Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What resources are recommended if I've been made a Splunk administrator, but know very little about Splunk?

Raghav2384
Motivator
‎09-04-2014 09:50 PM

Hello Experts,

I know very little about splunk :(. Our only splunk expert decided to quit and i have been asked to take the responsibility starting with enterprise administration. Is referring to splunk admin manuals/documentation enough to start?
I mean is it 100% knowledge base or just to get you to speed?
Sorry if it sounds silly . I am running in 1000 directions right now

Any help is much appreciated.
Thanks,
Raghav

Reply

grijhwani
Motivator
‎09-05-2014 02:02 PM

You know more than I did when I became Splunk in-house "expert" (as I say to people I "went from zero to SME in the space of 5 days"). This is not to dismiss your concerns. Quite the contrary. I want to give you confidence that it is achievable very quickly. For the most part I would (as the others have said) learn the shape of your actual Splunk infrastructure. I had help, in that I was guided through a new set of installations by one of the previous admins, and I would say that a test installation (which you can afford to break and start from scratch), and a bit of tinkering will get you a long way.

Other than that I would suggest that you use the documentation (the online manual), the Wiki, and "Answers" as reference material, and for anything else you genuinely cannot find solutions for or which confuse you ask here. It's not as daunting as it may seem.

(Personally I don't recommend Splunk-on-Splunk, but that is because I have a personal prejudice about adding secondary packages like the third-party side utils SoS is dependent on. If you can frame a Splunk query, you can understand pretty much everything you need to from Splunks own "_*" indexes for yourself, and besides it is a good didactic exercise doing so and learning what you can find in there.)

Reply

koppolu17
Explorer
‎12-28-2015 02:23 PM

I went through same phase with 1 hour introduction to Splunk by manager, he sent me an e-mail to access splunk web, logs locations related to oracle Middleware WebLogic SOA suite, database and operations document(runbook).
After that I came home and installed splunk 5. Read Splunk docs to understand it better.
Splunk quickly expanded all over the world.
Reading Splunk answers helped me a lot.

0 Karma
Reply

piebob
Splunk Employee
Splunk Employee
‎09-04-2014 11:02 PM

it sounds like you need to get an understanding of what your current deployment looks like, and to review this manual, starting with this topic:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/LearnhowtoadministerSplunk

once you have reviewed this, you can move on to learning about the different roles/components of Splunk:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Distributedoverview

at that point, you should be able to start asking specific questions (after first searching in the docs of course :)). this site (Answers) is much better suited to specific questions.

Reply

Raghav2384
Motivator
‎09-05-2014 07:31 AM

Thank you!!!! Really appreciate your help.

0 Karma
Reply

MarioM
Motivator
‎09-04-2014 10:37 PM

Additionally to ppablo_splunk comment my second step would be to check my splunk health status using different apps:

If you have a large distributed deployment i would have a dedicated search head only for those apps.

Reply

Raghav2384
Motivator
‎09-05-2014 07:32 AM

Thank you Mario!Cheers!

0 Karma
Reply

ppablo
Retired
‎09-04-2014 10:10 PM

Hi @Raghav2384

How little is little exactly? If you haven't really used Splunk before, going straight into the admin manual might be a big jump. I'd suggest going through the Search Tutorial on the Splunk documentation page (http://docs.splunk.com/Documentation ) first which will help you get started with understanding Splunk and its many features, just to touch the surface.

Do you know what version of Splunk you are running?

Reply

Raghav2384
Motivator
‎09-05-2014 07:31 AM

Thank you ppablo! Cheers!

0 Karma
Reply

ppablo
Retired
‎09-04-2014 11:12 PM

Hi @Raghav2384

In that case, I think going through the suggested documentation referenced by @piebob would be a good place to start since you're familiar with the basics. The apps suggested by @MarioM (and many other apps) will definitely be worth checking out once you have a better grasp on your role and knowledge as an admin. Good luck!

Reply

Raghav2384
Motivator
‎09-04-2014 10:33 PM

Hi ppablo, i have experience in building reports,dashboards, alerts, knowledge objects and installed splunk free and edited conf files on a tiny scale setup (used 4 laptops - 2 having forwarders etc) . i haven't done administration at all. Example: I know indexer and how it is a full splunk ent version but don't know how to disable features like 'use it only for indexing but not searching'. Basically, i am reading all different manuals without knowing the practical way of doing it. Any help would be great. My ADHD situation is making it worse :(.Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...