#Splunk

Last updated    - V4 (14-Sep-2025)

Level	Topic	Subtopics
Basic	Introduction to Splunk	What is Splunk, Features, Architecture, Editions, Use Cases
	Splunk Components	Forwarders, Indexers, Search Heads
	Data Ingestion Basics	Input types, Data sources, Formats
	Splunk Search Language (SPL) Basics	Search commands, Syntax, Keywords
	Indexing	Index creation, Data retention, Index types
	Fields & Field Extraction	Default fields, Extracting fields, Regex
	Event Types	What are events, Event metadata, Event examples
	Knowledge Objects	Saved searches, Event types, Tags
	Dashboards Basics	Simple dashboards, Panels, Charts
	Splunk Documentation & Tools	Splunk Docs, Apps, Add-ons
Intermediate	Advanced Search Commands	stats, timechart, chart, top, rare, eval
	Data Parsing & Transforming	Transforms.conf, Props.conf, Data normalization
	Lookup Tables	Static lookups, Automatic lookups, KV Store lookups
	Field Aliases	Field renaming, Best practices
	Tags & Event Types	Custom tags, Event categorization
	Alerts & Scheduled Searches	Creating alerts, Trigger actions, Scheduled searches
	Splunk Apps & Add-ons	Installing apps, Using add-ons, Marketplace
	Data Models & Pivots	CIM, Pivot interface, Accelerated data models
	Search Macros	Macro creation, Usage, Parameters
	Regular Expressions	Extracting data, Named captures, Best practices
Advanced	Indexing Internals	Index structure, Buckets, Indexing pipelines
	Data Retention Policies	Frozen data, Retention settings, Archiving
	Performance Tuning	Search optimization, Index optimization, Best practices
	Splunk Clustering	Indexer clustering, Search head clustering, Deployment scenarios
	Distributed Search	Search head pooling, Search affinity, Load balancing
	Advanced Dashboards & Visualizations	Dynamic panels, Drilldowns, Advanced charts
	Splunk REST API	API endpoints, Authentication, Examples
	Security & Access Control	Roles, Users, Authentication methods
	Event Correlation	Correlation searches, Use cases
	Splunk Enterprise Security	ES app, Notable events, Incident review
Expert	Splunk Architecture Deep Dive	Indexer internals, Forwarder types, Queue handling
	Custom Apps & Add-ons	App development, Splunk SDKs, Deployment
	Advanced Field Extraction	Regex optimization, Field aliases, Multi-line events
	Splunk Deployment Strategies	Single vs Multi-site, Best practices
	Troubleshooting Splunk	Log analysis, Common errors, Debugging techniques
	Data Model Acceleration	CIM compliance, Acceleration techniques
	Machine Learning Toolkit (MLTK)	Installing MLTK, Using algorithms, Predictive analytics
	Splunk IT Service Intelligence (ITSI)	KPIs, Glass tables, Service monitoring
	Splunk Observability Cloud	APM, Metrics, Infrastructure monitoring
	Future Trends & Best Practices	Cloud-native Splunk, AI integration, Performance tuning

1. Fundamentals

1. What is Splunk and what are its main features?
2. Explain the Splunk architecture.
3. What are the different Splunk editions?
4. What is the difference between indexers, forwarders, and search heads?
5. What is a forwarder in Splunk?
6. What are the types of forwarders?
7. How does Splunk ingest data?
8. What are events in Splunk?
9. Explain Splunk buckets and their types.
10. How do you search data in Splunk?
11. What is SPL (Search Processing Language)?
12. How do you create a basic search query?
13. What are fields in Splunk?
14. How do you extract fields?
15. What are tags and event types?
16. What is a knowledge object?
17. How do you create saved searches?
18. What is a dashboard in Splunk?
19. What is the role of Splunk apps and add-ons?
20. How do you monitor Splunk logs?
21. What is Splunk Data Models?
22. What are lookup tables in Splunk?
23. What is the difference between Splunk Free vs Enterprise?
24. What are common use cases of Splunk?
25. How does Splunk handle large data volumes?

---

2. Searching & Reporting

1. How do you use the stats command in Splunk?
2. How do you use the timechart command?
3. What is the eval command used for?
4. How do you filter results using where?
5. How do you count unique events?
6. How do you sort data in Splunk search?
7. How do you use top and rare commands?
8. What is the difference between table and fields commands?
9. How do you create macros in Splunk?
10. How do you use the rex command?
11. How do you perform regular expression searches?
12. How do you create alerts from search results?
13. What is the difference between scheduled and real-time searches?
14. How do you perform subsearches?
15. How do you join data from multiple indexes?
16. How do you create summary indexes?
17. What are lookup tables and how are they used in searches?
18. How do you use workflow actions in Splunk?
19. How do you create drilldowns in dashboards?
20. How do you visualize search results using charts?
21. How do you implement conditional evaluation in searches?
22. How do you handle large search results?
23. How do you extract multi-line events?
24. How do you track failed searches?
25. How do you optimize search performance?

