreck: Getting the Most Out of Splunk
by Scott Anderson, on Jul 8, 2016 10:43:27 AM
In a bit of a departure from our recent technical blog posts, I’d like to focus instead on getting the best value out of your Splunk investment. Many times, most of the effort is concentrated on getting data into Splunk with little regard to what end users need to know in order to use it and what administrators need to know to configure and maintain it properly. Today’s topic in a word: training.
GTRI has seen firsthand what happens when Splunk users are not adequately trained. More than once, our Professional Services team has found itself onsite only to find the first task is to provide basic Splunk training on terminology and concepts. Training at enterprise level professional services rates is an expensive undertaking.
The simple reality is it is not possible to maintain and leverage Splunk effectively without a basic understanding of its architecture and search language. Unfortunately, this is not an infrequent occurrence. Inadequate understanding leads to systems with high maintenance costs, long searches and potentially inaccurate data, and could lead to this valuable tool languishing on your network.
Fortunately, a few hours of training go a long way to preventing these types of issues. Here is a quick rundown of various Splunk training options.
Splunk Certified Education is a good resource to provide users with instruction and hands-on lab training on a host of subjects. Course topics vary from operating the user interface to specifics about a particular app or activity. The courses that would benefit a user are highly dependent upon the role that user plays within the Splunk environment. A summary of recommended training is listed below. Note that this table only incorporates the basic level courses and there are many more available. The complete list can be found on the Splunk website at http://www.splunk.com/view/education/SP-CAAAAH9.
GTRI is one of just a few Splunk certified training centers in the United States. We use approved Splunk courseware for certified training. Our delivery options include virtual or onsite, public or private classes at your location or at our training center in Denver. We can also provide custom training pertaining to your environment to help you optimize your Splunk investment. You can learn more about GTRI’s Splunk training on the GTRI website.
Free Online Resources
While certified training is a simple way to bundle learning into a convenient block, it also requires the sometimes scarce resources of time and money. For the self-starter there are other avenues available which may require more effort, but can lead to a deeper understanding than a class lecture with step-by-step lab instructions.
Along with for-fee courses, Splunk currently provides three free e-learning courses:
- Splunk Tutorial: A basic overview of Splunk
- Building Add-ons: A look at creating apps that collect and process data
- Creating Modular Inputs: Instruction on enhancing the Data Inputs capabilities of the GUI
These free courses can be accessed from the Splunk Education page at the bottom of the right column (until they redesign the layout…).
Splunk provides extensive online documentation in several functional areas. The online documentation is laid out a bit differently than the certified courses but covers the same information. You will, of course, have to provide your own “lab” environment to experiment.
There are various options available online outside of Splunk including YouTube videos and webinars. In a shameless plug for my company, GTRI provides a free 2-hour Splunk Fundamentals virtual bootcamp with a hands-on lab to help jump start those that are interested in learning about Splunk. In addition, we also offer a Splunk for Security bootcamp for experienced users looking for an introduction to the Enterprise Security Premium App which also includes hands-on lab time. You can learn more about both bootcamps on our website.
Several topics are addressed by the user community at the Splunk Wiki ranging from troubleshooting to implementation details. Splunk has done a great job enabling and supporting Splunk’ers by providing documentation as well as enabling the partner and customer ecosystem. The overall ecosystem is very helpful and forthcoming with lessons learned, shortcuts, best practices and the like within this free and valuable resource.
This is not strictly a training resource, but more of a question and answer forum. However, much can be learned about specific topics if you care to mine Splunk Answers for information. While perusing its contents, be aware that some entries are dated and may not be relevant to your version of Splunk. Still, it’s a valuable resource for specific topics.
“Just Try It”
One of the great things with the Splunk platform is that it is freely available for 500 MB a day. If you want to jump in and get your hands dirty first, it’s easy to do with Splunk. Download Splunk and collect data on your own personal instance. While this does not provide good architectural or best practices experience, there is something to be said for learning it experientially. I frequently run into challenges that are not directly addressed in courses and this method helps me work through the issue. I would recommend augmenting it with another method, but I know I learn better when I am solving my own problems.
Splunk is a versatile platform for Operational and Security Intelligence. Ensuring that your team understands how to configure, maintain and use it effectively are the keys to getting value out of the platform. Regardless of your information source, having knowledgeable Splunk users is critical to keeping your environment in tune and operating efficiently.
Scott Anderson is a Big Data Consulting Architect in Professional Services at GTRI.