
Launch and secure a Splunk deployment by creating an Ubuntu server, configuring SSH key-based authentication, and tightening access with firewall rules for ports 22 and 8000.
Install Docker Desktop on Windows, launch the GUI to view images and containers, sign in to hub.docker.com, and learn to switch between the WSL2 and Hyper-V backends, confirming the active one with docker info.
Launch and manage a Splunk Docker container from the official splunk/splunk image, configure port mappings including 8000, sign in with the admin credentials, and run multiple containers side by side.
Explore how source types drive field extractions in Splunk, learn to assign correct source types, and install add-ons to enable regex-based parsing for accurate dashboards, searches, and alerts.
Discover how the Splunk search assistant provides auto-fill suggestions from search history and documentation, with its compact, full, and none modes, and how to customize it per user to streamline SPL queries.
Explore how Splunk alerts use saved searches to monitor in real time or on a schedule, trigger when their conditions are met, and notify via Slack or email when security attacks are detected.
Install and configure the Splunk Add-on for AWS to collect AWS data, manage credentials or IAM roles, and set up inputs while respecting hardware requirements and API call limits.
Explore how to add and configure a time range picker in Splunk dashboards, using presets, shared time pickers, and a submit button to refresh panels.
Learn to build and link a text-based input in Splunk dashboards, using a linux_secure source and dynamic fields like src port and sssd protocol for interactive filtering.
Explore the bucket life cycle: data moves from cold to frozen when index size or age thresholds are met, and frozen data is archived rather than deleted, with its TSIDX files removed.
Explore how Splunk workflow actions add interactivity between index fields and external web resources, using a client IP whois lookup via abuseipdb.com.
Understand how server classes and deployment apps govern Splunk universal forwarders by generating inputs.conf and outputs.conf, and how deployment maps target the linux_logs app at specific forwarders.
Learn how Splunk parses web server logs using custom regex or ready-made add-ons, and apply named capturing groups to extract fields like source_ip and request_time from nginx logs.
Explore how Splunk event types categorize data to simplify log analysis, with examples like success_purchase, invalid_user, and session_open, and learn their limitations, such as not supporting pipes or subsearches.
Explore Splunk access control by configuring authentication methods, managing users and roles, and assigning permissions to control access, with examples of multifactor authentication, LDAP, and a separate Splunk instance.
Explore Splunk access control by creating a custom role with restricted search terms and restricted time ranges, assigning capabilities, and configuring default apps to tailor user access.
Learn how to mask sensitive data at index time in Splunk by transforming credit card and SSN information before indexing, so analysts cannot view the original details.
Utilize the Splunk monitoring console to view pre-built dashboards of indexing performance, resource usage, license usage, and search performance, including distributed search and long-running searches.
Test replication across a two-peer Splunk indexer cluster by uploading data on one node and verifying that it appears on the other as searchable and replicated copies for the audit and telemetry indexes.
Explore the search head cluster infrastructure with two cluster member servers and a deployer that pushes configuration bundles. Learn how these members connect to indexers to fetch data.
Splunk - Beginner to Architect is a course specifically designed for beginners who intend to master the infrastructure side of Splunk.
This course starts from absolute scratch and, step by step, builds a solid foundation in Splunk covering writing SPL queries, building dashboards, deploying distributed Splunk architectures, troubleshooting, access controls, and building highly available clustered setups for Splunk.
We also discuss the traditional and the newer Splunk deployment models, both the RPM-based approach and the newer Docker container approach, which makes it possible to deploy Splunk on any platform, including a local laptop, within two minutes. This allows quick testing as well as quicker deployments within production environments.
After completing this course, learners will have a solid understanding of Splunk components and be able to deploy production-level Splunk clusters in their organizations that are highly available and can handle traffic at scale.
With a beginner-friendly approach, tons of practicals, easy-to-understand videos, and great support from our instructor in case of doubts, this course is all you need to build a solid foundation in Splunk.
With this interesting set of learnings and practicals, I look forward to seeing you in this course.