---

3. Indexing & Data Management

1. How is data indexed in Splunk?
2. What are hot, warm, cold, and frozen buckets?
3. How do you configure retention policies?
4. What is the role of props.conf and transforms.conf?
5. How do you handle timestamp extraction?
6. How do you manage sourcetypes?
7. How do you manage host, source, and index fields?
8. What is data normalization?
9. How do you perform data transformations?
10. How do you handle duplicate events?
11. What are common indexing errors and how do you troubleshoot them?
12. How do you monitor indexing performance?
13. How do you scale indexing for high-volume data?
14. What is the difference between event-based and metric-based indexes?
15. How do you archive frozen data?
16. How do you import external CSV or JSON files?
17. How do you handle structured vs unstructured data?
18. How do you configure inputs for forwarders?
19. How do you monitor ingestion queues?
20. How do you manage multiple indexes?
21. How do you enforce data retention compliance?
22. How do you detect data anomalies during indexing?
23. How do you troubleshoot slow indexing issues?
24. How do you set up indexer clustering?
25. How do you perform index recovery?

---

4. Security & Administration

1. How do you manage users and roles in Splunk?
2. What are Splunk capabilities?
3. How do you configure role-based access control (RBAC)?
4. How do you secure Splunk deployment?
5. How do you implement SSL/TLS in Splunk?
6. How do you configure single sign-on (SSO)?
7. What are authentication methods in Splunk?
8. How do you audit user activity?
9. How do you monitor Splunk logs for security?
10. How do you manage tokens and API keys?
11. How do you implement alert actions securely?
12. How do you limit access to indexes?
13. How do you monitor license usage?
14. What are best practices for Splunk administration?
15. How do you perform backup and restore?
16. How do you troubleshoot user login issues?
17. How do you configure data encryption at rest?
18. How do you monitor deployment health?
19. How do you maintain high availability?
20. How do you upgrade Splunk safely?
21. How do you configure clustering for security?
22. How do you monitor and alert on system metrics?
23. How do you implement compliance audits?
24. How do you manage large-scale deployments?
25. How do you ensure disaster recovery readiness?

---

5. Dashboards & Visualization

1. How do you create a dashboard in Splunk?
2. What are panels and how do you use them?
3. How do you use charts and graphs?
4. How do you implement drilldowns in dashboards?
5. How do you use dynamic dropdowns?
6. How do you add real-time search panels?
7. How do you use CSS and Simple XML in dashboards?
8. How do you create advanced visualizations?
9. How do you use custom tokens?
10. How do you schedule dashboard refresh?
11. How do you embed dashboards in web pages?
12. How do you use single-value visualizations?
13. How do you create geospatial visualizations?
14. How do you apply conditional formatting?
15. How do you link dashboards together?
16. How do you optimize dashboard performance?
17. How do you create multi-panel dashboards?
18. How do you filter dashboards by tokens?
19. How do you implement drill-through dashboards?
20. How do you create scatter plots and heatmaps?
21. How do you use advanced charting libraries?
22. How do you create dynamic tables?
23. How do you visualize log trends over time?
24. How do you manage dashboard permissions?
25. How do you troubleshoot slow dashboards?

---

6. Splunk Enterprise Security (ES) & ITSI

1. What is Splunk Enterprise Security (ES)?
2. What are notable events in ES?
3. How do you create correlation searches?
4. How do you configure risk scores?
5. What are key performance indicators (KPIs) in ITSI?
6. How do you use service monitoring in ITSI?
7. What is a glass table?
8. How do you configure thresholds in ES?
9. How do you integrate threat intelligence?
10. How do you configure adaptive response actions?
11. How do you manage ES data models?
12. How do you perform incident review?
13. How do you configure ITSI episodes?
14. How do you customize notable event aggregation?
15. How do you implement risk-based alerting?
16. How do you use machine learning in ES?
17. How do you integrate ES with SOAR tools?
18. How do you monitor service health in ITSI?
19. How do you configure key metrics for services?
20. How do you manage ES add-ons?
21. How do you create custom ES dashboards?
22. How do you tune ES correlation searches?
23. How do you handle ES data from multiple sources?
24. How do you configure incident prioritization?
25. How do you optimize ES performance?

---

7. Advanced Topics & Troubleshooting

1. How do you troubleshoot slow searches?
2. How do you optimize SPL queries?
3. How do you monitor forwarder performance?
4. How do you handle high-volume ingestion issues?
5. How do you troubleshoot indexer failures?
6. How do you resolve licensing issues?
7. How do you monitor CPU and memory usage in Splunk?
8. How do you identify bottlenecks in distributed search?
9. How do you troubleshoot dashboard performance issues?
10. How do you monitor Splunk deployment health?
11. How do you handle data duplication issues?
12. How do you manage multi-site Splunk deployment?
13. How do you debug custom apps and add-ons?
14. How do you monitor and alert on search latency?
15. How do you use REST API for troubleshooting?
16. How do you manage indexer clustering issues?
17. How do you perform proactive capacity planning?
18. How do you handle hot and cold bucket issues?
19. How do you optimize KV store performance?
20. How do you configure distributed caching?
21. How do you implement Splunk Observability Cloud features?
22. How do you debug field extraction issues?
23. How do you monitor and optimize alert execution?
24. How do you integrate Splunk with external monitoring tools?
25. How do you stay updated with Splunk best practices?