Splunk User Cert 6.x

--chris-- Member Posts: 1,518
I sat for and passed this exam this morning.

Method was internet based, no proctor.

Difficulty was 6/10; I felt a handful of questions were very specific and not covered in the training materials, videos or labs.

I spent a week or two going through all of the labs several times. Understanding SPL, search basics and transforming commands is a very important part of the exam. Equally important is understanding what happens by default for certain commands as well as what each function of an enterprise Splunk deployment consists of (and what it does), à la indexer, search head, forwarder.

Being able to spot improper SPL syntax is important as well.

I start Fundamentals II next week, then sit for the next cert. I will follow up once I have sat for that exam as well.

Comments

  • shochan Member Posts: 1,014
    Yeah, I failed it the first time 58%...and yeah, the quizzes did not even get you ready for the actual exam...I can take it again, but only when I have prepared more. I agree, taking the labs over & over should reinforce the knowledge...and I need to reread that 241 pg Fundamentals I pdf and have a better understanding before I take it again.

    Congrats!
    CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
  • GeekyChick Member Posts: 323
    Hey, that's not fair. :) I failed the first time.

    No really, congrats!

    I would like to hear about your experience with Fundamentals II when you take it. I will probably be doing that in a few weeks.
  • --chris-- Member Posts: 1,518
    shochan wrote: »
    Yeah, I failed it the first time 58%...and yeah, the quizzes did not even get you ready for the actual exam...I can take it again, but only when I have prepared more. I agree, taking the labs over & over should reinforce the knowledge...and I need to reread that 241 pg Fundamentals I pdf and have a better understanding before I take it again.

    Congrats!

    The biggest "help" I had in preparing for the exam was using multiple sources for the subject matter. By that I mean if the lab PDF said "extract the top 20 fields from this search", it's obviously asking for you to use the TOP transforming command. Good, but not good enough. I would go and read the Splunk page for the TOP command, then try all of the examples listed on that page.

    I spent a lot of time just "screwing around" in Splunk with all the SPL and transforming commands, chaining them together, modifying behavior, swapping this out for that and observing the change.

    For things like using Pivot or creating alerts, I would use YouTube, the PDFs and Splunk wiki articles (using all three as "lab" guides, following along and stopping whenever I ran into something that could be done multiple ways...then doing whatever it is all those other ways).
  • --chris-- Member Posts: 1,518
    GeekyChick wrote: »
    Hey, that's not fair. :) I failed the first time.

    No really, congrats!

    I would like to hear about your experience with Fundamentals II when you take it. I will probably be doing that in a few weeks.

    I start it tomorrow. A coworker is a little further ahead on the Splunk training than I am and he said it built on Fundamentals 1 but was not a huge step up in complexity.
  • DatabaseHead Member Posts: 2,754
    --chris-- wrote: »
    I start it tomorrow. A coworker is a little further ahead on the splunk training than I am and he said it built on Fundamentals 1 but was not a huge step up in complexity.

    Is this tool strictly for security or do you see it being leveraged in other domains as well?
  • TheFORCE Member Posts: 2,297
    Is this tool strictly for security or do you see it being leveraged in other domains as well?

    It can be used for anything that is relevant to IT infrastructure. Troubleshooting, resource distribution, behavior analysis, application visibility, compliance, etc. Traffic that traverses the network generates massive amounts of data. All that traffic can be correlated and mapped to whatever hypotheses you have to hopefully assist you with coming up with whatever conclusion you were after.
  • TheFORCE Member Posts: 2,297
    By the way, according to Wiki, Splunk is one of the highest employee-paying companies in the US. Worth looking at their openings.
  • DatabaseHead Member Posts: 2,754
    Thanks for the clear description....

    I'm an ETL / Data Analyst looking to grow my skills. I've been banging this one around for a little while. I have very little knowledge in the security domain, but really enjoyed looking at AD metadata to uncover / solve questions for the business / enterprise....

    Mainly heavy SQL and ETL tools, SSIS, Informatica, but have had to leverage PowerShell in the past for certain projects.......

    The idea of running studies on the enterprise sounds like A LOT OF FUN.
  • --chris-- Member Posts: 1,518
    I would suggest signing up for the Fundamentals 1 course. It's pretty short and free.

    https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html

    This introduces Splunk and gives some good examples of how it is used or can be used.

    For our purposes, we will be using it primarily for security & auditing but as we learn it the plan is to expand it so that other teams can request data from us.
  • DatabaseHead Member Posts: 2,754
    Chris, thanks a lot, appreciate the link and information.
  • DatabaseHead Member Posts: 2,754
    Funny stuff here.

    Went through the first 4 modules of the Splunk training, and kind of lost interest, but ended up spending 2 hours getting back into PowerShell lol.

    Opening documents using COM objects etc....

    Sorry to derail the topic but I thought it was worth mentioning. I had a good time.