
In this lecture, you will get a complete introduction to Splunk, including what it is, how it works, and why it is widely used for log management, monitoring, security, and operational intelligence. The session explains Splunk’s core use cases, products, and key architecture components such as forwarders, indexers, and search heads.
You will also learn, step by step, how to download Splunk Enterprise and the Universal Forwarder by selecting the correct operating system and architecture. This lecture is designed for beginners and helps you understand both the concepts and the practical setup required to start working with Splunk in real-world environments.
In this lecture, you will explore the Splunk Web Graphical User Interface (GUI) and learn how to navigate the Splunk Enterprise platform with confidence. The session walks through accessing the Splunk Web interface, understanding the home page layout, and using key components such as apps, the sidebar, menus, and settings.
You will learn how to add data, run basic searches, visualize results, manage users, and customize the interface to suit your workflow. This lecture is designed to help both beginners and administrators become comfortable using Splunk’s dashboard and core features in real-world environments.
In this lecture, you will learn how to search and analyze data using Splunk’s Search & Reporting interface. The session explains how the search bar works, how to select appropriate time ranges, and how Splunk processes search queries to return meaningful results.
You will explore basic search techniques, understand how to filter and organize events, and view results in tables and visual formats. This lecture helps beginners build confidence in searching data effectively while laying the foundation for advanced SPL, dashboards, and alerts in later sections.
In this lecture, you will explore the different ways to get help while working with Splunk. The session covers Splunk’s built-in Help menu, official documentation, Splunk Answers community, IRC channels, Splunk Support portal, and Splunkbase.
You will learn how and when to use each resource for troubleshooting issues, learning new features, finding SPL examples, and extending Splunk functionality. This lecture helps you become more confident and independent when working with Splunk in real-world environments.
In this lecture, you will learn how Splunk licensing works and how licenses are calculated based on daily data ingestion. The session explains the different types of Splunk licenses, including the Free License, Developer License, and Enterprise License, and when each one should be used.
You will also learn how to obtain a free Splunk license for learning and development purposes, including how to access the Developer License and use the default free license that comes with Splunk Enterprise. This lecture helps you understand licensing limits and choose the right option before moving into installation and hands-on setup.
In this lecture, you will learn how Splunk Enterprise architecture is designed for small, medium, and large enterprise environments based on data volume and performance requirements. The session explains how components such as Universal Forwarders, Heavy Forwarders, Indexers, Search Heads, Deployment Server, and License Server work together in different deployment models.
You will understand how data flows through Splunk, when to use standalone instances versus clustered architectures, and how Splunk scales from a simple setup to a highly available enterprise deployment. This lecture helps you design the right Splunk architecture for real-world production environments.
In this lecture, you will learn how High Availability (HA) and Clustering work in Splunk Enterprise to ensure continuous data availability, fault tolerance, and disaster recovery. The session explains a multi-site Splunk architecture and how different components collaborate to keep the platform running even during node or site failures.
You will understand the roles of Search Head Clusters, Indexer Clusters, Heavy Forwarders, and Universal Forwarders, along with key concepts such as replication factor (RF), search factor (SF), and cross-site data replication. The lecture also covers how Deployment and License Servers centrally manage large-scale environments. This lesson helps you design resilient, scalable, and enterprise-ready Splunk deployments.
In this lecture, you will learn how to design a stable and high-performing Splunk environment by understanding its hardware requirements and capacity planning principles. The session covers key system requirements such as CPU cores, memory, disk IOPS, storage design, and operating system settings needed for reliable Splunk deployments.
You will also explore capacity planning concepts, including license sizing, architecture design, and hardware selection based on data volume and user activity. By the end of this lecture, you will be able to plan and size Splunk infrastructure effectively for small, medium, and large enterprise environments.
In this lecture, you will learn how to calculate and size a Splunk Enterprise license based on daily data ingestion and real-world log volumes. The session walks through a practical, step-by-step approach—estimating log sizes, determining the number of indexers and search heads, evaluating the need for heavy forwarders, and planning deployment and license management components.
You will also understand when to use clustering and high availability, and how to apply the Splunk Sizing Calculator to convert EPS to GB/day and estimate storage and hardware requirements. By the end of this lecture, you’ll be able to design a cost-effective, scalable, and production-ready Splunk deployment.
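The EPS-to-GB/day conversion and the indexer/storage arithmetic described above, as an added worked example (this is not the course's calculator and not Splunk's published sizing tool). The per-indexer daily budget of 100 GB, the 20% license headroom, the 50 GB license step, the 0.5 compressed-to-raw storage ratio and the use of decimal gigabytes are all planning assumptions; substitute the figures from your own sizing exercise.

```python
"""Back-of-envelope sizing for a Splunk Enterprise deployment.

Added example, not from the course. The per-indexer daily budget, the
20% license headroom, the 50 GB license step, the 0.5 compressed-to-raw
ratio and decimal gigabytes are all planning assumptions; replace them
with the figures from your own sizing calculator run.
"""
import math
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
BYTES_PER_GB = 1_000_000_000  # assumption: decimal GB


@dataclass(frozen=True)
class SizingPlan:
    gb_per_day: float
    license_gb: int
    indexers: int
    storage_gb: float


def eps_to_gb_per_day(eps, avg_event_bytes):
    """Events per second at an average raw event size -> GB of raw data per day."""
    return eps * avg_event_bytes * SECONDS_PER_DAY / BYTES_PER_GB


def plan(eps, avg_event_bytes, retention_days, replication_factor=1, *,
         headroom=0.20, license_step_gb=50, gb_per_indexer_per_day=100.0,
         compressed_ratio=0.5):
    """Turn a log rate into a license size, an indexer count and a storage estimate."""
    gb_day = eps_to_gb_per_day(eps, avg_event_bytes)
    # License: daily volume plus headroom, rounded up to the next purchasable step.
    license_gb = math.ceil(gb_day * (1 + headroom) / license_step_gb) * license_step_gb
    # Indexers: enough for the daily volume, and never fewer than the replication
    # factor (a cluster cannot keep RF copies of a bucket on fewer than RF peers).
    indexers = max(replication_factor, math.ceil(gb_day / gb_per_indexer_per_day))
    # Storage: raw volume over the retention window, compressed, times copies kept.
    storage_gb = gb_day * retention_days * compressed_ratio * replication_factor
    return SizingPlan(gb_day, license_gb, indexers, storage_gb)


if __name__ == "__main__":
    # 5,000 EPS of 250-byte events, 90 days retention, RF=2 (constructed inputs)
    print(plan(5000, 250, retention_days=90, replication_factor=2))
```

The replication-factor floor on the indexer count is the part people forget: a two-copy cluster sized purely on volume can come out at one indexer, which cannot satisfy RF=2.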
In this lecture, you will learn how Splunk Enterprise calculates license usage based on daily data ingestion. We will walk through a practical demo to understand how indexed data volume is measured and how license limits are applied in real-time environments.
You will also learn how to monitor license consumption, identify violations, and prevent unexpected license warnings. By the end of this session, you’ll be able to confidently manage and optimize Splunk licensing in real-world scenarios.
In this lecture, you will learn how to prepare your system and network for installing Splunk in real-world environments. The session walks through a practical, step-by-step approach—reviewing system requirements, configuring firewall ports for Splunk components, and validating communication between forwarders, indexers, and search heads.
You will also understand critical Linux performance prerequisites such as Transparent Huge Pages (THP), why it impacts Splunk performance, how to verify its status, and how to disable it correctly before installation. By the end of this lecture, you’ll be ready to install Splunk with confidence in a stable, optimized, and production-ready setup.
In this lecture, you will learn advanced system-level prerequisites required before installing Splunk in production environments. The session covers configuring SELinux (or disabling it, where your hardening policy permits) to avoid permission-related issues, and validating disk performance using tools like Bonnie++ to measure real-world IOPS under Splunk-like workloads. A practitioner's caveat: disabling SELinux removes a layer of host hardening, so where possible keep it enforcing and fix the file contexts on the Splunk directories instead.
You will also learn how to monitor live disk and CPU performance using iostat, interpret key metrics such as I/O wait and transactions per second, and verify whether your storage meets Splunk indexing requirements. In addition, this lecture explains how to configure system limits (ulimit) as per Splunk recommendations to ensure optimal stability and performance. By the end, you’ll have a fully validated, performance-ready system prepared for a successful Splunk installation and licensing setup.
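The iostat interpretation described above, as an added example that is not part of the course material: it parses a constructed `iostat 1 3`-style transcript, skips the first sample (which iostat reports as the average since boot), and judges a device against a minimum transactions-per-second target and a maximum %iowait. The 800 tps and 10% iowait thresholds are assumptions for illustration, not Splunk's published requirements.

```python
"""Read iostat output and judge whether a disk meets an I/O target.

Added example, not course material. IOSTAT_SAMPLE is a constructed
`iostat 1` transcript; the thresholds in assess() are assumptions.
"""
from statistics import mean

IOSTAT_SAMPLE = """Linux 5.15.0 (idx01) 	01/01/24 	_x86_64_	(8 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           4.10    0.00    1.20    0.80    0.00   93.90

Device             tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
nvme0n1         950.00      1200.00     38000.00       1200      38000
sda              12.00        40.00       120.00         40        120

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
          35.00    0.00    8.00    6.50    0.00   50.50

Device             tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
nvme0n1        1100.00      1500.00     52000.00       1500      52000
sda              15.00        50.00       130.00         50        130
"""


def parse_iostat(text):
    """Return one dict per sample: {"iowait": float, "tps": {device: float}}."""
    samples, mode, cur = [], None, None
    for line in text.splitlines():
        if line.startswith("avg-cpu:"):
            cur = {"iowait": None, "tps": {}}
            samples.append(cur)
            mode = "cpu"
            continue
        if line.startswith("Device"):
            mode = "dev"
            continue
        if not line.strip():
            mode = None
            continue
        if mode == "cpu" and cur is not None:
            cur["iowait"] = float(line.split()[3])  # %iowait is the 4th column
            mode = None
        elif mode == "dev" and cur is not None:
            parts = line.split()
            cur["tps"][parts[0]] = float(parts[1])  # tps is the 2nd column
    return samples


def assess(samples, device, *, skip_first=True, min_tps=800.0, max_iowait=10.0):
    """Average the live samples for one device and compare against the targets."""
    use = samples[1:] if skip_first and len(samples) > 1 else samples
    avg_tps = mean(s["tps"][device] for s in use)
    avg_iowait = mean(s["iowait"] for s in use)
    return {
        "device": device,
        "avg_tps": avg_tps,
        "avg_iowait": avg_iowait,
        "meets_target": avg_tps >= min_tps and avg_iowait <= max_iowait,
    }


if __name__ == "__main__":
    data = parse_iostat(IOSTAT_SAMPLE)
    for dev in ("nvme0n1", "sda"):
        print(assess(data, dev))
```

Run it against real output with `iostat 1 30 > iostat.txt` during an indexing burst, then feed the file to `parse_iostat`; a short idle sample will pass the iowait check and tell you nothing.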
In this lecture, you’ll explore the core directory structure of Splunk and understand how Splunk is organized across Linux and Windows systems. The session explains the concept of Splunk Home, its default installation paths, and how these paths are used consistently across different operating systems.
You’ll take a guided walkthrough of key directories such as bin (executables and scripts), etc (configuration files and apps), and var (logs and indexed data). You’ll also learn the purpose of critical subdirectories, including apps, deployment apps, cluster-related apps, system configurations, logs, and default data storage locations. By the end of this lecture, you’ll clearly understand where Splunk stores binaries, configurations, logs, and data—an essential foundation for daily Splunk administration and troubleshooting.
In this lecture, you’ll gain a clear understanding of how configuration precedence works in Splunk. We explain how Splunk reads and applies configuration files when the same settings exist in multiple locations, and why certain configurations override others during startup and runtime.
You’ll learn the complete hierarchy—from system local (highest precedence) to app local, app default, and system default—with a practical walkthrough inside the Splunk directory structure. Using real examples, the lecture demonstrates how Splunk resolves conflicts for settings such as ports and service behavior, and how default configurations ensure Splunk starts even without customization. By the end, you’ll understand exactly where to place configurations for effective control, troubleshooting, and enterprise-grade Splunk administration.
In this lecture, you’ll see how configuration precedence works in Splunk through a clear, hands-on example. The session begins with a quick recap of Splunk’s configuration hierarchy and then demonstrates how Splunk resolves conflicts when the same setting exists in multiple .conf files.
Using inputs.conf, you’ll walk through real modifications across system local, app local, app default, and system default directories. You’ll observe how Splunk merges configurations during startup, verify the effective settings after a restart, and clearly identify which configuration wins and why. By the end of this lecture, you’ll confidently know where to place custom configurations, how to validate precedence, and how to avoid common mistakes that can cause unexpected behavior in production Splunk environments.
In this lecture, you’ll learn how to test and verify configuration precedence in real time using Splunk internal logs. The session demonstrates a practical validation approach by analyzing events in the internal index to confirm which configuration is actively applied when the same setting exists across multiple hierarchy levels.
You’ll observe how Splunk behavior changes as configurations are removed step by step from system local, app local, and app default directories, and how Splunk automatically falls back to the next level in the hierarchy. The lecture concludes with clear best practices for troubleshooting precedence issues, understanding override behavior during startup, and safely managing configurations without modifying default files. By the end, you’ll have complete clarity on how Splunk selects final configurations and how to diagnose precedence-related issues with confidence in production environments.
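The three precedence lectures above describe the same experiment: the same inputs.conf key placed at system/local, app/local, app/default and system/default, then removed top-down while watching which value survives. The following added example (not the course's code) reproduces that experiment offline by building a throwaway $SPLUNK_HOME tree and merging the four layers key by key, the way Splunk resolves the global context. It assumes a single app named `search`; multi-app ASCII ordering and the `[default]` stanza are out of scope.

```python
"""Simulate Splunk's global-context configuration layering (btool-style).

Added example, not part of the course: it builds a throwaway $SPLUNK_HOME
tree, writes the same inputs.conf stanza at the four layers the course
names, and merges them key by key in precedence order. Multi-app ASCII
ordering and the [default] stanza are deliberately out of scope.
"""
import configparser
import tempfile
from pathlib import Path

# Lowest precedence first; a later layer overrides the same key in an earlier one.
LAYERS = (
    "etc/system/default",
    "etc/apps/{app}/default",
    "etc/apps/{app}/local",
    "etc/system/local",
)


def read_conf(path):
    """Parse one .conf file into {stanza: {key: value}}; a missing file gives {}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    if Path(path).exists():
        cp.read(path)
    return {s: dict(cp[s]) for s in cp.sections()}


def effective_conf(splunk_home, conf_name, app):
    """Merge conf_name across LAYERS the way Splunk resolves the global context."""
    merged = {}
    for layer in LAYERS:
        layer_file = Path(splunk_home) / layer.format(app=app) / conf_name
        for stanza, keys in read_conf(layer_file).items():
            merged.setdefault(stanza, {}).update(keys)  # per-key override, not whole-stanza
    return merged


def write_conf(splunk_home, layer, app, conf_name, text):
    path = Path(splunk_home) / layer.format(app=app) / conf_name
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    return path


def demo(root=None):
    """Write the constructed sample, then strip layers top-down to watch the fallback."""
    root = Path(root or tempfile.mkdtemp(prefix="splunk_home_"))
    stanza = "monitor:///var/log/secure"
    for layer, value in zip(LAYERS, ("default", "app-default", "app-local", "system-local")):
        # Only app/local sets index, so the merge must keep it even though
        # system/local wins the sourcetype key.
        extra = "index = security\n" if layer == "etc/apps/{app}/local" else ""
        write_conf(root, layer, "search", "inputs.conf",
                   f"[{stanza}]\nsourcetype = {value}\n{extra}")
    merged = effective_conf(root, "inputs.conf", "search")[stanza]
    winners = []
    for layer in reversed(LAYERS):  # remove system/local first, system/default last
        winners.append(effective_conf(root, "inputs.conf", "search")[stanza]["sourcetype"])
        (root / layer.format(app="search") / "inputs.conf").unlink()
    return {"merged": merged, "winners": winners}


if __name__ == "__main__":
    print(demo())
```

Two things the merged result shows that the hierarchy diagram alone does not: overriding is per key, so a stanza in system/local does not erase keys set for the same stanza in app/local, and a file that is merely absent is treated as empty, which is why deleting a local file falls cleanly through to the next layer.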
In this lecture, you’ll learn how to perform a complete, step-by-step installation of Splunk Enterprise on Linux in a real-world environment. The session begins with a brief overview of Splunk Enterprise and then moves fully into hands-on execution using the Linux and AWS consoles.
You’ll walk through downloading the Splunk package, installing it using the RPM package manager, starting the Splunk service, and accessing Splunk Web for the first time. The lecture also demonstrates installing Splunk Enterprise across multiple machines to prepare different roles such as Search Head, Indexer, Heavy Forwarder, and Deployment Server (License Manager). By the end of this lecture, you’ll understand how to install Splunk consistently across environments and be ready to configure each instance for its specific enterprise role.
In this lecture, you’ll learn how to install and configure the Splunk Universal Forwarder on a Windows system and connect it to a Splunk Indexer. The session explains the role of the Universal Forwarder and why it is essential for collecting Windows event logs, security logs, and application data from endpoint systems.
You’ll walk through the complete Windows-based installation process, understand default installation paths, SSL certificate prompts, and key setup options such as data selection and Active Directory monitoring. The lecture also introduces how indexer and deployment server details can be configured during or after installation using multiple approaches. By the end, you’ll be ready to forward Windows data reliably from Universal Forwarders to your central Splunk environment for further analysis.
In this lecture, you’ll learn how to install and start a Splunk Search Head on a Linux server using Splunk Enterprise. The session walks through downloading the package, running Splunk as a non-root application user, starting the service for the first time, and accepting the license from the command line.
You’ll also understand the role of the Search Head as the primary interface for running SPL searches, creating dashboards, reports, and alerts. The lecture demonstrates first-time startup behavior, certificate generation, initial configuration setup, and accessing the Splunk Web login screen. By the end, you’ll have a fully running Splunk Search Head instance, ready for further configuration and integration with indexers and forwarders in an enterprise environment.
In this lecture, you’ll learn how to start and initialize Splunk Indexer instances using Splunk Enterprise on Linux. The session demonstrates bringing up an already installed Splunk instance as an indexer, running it under a non-root Splunk application user, and starting the service using CLI options to automatically accept the license.
You’ll walk through first-time startup behavior, setting the admin password, and accessing the Splunk Web interface to verify successful initialization. The lecture also reinforces how the same startup process applies to other Splunk components, such as Heavy Forwarders, ensuring consistency across your environment. By the end, you’ll have a running Splunk Indexer instance, ready for further configuration to receive, index, and store incoming data in an enterprise Splunk deployment.
In this lecture, you’ll learn how to bring up and configure Splunk Heavy Forwarders and Deployment Servers using Splunk Enterprise in a Linux environment. The session demonstrates starting the installed instances under a non-root Splunk application user, accepting the license via CLI, and verifying successful startup through Splunk Web.
You’ll also be introduced to post-installation configuration tasks commonly performed on these components, including understanding where Splunk configurations reside, safely editing configuration files under the local directory, and enabling Splunk Web over SSL by modifying web.conf. The lecture explains why default configurations should never be edited, how configuration stanzas work, and when a full Splunk restart is required for changes to take effect. By the end, you’ll have operational Heavy Forwarder and Deployment Server instances, ready for secure data forwarding, centralized app management, and enterprise-scale Splunk administration.
In this lecture, you’ll learn how to enable SSL (HTTPS) on Splunk Enterprise instances to secure communication between users and Splunk Web. The session demonstrates an alternate, CLI-based method of enabling SSL by safely editing configuration files rather than using the web interface.
You’ll walk through locating the correct configuration paths, creating and modifying the web.conf file under the system/local directory, and understanding Splunk configuration syntax, stanzas, and parameters. The lecture explains why default configuration files should never be edited, how to validate changes against default settings, and when a full Splunk restart is required. You’ll also see how Splunk uses self-signed certificates by default and how HTTPS access is verified after a restart. A practitioner's caveat: a self-signed certificate encrypts the session but does not prove the server's identity and will trigger browser warnings, so replace it with a certificate issued by your organization's CA before exposing Splunk Web to users. By the end, you’ll be able to confidently secure Splunk Web using SSL as part of enterprise-ready Splunk administration.
In this lecture, you’ll learn the fastest and simplest way to enable HTTPS on Splunk Enterprise using the Splunk Command Line Interface (CLI). Building on the previous methods—Splunk Web and configuration file edits—this session focuses on enabling SSL with a single CLI command.
You’ll see how to invoke the Splunk utility, run the enable web-ssl command, authenticate as the Splunk admin user, and restart the service for changes to take effect. The lecture concludes by verifying HTTPS access and summarizing all three supported methods for enabling SSL. By the end, you’ll know when and why to use the CLI approach for quick, reliable SSL enablement in enterprise Splunk environments.
In this lecture, you’ll gain a clear foundational understanding of how data is stored and managed in Splunk. The session explains the core concepts of index, indexes, indexer, and indexing, and how they work together inside a Splunk environment.
You’ll learn how raw data is broken into events, timestamped, processed, and stored in indexes, as well as the role of the indexer in receiving data from forwarders and serving search requests. The lecture also walks through default and custom indexes, the physical storage location of index data ($SPLUNK_HOME/var/lib/splunk), and how different indexes (Windows, Linux, audit, internal) are organized. By the end, you’ll understand how indexing works internally and why it’s critical for efficient storage management and fast search performance in Splunk.
In this lecture, you’ll learn how to configure a Splunk Indexer to receive incoming data from Universal Forwarders and Heavy Forwarders using Splunk Enterprise. The session explains the role of an indexer in the Splunk architecture and why enabling a receiver is the first and most critical step in indexer configuration.
You’ll walk through the process of enabling data receiving via the Splunk Web interface by configuring a listening port (such as the default 9997), verifying that the indexer is actively listening, and understanding how multiple ports can be used if needed. The lecture also highlights key considerations such as port conflicts and architectural best practices. By the end, you’ll have a functional indexer ready to accept data from forwarders in a real-world Splunk deployment.
In this lecture, you’ll learn how to enable data receiving on a Splunk Indexer using two advanced approaches in Splunk Enterprise—the Splunk CLI and direct configuration file edits. This builds on the earlier GUI-based method and helps you understand what happens behind the scenes.
You’ll see how to use the Splunk utility to enable a receiver on port 9997, verify that the indexer is listening for Splunk data, and confirm the change in Splunk Web. The lecture then demonstrates how to achieve the same result by editing the inputs.conf file under the system/local directory, adding the appropriate receiving stanza, and restarting Splunk. By the end, you’ll understand all three methods of enabling a receiver, know which configuration files are affected, and be confident choosing the right approach for different enterprise scenarios.
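The port-conflict check mentioned above, as an added example that is not the course's code: it parses the output of `ss -ltn` (a constructed sample is embedded, in which something already holds 9997), refuses ports that are either bound or among the well-known Splunk defaults on the same host, proposes the next free port, and renders the `[splunktcp://<port>]` stanza that the receiver needs in system/local/inputs.conf. The reserved-port table is a set of common Splunk defaults and is an assumption to verify against your own deployment.

```python
"""Check that a receiving port is free before enabling a Splunk receiver.

Added example, not the course's code. SS_SAMPLE is a constructed
`ss -ltn` transcript; SPLUNK_DEFAULT_PORTS lists common Splunk defaults
and should be checked against your environment.
"""
import re

# Constructed sample: a leftover process already holds 9997 on this host.
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      128          0.0.0.0:8089       0.0.0.0:*
LISTEN 0      128             [::]:8000          [::]:*
LISTEN 0      4096         0.0.0.0:9997       0.0.0.0:*
"""

SPLUNK_DEFAULT_PORTS = {
    8000: "Splunk Web",
    8089: "management port (splunkd)",
    8191: "KV store",
    9887: "indexer cluster replication",
}

# "LISTEN <recv-q> <send-q> <addr>:<port> ..." ; the address may be [::] or 0.0.0.0
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s")


def listening_ports(ss_output):
    """Set of TCP ports currently in LISTEN state according to `ss -ltn` output."""
    ports = set()
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def receiver_stanza(port):
    """The inputs.conf stanza a receiving indexer needs (what `splunk enable listen` writes)."""
    return f"[splunktcp://{port}]\ndisabled = 0\n"


def check_receiver_port(port, ss_output, splunk_ports=SPLUNK_DEFAULT_PORTS):
    """Decide whether `port` can be used for receiving; suggest an alternative if not."""
    if not 1024 <= port <= 65535:
        raise ValueError("receiving port must be an unprivileged TCP port")
    in_use = listening_ports(ss_output)
    reason = None
    if port in splunk_ports:
        reason = f"reserved for {splunk_ports[port]}"
    elif port in in_use:
        reason = "already bound by another listener"
    if reason is None:
        return {"port": port, "ok": True, "reason": None, "stanza": receiver_stanza(port)}
    alt = port + 1
    while alt in in_use or alt in splunk_ports:
        alt += 1
    return {"port": port, "ok": False, "reason": reason, "suggested": alt}


if __name__ == "__main__":
    print(check_receiver_port(9997, SS_SAMPLE))
    print(check_receiver_port(9998, SS_SAMPLE))
```

On a live indexer, capture the listener table with `ss -ltn` and pass the text in; after `splunk enable listen 9997` and a restart, the same parser should show 9997 bound by splunkd, which is the verification step the lecture describes.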
In this lecture, you’ll learn one of the most fundamental concepts of Splunk—the Default Index. The session explains what an index is, how Splunk stores ingested data, and what happens when no index is explicitly defined during data input.
You’ll understand why Splunk automatically sends data to the main index by default, how to identify default and internal indexes, and the purpose of indexes that start with an underscore. The lecture also introduces index design best practices, including creating custom indexes for operating systems, applications, or teams to enable data segregation and access control. By the end, you’ll clearly understand how the default index works and how thoughtful index planning supports scalable and secure Splunk environments.
In this lecture, you’ll learn how to create indexes on a Splunk Indexer using two commonly used methods in Splunk Enterprise—Splunk Web and the Splunk CLI. The session begins with creating an index through the Splunk Web interface, where you define the index name and basic storage limits while keeping advanced settings for later discussions.
You’ll then move to a command-line approach by creating indexes using the Splunk utility, understanding required permissions, authentication, and how to set index size directly from the CLI. The lecture also introduces the configuration-based method using indexes.conf, setting the stage for deeper discussions on index paths and storage management. By the end, you’ll be comfortable creating and managing indexes using both GUI and CLI approaches in real-world Splunk environments.
In this lecture, you’ll learn how to create and manage indexes by editing configuration files directly in Splunk Enterprise. Building on index creation via Splunk Web and CLI, this session focuses on the third and most powerful method—using the indexes.conf file.
You’ll understand where index configurations are stored, why indexes.conf controls index creation, size, and storage paths, and how to safely add new indexes under the system/local directory. The lecture walks through copying a sample index stanza, defining home, cold, and thawed paths, setting size limits, and verifying index creation after a restart. You’ll also see where index data is physically stored on disk under Splunk’s default database location. By the end, you’ll be confident creating and validating indexes through configuration edits—an essential skill for enterprise and clustered Splunk environments.
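The indexes.conf stanza described above (home, cold and thawed paths under `$SPLUNK_DB`, plus a size cap), generated rather than hand-copied, as an added example that is not the course's code. It also applies the index naming rule the course's earlier lecture on the default index alludes to: names are lowercase letters, digits, underscore and hyphen, and a leading underscore is reserved for Splunk's internal indexes. The disk-budget check and the 90-day retention figure are illustrative assumptions.

```python
"""Generate validated indexes.conf stanzas.

Added example, not the course's code. The naming rule follows Splunk's
documented restriction on index names; the budget check and sample sizes
are assumptions for illustration.
"""
import re

# Lowercase letters, digits, '_' and '-'; may not start with '_' or '-'.
INDEX_NAME = re.compile(r"^[a-z0-9][a-z0-9_-]*$")
SECONDS_PER_DAY = 86_400


def validate_index_name(name):
    """Raise ValueError for names Splunk would reject or that collide with internal indexes."""
    if name.startswith("_"):
        raise ValueError(f"{name!r}: a leading underscore is reserved for Splunk's internal indexes")
    if not INDEX_NAME.match(name):
        raise ValueError(f"{name!r}: use only lowercase letters, digits, '_' and '-', "
                         "and do not start with '_' or '-'")
    return name


def index_stanza(name, max_total_mb, *, base="$SPLUNK_DB", retention_days=None):
    """One [index] stanza with the conventional db/colddb/thaweddb layout under base."""
    validate_index_name(name)
    lines = [
        f"[{name}]",
        f"homePath = {base}/{name}/db",
        f"coldPath = {base}/{name}/colddb",
        f"thawedPath = {base}/{name}/thaweddb",
        f"maxTotalDataSizeMB = {int(max_total_mb)}",
    ]
    if retention_days is not None:
        # Buckets older than this are frozen (deleted unless a frozen path is set).
        lines.append(f"frozenTimePeriodInSecs = {int(retention_days) * SECONDS_PER_DAY}")
    return "\n".join(lines) + "\n"


def render_indexes_conf(specs, disk_budget_mb=None):
    """specs: {name: (max_total_mb, retention_days)}. Refuse to over-commit the disk."""
    total = sum(mb for mb, _ in specs.values())
    if disk_budget_mb is not None and total > disk_budget_mb:
        raise ValueError(f"index caps total {total} MB, exceeding the {disk_budget_mb} MB budget")
    return "\n".join(index_stanza(n, mb, retention_days=d) for n, (mb, d) in specs.items())


if __name__ == "__main__":
    # Constructed sample: one index per operating-system family, as the course suggests.
    print(render_indexes_conf({"os_linux": (50_000, 90), "os_windows": (80_000, 90)},
                              disk_budget_mb=200_000))
```

Summing `maxTotalDataSizeMB` against the volume is a crude but useful sanity check: Splunk enforces each cap independently, so a set of individually sensible caps can still add up to more disk than the indexer has.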
In this lecture, you’ll learn how to configure a Splunk Enterprise instance as a Search Head using Splunk Web. The session explains the role of the Search Head and why it is the next key component to configure after indexers are ready to receive and store data.
You’ll walk through adding indexers as search peers via the Distributed Search settings, providing the indexer’s host or IP address, management port, and authentication details. The lecture also explains how Splunk establishes secure communication and validates successful connectivity. Finally, you’ll verify the setup by running searches in the Search & Reporting app and querying the _internal index to confirm data retrieval from connected indexers. By the end, you’ll have a fully functional Search Head configured through the Splunk Web interface and ready for enterprise searches and reporting.
In this lecture, you’ll learn how to configure a Splunk Search Head using the Splunk CLI, without relying on the web interface. Building on the previous lecture, where configuration was done via Splunk Web, this session demonstrates how the same setup can be achieved through command-line operations in Splunk Enterprise.
You’ll walk through adding an indexer as a search peer using the Splunk add search-server command, understand required authentication, and see how the Search Head establishes communication with the indexer over the management port. The lecture also shows how to verify the configuration by refreshing peer status and confirms that the Search Head is ready to retrieve data from connected indexers. By the end, you’ll be comfortable configuring distributed search using the CLI—an essential skill for automation and large-scale Splunk deployments.
In this lecture, you’ll learn how to configure a Splunk Heavy Forwarder to send data to an Indexer using both Splunk Web and the Splunk CLI in Splunk Enterprise. The session explains the role of a Heavy Forwarder and how it differs from other Splunk components in handling and routing data.
You’ll first see how to configure forwarding from the Heavy Forwarder using the Splunk CLI with the add forward-server command, specifying the indexer IP and receiving port (9997). The lecture then demonstrates how these changes are reflected in the Splunk Web interface, helping you understand the link between CLI actions and underlying configurations. By the end, you’ll be comfortable configuring Heavy Forwarders using both Web and CLI methods—an essential skill for managing data flow in enterprise Splunk architectures.
In this lecture, you’ll learn how to configure a Splunk Heavy Forwarder by editing configuration files directly, giving you full control over how data is forwarded in an enterprise Splunk environment. This method is essential for large deployments where centralized, repeatable configuration is required.
You’ll understand the role of outputs.conf, how it differs from inputs.conf, and how Splunk uses it to send data out of an instance. The lecture walks through creating TCP output stanzas, defining forwarding groups, adding one or more indexers, and configuring destination ports. You’ll also see how changes take effect after a restart and how the configuration appears in Splunk Web. By the end, you’ll be confident configuring Heavy Forwarders using configuration file edits—an essential skill for scalable and production-grade Splunk architectures.
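A validator for the outputs.conf described above, as an added example that is not the course's code: it parses a constructed Heavy Forwarder outputs.conf, resolves the `defaultGroup` to its `[tcpout:<group>]` stanza, checks every `server` entry is `host:port`, and flags the two mistakes that silently lose data in practice, a group with a single indexer and `useACK` left off. The sample indexer addresses are constructed.

```python
"""Validate a Splunk outputs.conf before restarting the forwarder.

Added example, not the course's code. OUTPUTS_SAMPLE is a constructed
configuration with made-up indexer addresses.
"""
import configparser

OUTPUTS_SAMPLE = """[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 10.0.1.11:9997, 10.0.1.12:9997
useACK = true
"""


def parse_conf(text):
    """Splunk .conf text -> {stanza: {key: value}} with case preserved."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def validate_outputs(text):
    """Resolve the default tcpout group and report anything that would break forwarding."""
    conf = parse_conf(text)
    issues, servers = [], []
    default = conf.get("tcpout", {}).get("defaultGroup")
    if not default:
        issues.append("[tcpout] has no defaultGroup; nothing is forwarded by default")
        return {"group": None, "servers": servers, "issues": issues}
    group = conf.get(f"tcpout:{default}")
    if group is None:
        issues.append(f"defaultGroup '{default}' has no [tcpout:{default}] stanza")
        return {"group": default, "servers": servers, "issues": issues}
    for entry in group.get("server", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
            issues.append(f"bad server entry {entry!r}: expected host:port")
            continue
        servers.append((host, int(port)))
    if not servers:
        issues.append(f"[tcpout:{default}] lists no valid indexers")
    elif len(servers) < 2:
        issues.append("only one indexer in the group: no failover if it goes down")
    if len(set(servers)) != len(servers):
        issues.append("duplicate server entries in the group")
    if group.get("useACK", "false").lower() != "true":
        issues.append("useACK is off: the forwarder will not wait for indexer acknowledgement")
    return {"group": default, "servers": servers, "issues": issues}


if __name__ == "__main__":
    print(validate_outputs(OUTPUTS_SAMPLE))
```

Run it on `$SPLUNK_HOME/etc/system/local/outputs.conf` before the restart the lecture calls for; an empty `issues` list means the forwarder will load-balance across the listed indexers and wait for acknowledgement before discarding its send queue.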
In this lecture, you’ll learn how to configure a Deployment Server in Splunk Enterprise and understand its role in centrally managing apps and configurations across multiple Splunk instances. The session begins with a clear explanation of what a Deployment Server is and why it’s critical for large-scale and enterprise Splunk environments.
You’ll explore the Splunk Web interface to understand where Deployment Server–related features appear, including the Forwarder Management section, and why core Deployment Server functionality is not fully enabled through the Web UI alone. The lecture clarifies the limitations of Web-based configuration and sets the foundation for enabling Deployment Server functionality using the correct configuration approach. By the end, you’ll have a strong conceptual understanding of how Deployment Servers work and what is required to activate and manage them correctly in enterprise Splunk architectures.
In this lecture, you’ll learn how to configure a Splunk Deployment Server by editing configuration files directly, which is the only supported method to enable deployment server functionality in Splunk Enterprise. The session walks through converting a standard Splunk instance into a Deployment Server by creating the critical serverclass.conf file.
You’ll see where to place serverclass.conf under the system/local directory, understand the purpose of the global stanza, and learn how server classes act as logical groups for managing and deploying apps to clients. After restarting Splunk, you’ll observe how the Splunk Web interface changes to reflect Deployment Server capabilities, including server classes and deployment management views. By the end of this lecture, you’ll understand how Deployment Servers are enabled, why configuration edits are required, and how this setup forms the foundation for centrally managing forwarders and other Splunk instances in enterprise environments.
In this lecture, you’ll learn how to add and manage forwarder clients from a Deployment Server using the Splunk CLI in Splunk Enterprise. The session explains what a forwarder client name is, why Splunk assigns a default GUID, and why it’s a best practice to configure meaningful client names in real-world environments.
You’ll walk through connecting a Universal Forwarder to the Deployment Server using the set deploy-poll command, understand required prerequisites such as service status and port connectivity, and restart the forwarder to apply changes. By the end of this lecture, you’ll be able to onboard forwarders as deployment clients, identify them easily in the Deployment Server, and lay the groundwork for centralized app and configuration management across your Splunk environment.
In this lecture, you’ll learn how to configure a Splunk License Manager in Splunk Enterprise and upload licenses to your Splunk environment. The session demonstrates using an existing Splunk instance—such as a Deployment Server—to act as the central License Manager.
You’ll walk through obtaining a Splunk Enterprise Developer License, understand its limits and validity, and download it from the Splunk Developer Portal. The lecture then covers uploading the license through Splunk Web, installing it, restarting Splunk, and verifying license status. By the end, you’ll know how to set up and manage licenses correctly, ensuring your Splunk environment runs within compliance and is ready for development or enterprise use.
In this lecture, you’ll learn how license pools work in Splunk Enterprise and how to assign license usage to specific Splunk components. Building on the License Manager setup, the session explains how to logically divide a single license into multiple pools and allocate data ingestion limits to different groups of indexers or sites.
You’ll see how to create license pools, assign indexers to specific pools, and control daily ingestion limits for each group. The lecture also demonstrates configuring indexers to report to a central License Manager, restarting instances, and verifying license reporting and consumption. By the end, you’ll understand how to manage license usage centrally, track data consumption accurately, and ensure your Splunk environment stays compliant and scalable across multiple components.
In this lecture, you’ll learn how to upload data into Splunk after installation and core configuration. The session focuses on post-installation tasks commonly performed by Splunk administrators, using a hands-on approach in an AWS-based setup with Search Head, Indexer, and Universal Forwarder.
You’ll walk through uploading sample data using the Add Data option in Splunk Web, understand source type detection, host assignment, and index selection, and see how Splunk parses and indexes data instantly. The lecture also explains when manual uploads are appropriate (testing, troubleshooting, field extraction validation) and why Universal Forwarders are recommended for continuous, large-scale data ingestion. By the end, you’ll be able to upload test data confidently and analyze how Splunk breaks events, extracts fields, and prepares data for searching and reporting.
In this lecture, you’ll learn how to ingest data into Splunk using configuration file edits, which is the most common and scalable approach used in real-world environments. The session focuses on collecting logs through a Universal Forwarder by configuring the inputs.conf file to continuously monitor files and directories.
You’ll walk through editing inputs.conf to define monitored paths, restarting the Universal Forwarder, and verifying that data is successfully forwarded and indexed. The lecture also demonstrates how to validate incoming data from the Search Head, apply host filters, and confirm event flow over time. By the end, you’ll understand how configuration-based data onboarding works and why it’s preferred for continuous, production-grade log collection across enterprise systems.
In this lecture, you’ll learn how to add data inputs using the Splunk CLI, a fast and automation-friendly method in Splunk Enterprise. This approach is especially useful when working on servers where GUI access is limited or when scripting configurations.
You’ll walk through using the splunk add monitor command to configure Splunk to continuously monitor a directory for log files, understand why elevated permissions are required, and see how Splunk immediately begins indexing data from the specified path. The lecture also covers restarting Splunk to apply changes and verifying that data is successfully ingested. By the end, you’ll be comfortable adding data inputs through the CLI—an essential skill for managing Splunk in real-world and automated environments.
In this lecture, you’ll learn how to validate that data has been successfully onboarded into Splunk after ingestion. The session reviews the different methods used to bring data into Splunk—manual upload via Splunk Web, continuous collection using Universal Forwarders (via configuration files and CLI), and an overview of deployment server–based data collection.
You’ll then focus on verifying ingested data using basic search techniques, applying filters such as index, host, and sourcetype to confirm data visibility. The lecture also explains how to evaluate event parsing and field extraction to ensure logs are structured correctly for analysis. By the end, you’ll be able to confidently validate data ingestion, identify parsing issues, and confirm that your Splunk environment is ready for accurate searching, reporting, and analytics.
In this lecture, you’ll learn how to enrich and normalize data in Splunk by properly configuring source, sourcetype, and host—three critical metadata fields that drive effective searching and analysis. The session explains why meaningful values are essential and how poorly named defaults can limit visibility and usability.
You’ll see how sourcetype represents the technology or application generating logs, how it’s used extensively as a search filter, and when to define or rename it during data onboarding or at index time. The lecture then demonstrates editing inputs.conf on a Universal Forwarder to set custom host, sourcetype, and source values, restarting the forwarder, and validating changes by generating new events and searching in Splunk. By the end, you’ll be able to standardize metadata for cleaner searches, better filtering, and more meaningful analytics across your Splunk environment.
In this lecture, you’ll gain a clear understanding of the source field in Splunk and how it differs from sourcetype. The session explains how the source parameter traditionally represents the file path or location of logs, and why relying only on raw paths is often not meaningful for analysis.
You’ll learn how the source field can be repurposed to describe how data is collected—such as via scripts, APIs, performance monitoring, or specific log categories—making searches more intuitive and efficient. Using real examples from Windows logs collected through a Universal Forwarder, the lecture shows how meaningful source values improve visibility and context. It also introduces how the source parameter can be customized through inputs.conf during data onboarding. By the end, you’ll know how to use the source field effectively to enrich data and simplify Splunk searches.
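The inputs.conf edits described across the forwarder onboarding and metadata lectures above, pulled together as an added example that is not part of the course material; the file paths, index names, host, sourcetype and source values are assumed:

```ini
# Added example (not the course's own files). Universal Forwarder inputs.conf,
# placed under $SPLUNK_HOME/etc/system/local/ on the forwarder. Paths, index
# names, host, sourcetype and source values are assumptions for illustration.

# Continuous monitoring of one file with explicit metadata, so searches filter
# on index=, host= and sourcetype= instead of on raw file paths.
[monitor:///var/log/nginx/access.log]
disabled = 0
index = web
sourcetype = nginx:access
host = web01
# Repurpose "source" to say how the data is collected (as the lecture
# suggests) rather than leaving the default file path.
source = nginx_access

# Monitoring a whole directory; the forwarder picks up new files on its own.
# whitelist/blacklist are regexes applied to the full path: keep rotated
# .log files, skip compressed archives that would otherwise be re-ingested.
[monitor:///var/log/app/]
disabled = 0
index = app
sourcetype = myapp:json
whitelist = \.log(\.\d+)?$
blacklist = \.gz$

# Apply the change on the forwarder:   $SPLUNK_HOME/bin/splunk restart
# CLI equivalent of the second stanza (writes the same file for you):
#   splunk add monitor /var/log/app -index app -sourcetype myapp:json
# Verify on the search head:           index=app host=web01 | head 20
```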
In this lecture, you’ll learn how to extract custom fields in Splunk using the Interactive Field Extractor (IFX). The session explains why field extraction is essential for converting raw log data into searchable, meaningful fields and how IFX provides a simple, UI-based way to do this without writing regular expressions.
You’ll explore how to access IFX from the Search & Reporting app, select the correct sourcetype, and create field extractions using delimiters on structured logs such as access logs. The lecture also covers naming fields, testing extractions, and controlling field visibility (user, app, or global). By the end, you’ll be able to quickly create and validate custom fields using IFX—an ideal starting point before moving on to regex-based extraction methods.
In this lecture, you’ll learn how to extract fields using the REX command in Splunk, a powerful search-time method based on regular expressions. Building on the IFX approach, this session shows how REX allows you to dynamically create fields directly within search queries—without making permanent configuration changes.
You’ll work through a practical example using access logs to extract values such as IP addresses, understand basic regex concepts, and test patterns using tools like regex testing websites. The lecture also explains when REX-based fields are temporary, how they can be refined during analysis, and how they later translate into permanent extractions using props.conf and transforms.conf. By the end, you’ll be comfortable using REX for flexible, on-the-fly field extraction in Splunk searches.
In this lecture, you’ll learn how to add custom field extractions directly into a Splunk search using the REX command. The session explains the full regex-based field definition—beginning condition, named capture group, matching pattern, and ending condition—and how these work together to extract fields like IP addresses from raw logs.
You’ll walk through building a complete regex, applying it with rex in a search, validating extracted fields, and using them in downstream commands such as stats and geolocation analysis. By the end, you’ll be able to create powerful, search-time fields and immediately use them for aggregations, visualizations, and deeper insights—turning raw data into actionable intelligence.
In this lecture, you’ll learn how to search data using regular expressions in Splunk to precisely filter events. Building on REX-based field extraction, this session focuses on using regex patterns directly in searches to match specific strings and behaviors within logs.
You’ll work through practical examples—such as matching actions like add to cart—using regex constructs to capture partial or variable text patterns. The lecture demonstrates how regex-based searching helps identify relevant events even when exact field values aren’t available. By the end, you’ll be able to use regex searches confidently to narrow down large datasets and find meaningful events quickly in Splunk.
In this lecture, you’ll learn how to make field extractions permanent in Splunk using the props.conf EXTRACT method. Building on IFX and REX-based extractions, this session focuses on creating reusable fields that are available to all users for searches, dashboards, and visualizations.
You’ll walk through editing props.conf under the system/local directory, defining the correct sourcetype, and applying a regex-based EXTRACT stanza to permanently capture fields such as IP addresses. The lecture also covers how to apply changes using a reload or restart and how to verify that extracted fields appear automatically in searches. By the end, you’ll understand how to transition from ad-hoc field extraction to production-ready, shared knowledge objects in Splunk.
In this lecture, you’ll learn how to create permanent field extractions using the Reports and Transforms method (props.conf REPORT settings backed by transforms.conf) through the Splunk Web interface. The session demonstrates using the Field Extractions workflow to define regex-based extractions without manually editing configuration files.
You’ll see how Splunk internally maps these UI-driven actions to props.conf and transforms.conf, achieving the same result as manual configuration but in a more guided way. By the end, you’ll understand how to use the Web GUI to create reusable, production-ready field extractions that are available across searches, reports, and dashboards.
In this lecture, you’ll learn where and how to place props.conf (and related transforms.conf) files in Splunk for effective field extraction deployment. The session explains why configuration location matters and how improper placement can affect visibility and behavior.
You’ll understand the difference between system/local and app/local directories, when to use each, and how these locations control scope and precedence. The lecture also clarifies object sharing—how extractions are private by default and how they can be made available to all users. By the end, you’ll know where to deploy props.conf so field extractions work reliably today and scale cleanly with Deployment Server–based management later.
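The permanent extractions described in the REX, EXTRACT, REPORT and placement lectures above, written out as one added example that is not from the course; the app name, sourcetype, field names and log layout (an nginx-style access log) are assumptions:

```ini
# Added example (not the course's own files). Search-time field extraction
# for an assumed "nginx:access" sourcetype, deployed inside an app so it is
# shared by all users and survives upgrades:
#   $SPLUNK_HOME/etc/apps/web_knowledge/local/props.conf
#   $SPLUNK_HOME/etc/apps/web_knowledge/local/transforms.conf
#   $SPLUNK_HOME/etc/apps/web_knowledge/metadata/local.meta
# App name, field names and the log format are assumptions.

# --- props.conf ---
[nginx:access]
# EXTRACT method: the regex lives here, one setting per extraction class.
# Beginning condition (^ = start of event), named capture group for the
# client IP, ending condition (the following whitespace).
EXTRACT-client_ip = ^(?<client_ip>\d{1,3}(?:\.\d{1,3}){3})\s
# Several named groups in one regex: the quoted request line.
EXTRACT-request = "(?<http_method>[A-Z]+)\s(?<uri_path>\S+)\sHTTP/(?<http_version>[\d.]+)"
# REPORT method: the regex is kept in transforms.conf so it can be reused by
# other sourcetypes. This is what the Web GUI extraction workflow writes.
REPORT-status_bytes = nginx_status_bytes

# --- transforms.conf ---
[nginx_status_bytes]
# Status code and response size follow the closing quote of the request line.
REGEX = "\s(\d{3})\s(\d+|-)
FORMAT = status::$1 bytes::$2

# --- metadata/local.meta ---
# Objects in an app are app-scoped by default; export them to every app so
# the fields appear in any search, not only inside web_knowledge.
[props]
export = system

# Pick up the change without a full restart:   | extract reload=true
# Then check:  sourcetype=nginx:access | stats count by client_ip, status
```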
In this lecture, you’ll learn how to create and manage Event types in Splunk, a powerful way to categorize and standardize events using saved search expressions. The session explains what event types are, why they are essential for clean dashboards, alerts, CIM onboarding, and tagging, and where they are stored in the Splunk file system.
You’ll walk through creating an event type from a search, using it to retrieve results with a simple eventtype= filter, and exploring default and custom event types in Splunk settings. The lecture also covers permissions and sharing, showing how to control visibility (private vs global), assign read or write access, and manage event types across apps and user roles. By the end, you’ll be able to build reusable, well-governed event types that improve consistency and collaboration in enterprise Splunk environments.
In this lecture, you’ll explore a practical use case of Event types in Splunk by categorizing HTTP access logs based on response status codes. The session demonstrates how to create an event type for non-successful HTTP responses, such as status!=200, to quickly identify error or exception scenarios.
You’ll see how saving this condition as an event type allows you to retrieve matching events instantly without rewriting the full search query. The lecture also shows how multiple event types can appear in results, helping you analyze patterns and trends more efficiently. By the end, you’ll understand how event types simplify recurring searches, improve readability, and support real-world monitoring and troubleshooting use cases in Splunk.
In this lecture, you’ll learn how to create and use Tags in Splunk to enrich and normalize your data. The session explains what tags are, why they’re critical for CIM, SIEM, dashboards, and correlation searches, and how they simplify complex SPL queries.
You’ll explore what can be tagged in Splunk—field values, event types, hosts, and source types—and then walk through a hands-on lab to create tags using previously defined event types. The lecture demonstrates assigning multiple meaningful tags, organizing logs by behavior (success, error, application type), and understanding how tags add business and operational context. By the end, you’ll be able to use tags effectively to improve searchability, standardization, and analytics across your Splunk environment.
In this lecture, you’ll learn how to manually create tags in Splunk without relying on event types. Building on the previous tagging approach, this session shows how tags can be defined directly using field–value pairs.
You’ll walk through creating tags from the Tags settings, assigning them based on conditions such as sourcetype and source, and validating them through searches. The lecture also demonstrates how manually created tags appear in selected fields and how they can be used to filter results quickly. By the end, you’ll understand how to create flexible, rule-based tags that add meaningful context and improve search efficiency across your Splunk environment.
In this lecture, you’ll learn how to create, manage, and use lookups in Splunk to enrich event data with external context. The session explains lookup concepts, lookup definitions, and the difference between static CSV-based lookups and dynamic enrichment.
You’ll walk through uploading a CSV lookup file, setting permissions, and mapping fields to enrich events using the lookup command. The lecture demonstrates adding new attributes (like product name, price, and codes) to existing logs and using them in searches and analytics (e.g., top product_name). By the end, you’ll be able to enhance raw events with business context and unlock deeper insights using lookups in Splunk.
In this lecture, you’ll learn how to create, use, and manage search macros in Splunk to simplify complex and repetitive SPL queries. The session explains what macros are, why they are used, and how they help standardize searches across dashboards, reports, and alerts.
You’ll walk through creating a macro from an existing search using the Splunk Web interface, setting permissions to share it with other users, and invoking the macro in searches using backticks. The lecture also shows where macros are stored (macros.conf) and how they work behind the scenes. By the end, you’ll be able to build reusable, maintainable search logic that improves efficiency and consistency in real-world Splunk environments.
In this lecture, you’ll learn how to search data effectively in Splunk and understand how different search modes impact speed and results. The session covers basic and targeted searches using indexes, hosts, and fields, along with practical filtering using wildcards, logical operators (AND, OR, NOT), comparisons, and exclusions.
You’ll also see faster ways to refine searches by clicking field values, validating onboarded data, and choosing the right approach for investigations, dashboards, and reporting. By the end, you’ll be confident in building precise searches and navigating Splunk’s search modes to retrieve insights efficiently.
In this lecture, you’ll learn how to create and manage alerts in Splunk for real-time monitoring and proactive response. The session walks through building an alert from a search query, choosing between scheduled and real-time alerts, and defining trigger conditions based on returned results.
You’ll explore alert actions such as email notifications and automated responses, apply throttling to avoid alert fatigue, and configure permissions for private or shared visibility. Using a practical example (HTTP 4xx/5xx errors), the lecture also demonstrates enriching alerts with lookups and summarizing results with stats. By the end, you’ll be able to design effective alerts that notify the right teams at the right time.
In this lecture, you’ll learn how to define alert conditions and manage alert sharing in Splunk. The session walks through building alert logic using search results (such as product-based statistics), setting trigger conditions, and deciding when an alert should fire.
You’ll explore alert scheduling, throttling to suppress duplicate alerts, and alert actions like logging events, running scripts, and sending email notifications. The lecture also covers permissions and sharing, showing how to make alerts private, app-specific, or global, and how to control read/edit access for different roles. By the end, you’ll be able to create actionable alerts that notify the right users while avoiding alert fatigue.
In this lecture, you’ll learn how to edit, manage, and extend alerts in Splunk after they’ve been created. The session shows where alerts are located, how to open and review the underlying search query, and how to enable, disable, or reschedule alerts based on priority and use case.
You’ll also explore alert actions—adding multiple actions to a single alert such as sending emails, logging triggered events, or running scripts. The lecture covers changing alert frequency (real-time vs scheduled), setting priorities, and invoking scripts stored in the appropriate Splunk directories. By the end, you’ll be able to fine-tune alerts to match operational needs and automate responses effectively.
In this lecture, you’ll learn how to create, schedule, and share reports in Splunk using saved searches. The session covers building the right search query, saving it as a report, and scheduling execution with Cron so insights are generated automatically.
You’ll explore report actions (email delivery, exports, webhooks), report acceleration for faster performance on large datasets, and options to embed reports in external apps. The lecture also explains permissions (private, app-level, global) and emailing reports as PDFs for stakeholders. A practical example shows creating a monthly report (e.g., top client IPs with geo-enrichment) to deliver actionable insights on a schedule.
In this lecture, you’ll learn how to schedule reports and enable report acceleration in Splunk for timely delivery and faster performance. The session walks through saving a finalized search as a report, setting titles and descriptions, choosing time ranges, and scheduling execution (e.g., monthly on a specific day and time) with priorities and run windows.
You’ll also configure report actions such as emailing results (PDF or inline), understand why scheduled reports don’t show results until they run, and manage permissions. Finally, the lecture explains report acceleration—how Splunk pre-computes summaries over a defined range (e.g., last 3 months) to significantly speed up report loading and analysis.
In this lecture, you’ll learn how to embed Splunk reports into external applications. The session explains the prerequisite of scheduling a report and shows how to adjust the schedule (e.g., every 2 minutes) for testing embedded outputs.
You’ll walk through enabling embedding, copying the URL or iframe code, and validating the embed using a test environment. The lecture demonstrates how the same report output rendered in Splunk can be displayed seamlessly in websites or third-party apps using an iframe—making Splunk insights accessible beyond the Splunk UI.
In this lecture, you’ll learn how to design, build, and manage dashboards in Splunk to visualize and monitor data effectively. The session starts with creating meaningful search queries and converting them into dashboard panels using charts, tables, and visualizations such as bar charts, line charts, and pie charts.
You’ll explore multiple ways to add panels—directly from search results or through dashboard edit mode—along with adjusting layouts and visual settings. The lecture also covers viewing and editing dashboard source (XML/JSON), scheduling dashboard refreshes, exporting dashboards (PDF), and managing permissions for private, app-level, or global sharing. A hands-on demo walks through building a real dashboard use case (e.g., top visitors by country using IP location) to turn raw data into actionable insights.
In this lecture, you’ll learn how to add multiple panels to an existing dashboard in Splunk and reuse visualizations efficiently. The session demonstrates creating different visualizations—such as column charts, bar charts, and pie charts—from search results and saving them directly to an existing dashboard.
You’ll also see how panels can be added from saved searches or reports, allowing you to build dashboards faster without rewriting queries. By the end of this lecture, you’ll be able to enhance dashboards with multiple visual panels, refresh and organize them effectively, and create richer, more insightful Splunk dashboards.
In this lecture, you’ll learn how to create a complete dashboard from scratch in Splunk. The session walks you through building a dashboard with multiple panels, using different visualization types such as time charts, tables, pie charts, bar charts, and single-value metrics.
You’ll understand two practical ways to add panels—directly from the Search bar and through the Dashboard Edit mode—so you can choose the most efficient workflow. The lecture also explains how to view and understand the dashboard source (XML/JSON) for advanced customization, how to schedule dashboards for automated PDF delivery, export dashboards, and share them securely using Splunk permissions.
In this lecture, you’ll learn how to configure dashboard drilldowns in Splunk to make dashboards interactive and user-driven. The session explains the prerequisites for enabling drilldowns and demonstrates how to capture user interactions from charts and tables.
You’ll walk through configuring drilldown actions, passing values using tokens, and redirecting users to detailed searches or other dashboards. By the end of this lecture, you’ll understand how drilldowns allow users to seamlessly navigate from high-level visualizations to deeper insights—turning static dashboards into powerful investigative tools.
In this lecture, you’ll learn how to customize Splunk dashboards by directly editing their underlying SimpleXML. Starting from an existing dashboard, the session explains the full XML structure—covering the <dashboard> root element, layout control using <row> and <panel> tags, and how visualizations are defined within panels.
You’ll see how to duplicate and modify rows, add and arrange multiple panels, and use tokens to make dashboards dynamic and interactive through user inputs. The lecture also demonstrates how option elements fine-tune chart behavior and appearance, how global dashboard settings like theme and auto-refresh are configured, and how custom JavaScript and CSS can be included for advanced styling and interactivity.
In this lecture, you’ll explore the different built-in visualization types available in Splunk and understand when and why to use each one. The session begins by showing how to access the Visualization tab after running a search, giving you a clear view of the visualization options Splunk provides.
You’ll then walk through common visualization types such as bar and column charts for comparisons, line charts for trends over time, pie charts for distribution and contribution, and bubble and range charts for analyzing multiple variables and variations. The lecture also covers meter and single-value visualizations, explaining how they are used to highlight performance, status, and key metrics at a glance.
In this lecture, you’ll learn how to build interactive and user-driven dashboards in Splunk using dashboard filters and tokens. The session explains what dashboard filters are and how input elements like time pickers, dropdowns, text boxes, and checkboxes allow users to control the data they see without editing searches.
You’ll walk through adding filters using both the dashboard Edit UI and XML source editing, understanding when each approach is most effective. The lecture clearly explains how tokens work, how filter values are stored, and how those tokens are passed into search queries, panel titles, and drilldowns to make dashboards dynamic.
In this lecture, you’ll learn how to schedule and export Splunk dashboards to automate reporting and ensure the timely delivery of insights. You’ll walk through scheduling a dashboard for PDF email delivery, selecting recipients, defining schedules and time ranges, and customizing email subjects and messages so stakeholders receive up-to-date reports automatically.
The lecture also explains how to share dashboards securely using permissions and role-based access, highlighting the differences between Private, App, and Global sharing. In addition, you’ll learn how to embed dashboards into external applications using iframe code, allowing Splunk insights to be viewed outside the Splunk interface while following security best practices.
In this lecture, you’ll learn what Splunk apps are and how they extend Splunk with dashboards, inputs, alerts, and configurations. The session explains the role of Splunkbase and why app compatibility with your Splunk version is important. You’ll also understand how apps help integrate Splunk with platforms like servers, cloud services, and security tools.
The lecture then walks through installing Splunk apps using multiple methods. You’ll see how to install apps via the Splunk Web interface, the Splunk CLI, and by manually copying files into the apps directory. The session demonstrates downloading apps from Splunkbase and handling required restarts and permissions. Finally, you’ll learn common troubleshooting steps to resolve app visibility, compatibility, and dependency issues.
In this lecture, you’ll learn what Splunk add-ons are and why they are essential for data collection and normalization. The session explains how add-ons provide inputs, field extractions, and CIM-aligned data without dashboards. You’ll also understand the importance of Splunkbase access and version compatibility before installation.
The lecture then walks through installing Splunk add-ons using multiple methods. You’ll see how to download add-ons from Splunkbase and install them via Splunk Web, the Splunk CLI, and manual file copy. The session demonstrates post-installation configuration, data verification, and permission handling. Finally, you’ll learn troubleshooting steps, log checks, and clean uninstall practices for managing add-ons in production environments.
In this lecture, you’ll learn how to manage Splunk apps and add-ons by safely disabling or completely removing them from your environment. The session explains the difference between disabling an app (keeping it installed but inactive) and deleting an app (removing it entirely), helping you understand the impact of each action.
The lecture then walks through three practical methods for disabling or deleting apps: using the Splunk Web interface, executing commands via the Splunk CLI, and working directly with the backend file system. You’ll learn when to use each method, along with important precautions, permissions, and restart requirements. By the end of this lesson, you’ll be able to confidently manage Splunk apps in both lab and production environments while minimizing risk and ensuring system stability.
In this lecture, you’ll learn how to create your own Splunk app from scratch and understand how apps are structured. The session explains what a Splunk app contains, including configuration files, dashboards, scripts, and static resources. You’ll also understand how apps extend Splunk functionality and support custom use cases.
The lecture then walks through creating a demo app using Splunk Web and exploring the app directory structure. You’ll see how folders like default, local, metadata, and static are used, along with key configuration files such as app.conf, inputs.conf, and props.conf. The session demonstrates where dashboards are stored and how they are created using XML or Dashboard Studio. Finally, you’ll learn how to deploy your custom app in standalone Splunk, via the Deployment Server, or in Splunk Cloud environments.
In this lecture, you’ll learn how to customize the Splunk login page by replacing the default Splunk logo with your own. The session explains where Splunk stores login assets and why logo customization is useful for branding and enterprise deployments. You’ll also understand the difference between changing the login background and updating the login logo.
The lecture then walks through modifying the web.conf file using the Splunk CLI. You’ll see how to place custom logo images in the correct static directory and reference them in the configuration. The session demonstrates restarting Splunk to apply changes and validating the updated login page. Finally, you’ll learn how this approach can be used to apply company branding consistently across Splunk environments.
In this lecture, you’ll learn how to effectively manage Splunk forwarders that form the backbone of data collection in large environments. The session introduces agent management and explains the role of Universal Forwarders and Heavy Forwarders. You’ll also understand why centralized management is critical to prevent data loss, misconfigurations, and operational inefficiencies.
The lecture then focuses on managing forwarders using the Deployment Server and Monitoring Console. You’ll learn how forwarders are centrally controlled and how to monitor their health and connectivity. The session explains the “phoning home” mechanism and how it keeps configurations in sync. Finally, you’ll explore server classes, targeted app deployments, and best practices for scalable agent management.
In this lecture, you’ll learn how to create and use the serverclass.conf file to control how configurations and apps are deployed to Splunk forwarders. The session introduces the role of serverclass.conf in the Deployment Server and explains how server classes define which forwarders receive specific configurations or apps. You’ll also understand why proper server class design is critical for organized, scalable, and error-free forwarder management.
The lecture then focuses on the structure of the serverclass.conf file, including defining server classes, specifying whitelist and blacklist rules, and mapping apps to target forwarders. You’ll learn how forwarders match server classes during the phoning home process and how configurations are applied automatically. Finally, the session covers best practices for naming, grouping, and maintaining server classes to ensure clean deployments and efficient forwarder management in enterprise Splunk environments.
In this lecture, you’ll learn how to configure the serverclass.conf file for centralized management using the Splunk Deployment Server. The session explains how server classes are created to group systems and define deployment targets. You’ll also understand how hostnames, IP addresses, or FQDNs are used to identify deployment clients.
The lecture then walks through configuring deployment clients using the Splunk CLI. You’ll see how indexers and universal forwarders are registered to the Deployment Server using the deploy-poll command. The session explains how clients start reporting back and appear in the Forwarder Management view. Finally, you’ll understand how server classes and deployment clients work together for controlled and scalable deployments.
In this lecture, you’ll learn how applications are managed and deployed using the Splunk Deployment Server. The session explains how deployment clients, such as indexers and universal forwarders, communicate with the Deployment Server and why apps must be placed in the deployment-apps directory for centralized distribution. You’ll also understand how this setup prepares the environment for controlled and scalable application deployments.
The lecture then walks through copying an application into the Deployment Server, reloading the server, and verifying client communication. You’ll see how deployed apps are enabled or disabled, how restart options affect configuration changes, and how apps are assigned to specific server classes. Finally, you’ll understand how applications are targeted to selected clients to ensure accurate and efficient deployments.
In this lecture, you’ll learn how to deploy applications to Splunk clients using the Deployment Server. The session explains how server classes are created to group target systems and how applications are associated with those server classes. You’ll also understand how whitelisting and filtering based on hostname, IP address, DNS, or operating system determine which clients receive a specific app.
The lecture then walks through assigning an app to a server class, selecting and previewing matching clients, and saving the configuration to trigger deployment. You’ll see how the Deployment Server copies the app to connected clients, how deployments appear in the Forwarder Management console, and where deployed apps are stored on both the Deployment Server and client systems. Finally, the session highlights important considerations such as app enablement, restart requirements, and validation steps to confirm successful deployment in a controlled, scalable Splunk environment.
In this lecture, you’ll learn how server groups are created and managed using serverclass.conf on the Splunk Deployment Server. The session explains how server classes help group deployment clients and define where configurations should be applied. You’ll also understand how whitelisting and blacklisting using IP addresses, hostnames, domain names, and OS types enable precise targeting of systems.
The lecture then walks through creating server classes using Splunk Web via the Agent Management interface. You’ll see how to add clients, apply wildcard-based whitelists and blacklists, filter systems by subnet or operating system, and preview matched clients before deployment. Finally, you’ll learn how these server groups are used to deploy specific configurations in a controlled and scalable manner across your Splunk environment.
In this lecture, you’ll learn what base configurations are and why they are essential in large Splunk environments. The session explains how common configuration files like inputs.conf and outputs.conf control data collection and forwarding. You’ll also understand how base configurations help standardize settings and reduce configuration drift across forwarders.
The lecture then walks through creating a base configuration as a Splunk app on the Deployment Server. You’ll see how to create server classes for universal forwarders and build the required app directory structure. The session demonstrates configuring files such as outputs.conf with indexer details and SSL settings. Finally, you’ll learn how these base configurations are deployed centrally to ensure consistent behavior across all forwarders.
In this lecture, you’ll learn how applications are deployed to Universal Forwarders using the Splunk Deployment Server. The session explains how a base configuration app containing files like outputs.conf is prepared for deployment. You’ll also understand how this setup enables Universal Forwarders to automatically receive centralized configurations.
The lecture then walks through assigning the base configuration app to a Universal Forwarder server class and saving the deployment. You’ll see how the app is downloaded to the Universal Forwarder under the etc/apps directory. The session demonstrates verifying the deployed configuration and confirming log flow from the Universal Forwarder to the indexer. Finally, you’ll understand how the Deployment Server enables full control over forwarder configurations, apps, and secure data flow across the environment.
In this lecture, you’ll learn how configuration updates and deployments work in Splunk environments. The session explains how Splunk configurations are managed through apps and configuration files such as outputs.conf. You’ll also understand why updating configurations centrally is critical for administrators in enterprise and distributed setups.
The lecture then walks through modifying an existing configuration file within a base configuration app. You’ll see how changes are saved and applied by reloading the Deployment Server using the Splunk CLI. The session demonstrates how updated configurations are automatically pushed to Universal Forwarders. Finally, you’ll verify that the changes are reflected on the client side, completing the configuration update and deployment workflow.
In this lecture, you’ll learn what it means to forward data out of Splunk and why it is used in real-world environments. The session explains how data that is already indexed in Splunk can be sent to external systems for further processing. You’ll also understand the different types of data that can be forwarded, including raw events, parsed events, search results, and selected fields.
The lecture then walks through configuring data forwarding from a Splunk instance, such as a search head or indexer. You’ll see how to use the Forwarding and Receiving settings to define destination IP addresses and ports. The session demonstrates how data can be sent to external systems like syslog servers or third-party platforms. Finally, you’ll learn how props and transforms can be used to selectively route and control which data is forwarded out of Splunk.
In this lecture, you’ll learn how user management works in Splunk and why it is critical in multi-user and enterprise environments. The session explains how Splunk controls access using users, roles, and capabilities to protect data and configurations. You’ll also understand how proper user management helps maintain security, accountability, and operational control.
The lecture then walks through creating and managing users from the Splunk Web interface. You’ll see how roles are assigned to users and how permissions are inherited through roles. The session explains common roles such as admin, power, and user, along with their capabilities. Finally, you’ll learn best practices for managing users and roles to ensure secure and efficient access across your Splunk environment.
In this lecture, you’ll learn how roles are created and managed in Splunk as part of user and authentication management. The session explains why roles are essential for controlling user permissions, enforcing least-privilege access, and securing Splunk environments. You’ll also understand how roles define what users can see and do within Splunk.
The lecture then walks through creating a custom role from the Splunk Web interface. You’ll see how to configure role inheritance, assign capabilities, define index access, and control app visibility. The session demonstrates best practices for naming roles and limiting permissions based on real-world use cases. Finally, you’ll learn how to assign roles to users to ensure secure and well-governed access across your Splunk environment.
In this lecture, you’ll learn how to create and manage users in Splunk after defining roles and permissions. The session explains how user accounts control access to Splunk and how roles determine what users can view and perform. You’ll also understand why assigning the correct role during user creation is essential for secure access control.
The lecture then walks through creating a new user from the Splunk Web interface. You’ll see how to enter user details, set login credentials, and assign the appropriate role. The session demonstrates saving the user and validating access by logging in with the new credentials. Finally, you’ll understand how user creation completes the access control workflow by enforcing role-based permissions in Splunk.
In this lecture, you’ll learn what clustering is in Splunk and why it is a critical concept in enterprise environments. The session explains how clustering helps achieve high availability, scalability, fault tolerance, and data reliability. You’ll also understand how clustering ensures continuous operations even when individual Splunk components fail.
The lecture then introduces the main types of clustering used in Splunk. You’ll learn how indexer clustering protects data through replication and improves performance at scale. The session explains how search head clustering ensures uninterrupted access to searches, dashboards, and alerts. Finally, you’ll be introduced to heavy forwarder clustering and its role in reliable, high-availability data ingestion.
In this lecture, you’ll learn the fundamentals of Indexer Clustering in Splunk Enterprise and why it is essential for enterprise-scale deployments. The session explains how indexer clustering enables data replication, high availability, and fault tolerance. You’ll also understand the role of the Cluster Manager and indexer peers in maintaining data reliability.
The lecture then introduces single-site and multi-site indexer clustering architectures. You’ll learn key concepts such as replication factor, search factor, and how they affect data availability and search performance. The session explains site-level concepts like site replication factor and site search factor for multi-data-center setups. Finally, you’ll gain clarity on how these concepts are applied during real-world indexer clustering configurations.
In this lecture, you’ll perform a hands-on lab to configure Indexer Clustering in Splunk Enterprise. The session explains how replication factor, search factor, and site-based factors control data availability and search reliability. You’ll also understand the difference between single-site and multi-site clustering through practical examples.
The lecture then walks through configuring the Cluster Manager and indexer peers using real Splunk CLI commands. You’ll see how to set up single-site clustering and extend it to multi-site clustering with site replication and search factors. The session demonstrates verifying cluster health and status using built-in Splunk commands. Finally, you’ll gain confidence in building and validating a production-ready indexer cluster step by step.
In this lecture, you’ll learn the fundamentals of Search Head Clustering in Splunk through a real-world, hands-on lab. The session explains why Search Head Clustering is essential for high availability, scalability, and uninterrupted user access. You’ll also understand the core architecture, including search heads, the deployer, and their interaction with the indexer cluster.
The lecture then walks through configuring Search Head Clustering step by step using practical CLI commands. You’ll see how to set up the deployer, initialize the cluster, join multiple search heads, and verify captain election. The session demonstrates connecting the search head cluster to the indexer cluster and deploying apps using the deployer. Finally, you’ll learn common mistakes, troubleshooting techniques, and best practices for building a stable production-ready Search Head Cluster.
In this lecture, you’ll learn how Heavy Forwarder Clustering is implemented in Splunk using operating system–level high availability. The session explains why Splunk does not provide native clustering for heavy forwarders and when this setup is required. You’ll also understand real-world use cases where uninterrupted data ingestion is critical, such as security, compliance, and audit logging.
The lecture then walks through a hands-on active–passive lab setup using two heavy forwarders. You’ll see how Syslog-NG is configured for syslog collection and how a shared Virtual IP enables seamless failover. The session demonstrates configuring Splunk inputs, OS-level services, and validating automatic failover. Finally, you’ll understand the end-to-end data flow and best practices for designing reliable heavy forwarder high-availability architectures.
In this lecture, you’ll learn how to bind Splunk Enterprise to a specific IP address for better security and network control. The session explains why limiting Splunk to approved interfaces is important in multi-homed systems. You’ll also understand how binding improves access control, performance, and compliance in enterprise environments.
The lecture then walks through identifying available network interfaces and selecting the correct IP. You’ll see how to configure IP binding using the splunk-launch.conf file via the Splunk CLI. The session demonstrates restarting Splunk and verifying that it listens only on the specified interface. Finally, you’ll learn how the same approach applies across Splunk components, including forwarders, to control data ingestion paths.
In this lecture, you’ll learn how Splunk process names work and why changing them is often misunderstood. The session explains common Splunk processes such as splunkd and splunkweb, and how tightly they are integrated with Splunk’s internal operations. You’ll also understand the security and hardening concerns that usually lead administrators to ask about changing process names.
The lecture then walks through examining process-related settings using the splunk-launch.conf file. You’ll see why Splunk’s core executable names cannot be truly changed without impacting functionality. The session demonstrates safe configuration changes, proper shutdown and restart procedures, and how Splunk handles utility names internally. Finally, you’ll gain clarity on best practices for process visibility, security hardening, and what is and isn’t supported in Splunk environments.
In this lecture, you’ll learn how to disable the Splunk Web component to reduce resource usage and harden non-UI Splunk instances. The session explains when and why Splunk Web should be disabled, especially on indexers and heavy forwarders. You’ll also understand how disabling the web interface affects ports, services, and access methods.
The lecture then walks through disabling and enabling Splunk Web using multiple methods. You’ll see how to manage Splunk Web from the Web Console, edit the web.conf file via the Linux CLI, and use Splunk CLI commands. The session demonstrates restarting Splunk and verifying service behavior through port checks and browser access. Finally, you’ll learn best practices for safely managing Splunk Web components to improve performance and security.
In this lecture, you’ll learn how to perform selective restarting in Splunk using the Splunk CLI. The session explains why restarting only specific Splunk components is critical in production environments. You’ll also understand how selective restarts help minimize downtime and avoid disrupting active searches and dashboards.
The lecture then walks through commonly used Splunk CLI commands for service management. You’ll see how to check service status and selectively restart components like splunkweb or splunkd. The session demonstrates when to restart only the web interface versus the full Splunk service. Finally, you’ll learn best practices for applying selective restarts during UI changes, configuration updates, and routine administration tasks.
In this lecture, you’ll learn how the add, enable, and disable commands work in the Splunk CLI and why they are essential for daily administration. The session explains how these commands are used to manage inputs, listeners, forward servers, and system features. You’ll also understand how these commands simplify configuration without manually editing files.
The lecture then walks through the practical usage of the Splunk add command and how to explore its syntax using built-in help. You’ll see how enable is used to activate inputs, monitoring features, and maintenance mode during upgrades or migrations. The session explains when and why to use disable to safely stop specific features or services. Finally, you’ll gain clarity on how these commands are used together for efficient, controlled Splunk environment management.
In this lecture, you’ll learn how to use the show commands in the Splunk CLI to retrieve runtime and configuration details. The session explains how show commands help administrators quickly inspect ports, services, and system status. You’ll also understand why these commands are essential for day-to-day monitoring and troubleshooting.
The lecture then walks through common show command examples, such as checking web and management ports. You’ll see how to explore available options using the built-in CLI help. The session highlights critical clustering-related commands like cluster status and cluster bundle status. Finally, you’ll learn how show commands provide quick operational visibility without accessing the Splunk Web interface.
In this lecture, you’ll learn how to use the btool command, one of the most powerful and essential tools in the Splunk CLI. The session explains how btool helps validate configuration syntax and identify errors before restarting Splunk. You’ll also understand why btool is critical for troubleshooting complex configuration issues in enterprise environments.
The lecture then walks through practical btool usage with real examples. You’ll see how to detect syntax errors in configuration files like inputs.conf and pinpoint the exact file and line number. The session demonstrates how to locate configurations such as props, transforms, and inputs across system and app layers using debug mode. Finally, you’ll learn how btool helps administrators quickly trace and verify configurations regardless of where they are defined in Splunk.
In this lecture, you’ll learn quick and practical tips to restart Splunk components efficiently during day-to-day administration. The session explains why selectively restarting only required processes is important for Splunk admins, developers, and architects. You’ll also understand how these shortcuts help save time and reduce service disruption.
The lecture then walks through fast CLI techniques for restarting Splunk Web without restarting the entire Splunk service. You’ll see how to use short commands and aliases to refresh the UI after configuration or visual changes. The session also introduces browser-side debug refresh options available within Splunk Web. Finally, you’ll gain practical hacks that help keep Splunk environments responsive and manageable with minimal downtime.
In this lecture, you’ll learn what data models are in Splunk and why they are essential for efficient reporting and analytics. The session explains how data models provide a structured, hierarchical view of indexed data to support faster searches and consistent field definitions. You’ll also understand when to use data models for dashboards, Pivot reports, and performance optimization in high-volume environments.
The lecture then walks through creating a data model using Splunk’s Data Model Editor. You’ll see how to define a root event, apply constraints, and build child datasets to organize different data sources. The session demonstrates adding and enriching fields using calculations, lookups, regex extractions, and geolocation. Finally, you’ll learn how data models serve as the foundation for accelerated searches, dashboards, and Pivot-based visualizations.
In this lecture, you’ll learn how data model acceleration works in Splunk and why it is critical for high-performance reporting. The session explains how accelerated data models store summarized data to deliver near-instant search results. You’ll also understand how field extraction and acceleration improve dashboard and report performance.
The lecture then walks through enabling auto-extracted fields and using Pivot to analyze accelerated datasets. You’ll see how to build reports and visualizations without writing SPL. The session demonstrates enabling acceleration, setting the acceleration time range, and understanding edit limitations. Finally, you’ll learn how to monitor acceleration status, storage usage, and build progress from the Data Models console.
In this lecture, you’ll learn how to use Splunk datasets and data models to build searches without writing SPL. The session explains how datasets allow users to explore structured data created from data models. You’ll also understand how datasets simplify reporting and analysis for users who are not familiar with search commands.
The lecture then walks through accessing datasets from the Data Models and Search & Reporting apps. You’ll see how to use the visual dataset editor to select fields, rearrange columns, and apply calculations. The session demonstrates building statistics such as counts and splits using a graphical interface. Finally, you’ll learn how to save dataset results as tables for reuse in reports, alerts, or lookups.
This course is a complete, end-to-end training on Splunk Enterprise Administration and Architecture, designed to help you build real-world, production-ready Splunk skills from the ground up.
You will start with Splunk fundamentals, including installation, the Splunk Web interface, searching data, and licensing concepts. The course then moves into Splunk Enterprise architecture, where you’ll learn capacity planning, hardware requirements, license calculation, and high-availability design—critical skills for enterprise deployments.
A major portion of the course is dedicated to hands-on installation and configuration of core Splunk components such as Indexers, Search Heads, Universal and Heavy Forwarders, Deployment Servers, and License Managers. You’ll gain deep clarity on configuration hierarchy, indexes, data onboarding, and SSL enablement using both Splunk Web and CLI.
You’ll also master data onboarding, field extraction, alerts, reports, dashboards, and visualizations, including XML dashboard editing and drilldowns. Advanced sections cover Splunk app and add-on management, user and role administration, and Deployment Server–based agent management. The course concludes with Indexer Clustering, Search Head Clustering, and Heavy Forwarder Clustering, followed by advanced administration topics such as CLI mastery, performance tuning, data models, and scripted deployments.
Disclaimer:
This is an independent, third-party training course created to help learners understand and work with Splunk Enterprise in real-world environments. This course is not an official Splunk course, is not endorsed or affiliated with Splunk Inc., and does not replace Splunk’s official training or certification programs. All product names are used for educational and reference purposes only.
By the end of this course, you’ll be confident in designing, deploying, managing, and optimizing Splunk Enterprise environments used in real organizations.