Course Overview
The course covers topics and techniques for troubleshooting a standard Splunk distributed deployment using the tools available with Splunk Enterprise.
This course may be delivered in one day or as two days of 4.5-hour sessions.
Who should attend
Administrators
Certifications
This course is part of the following Certifications:
Prerequisites
To be successful, students should have a solid understanding of the following modules:
- What is Splunk? (Retired)
- Intro to Splunk
- Using Fields (SUF)
- Introduction to Knowledge Objects
- Creating Knowledge Objects (CKO)
- Creating Field Extractions (CFE)
- Splunk Enterprise System Administration (SESA)
- Splunk Enterprise Data Administration (SEDA)
Additional courses and/or knowledge in these areas are also highly recommended:
Outline: Troubleshooting Splunk Enterprise (TSE)
Module 1 – Splunk Troubleshooting Methods and Tools
- Describe the Splunk Troubleshooting Approach
- List Splunk Diagnostic Resources and Tools
- Create and Splunk a Diag
- Use RapidDiag
Module 2 – Indexing Problems
- Discover Splunk Deployment Topology and its Server Roles
- Identify Where to Check the Index-Time Pipeline Status
- Use the metrics.log to Clarify the Index-Time Problem
Module 3 – Input Configuration Problems
- Data Input Issues
- Troubleshooting Inputs with the Monitoring Console
Module 4 – Deployment and Forwarder Problems
- Deployment Server Issues
- Forwarding and Receiving Issues
Module 5 – Search Management Problems
- Troubleshoot Distributed Search Issues
- Identify Job Scheduling Problems
- Learn to Diagnose Crashing Problems
- Describe How to Prioritize Resources for Critical Splunk Processes
Module 6 – User Search Problems
- Identify the Types of Search Problems
- Isolate and Troubleshoot Search Problems