Splunk Training Authorised Partner Ingeniq

Splunk Enterprise System Administration

The Splunk Enterprise System Administration course is designed for system administrators who are responsible for managing the Splunk Enterprise environment.


The Splunk Enterprise System Administration course provides fundamental knowledge of the Splunk license manager, indexers and search heads. It covers configuring, managing and monitoring the core Splunk Enterprise components.

Units : 2
Duration : 9 hours over 2 days
Time : 9:00 am – 1:30 pm AEST (GMT +10)

*Course discounts apply for Splunk Partners. Please use the currency converter above to check course pricing in your local currency.


One of the best trainers I've had - keeps content relevant & explains the tasks in easily understood language. Extremely knowledgeable in all fields relating to the content. Well paced & accommodated to everyone's questions & progress.

Participant, Splunk Enterprise Data Administration

Splunk Enterprise System Administration - Course Topics
  • Splunk Deployment Overview

  • License Management

  • Splunk Apps

  • Splunk Configuration Files

  • Users, Roles, and Authentication

  • Getting Data In

  • Distributed Search

  • Introduction to Splunk Clusters

Splunk Enterprise System Administration - Audience

Anyone in a technical role who is involved in managing Splunk within their organisation, or who is looking to become Splunk certified. Previous attendees have included IT Administrators, DevOps engineers, Security Analysts and Solution Architects.

After completing the Splunk Enterprise System Administration course, you will be able to:
  • Build and manage a production Splunk environment

  • Administer licences

  • Install and configure forwarders

  • Understand the basics of getting data into Splunk

  • Maintain and optimise indexes

  • Create and manage users & roles

  • Understand Splunk scaling using distributed search and management

Splunk Enterprise System Administration - Course Objectives

Module 1 – Splunk System Overview

  • Splunk overview

  • Identify Splunk components

  • Identify Splunk system administrator role

Module 2 – License Management

  • Identify license types

  • Describe license violations

  • Add and remove licenses

Module 3 – Splunk Apps

  • Describe Splunk apps and add-ons

  • Install an app on a Splunk instance

  • Manage app accessibility and permissions

Module 4 – Splunk Configuration Files

  • Describe Splunk configuration directory structure

  • Understand configuration layering process

  • Use btool to examine configuration settings

Module 5 – Splunk Indexes

  • Describe index structure

  • List types of index buckets

  • Create new indexes

  • Monitor indexes with Monitoring Console

Module 6 – Splunk Index Management

  • Apply a data retention policy

  • Backup data on indexers

  • Delete data from an index

  • Restore frozen data

Module 7 – Splunk User Management

  • Describe user roles in Splunk

  • Create a custom role

  • Add Splunk users

Module 8 – Splunk Authentication Management

  • Integrate Splunk with LDAP

  • List other user authentication options

  • Describe the steps to enable Multifactor Authentication in Splunk

Module 9 – Getting Data In

  • Describe the basic settings for an input

  • List Splunk forwarder types

  • Configure the forwarder

  • Add an input to a universal forwarder (UF) using the CLI

Module 10 – Distributed Search

  • Describe how distributed search works

  • Explain the roles of the search head and search peers

  • Configure a distributed search group

  • List search head scaling options

Module 11 – Introduction to Splunk Clusters

  • Introduction to Splunk clustering concepts

Splunk Course Schedules and Timezones

Ingeniq courses are delivered live, in English, to customers spanning multiple timezones.

Dates and times displayed for each course are relative to Australian Eastern Time (AET).

AM Marked Splunk Courses

AM marked courses start at 9:00am AET and finish at 1:30pm AET (4.5-hour sessions over one or more days) and are best suited to customers in the following countries and areas:

  • UTC+10 including Australia (East Coast)

  • UTC+11/+12 including New Zealand and the Pacific Islands

  • UTC-8 including USA (West Coast), Canada (West Coast)

  • UTC-7 including USA (Mid West)

PM Marked Splunk Courses

PM marked courses start at 2:00pm AET and finish at 6:30pm AET (4.5-hour sessions over one or more days) and are best suited to customers in the following countries and areas:

  • UTC+9 including Japan, Korea

  • UTC+8 including Australia (West Coast), Singapore, Hong Kong, China, Philippines, Brunei, Thailand

  • UTC+5/+6 including India and Sri Lanka
