Queries on Splunk Core Certified User certification

csjcsj Member Posts: 2 ■□□□□□□□□□
Hi All,

I am planning for Splunk Core Certified User certification but not sure from where I should start.
Could you please let us know best learning approach so that I can get desired score in certification.


  • McxRisleyMcxRisley Member Posts: 494 ■■■■■□□□□□
    The training for the Splunk user course is free through Splunk. The best thing you can do is start using Splunk right now and get familiar with moving around the application and memorize where all of the settings are and what pages they are under. This is the biggest part of the user exam, knowing your way around Splunk and some of the basics on the architecture of a deployment.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • cledford3cledford3 Member Posts: 66 ■■■□□□□□□□
    We are a new Splunk Enterprise Security shop and I'd love feedback on the Splunk Fundamentals Part 2 mess - specifically which version of the class to take to be able to pass the *required* certification exam. 

    After the much ballyhooed free Splunk Fundamentals Part 1 (which is sort of a joke), to take *any* of the ES Security *TRAINING CLASSES* (or any others), everyone must first take one or more "pre-requisite" classes (at several thousand dollars a piece) and then ALSO pass certification exams at Prometric for another $125 each.  Exams don't bother me much (I hold a CISSP and several other certs) but it is very obnoxious that Splunk won't allow a paying customer to take their training without also paying for 2 pre-requisite classes that both have individual exams to complete!  My issue is the time involved more than anything, and I've never seen a vendor in my 25 year career so hard nosed about all of this.  They don't tell you any of this before you buy, and you are essentially locked out of training you need until you buy training you may not want, and also obtain a certification you may not want - so the "free" Splunk training thing that gets thrown around gets my blood boiling!  They make their money back and then some!

    Anyhow, I've taken "Splunk 7.x Fundamentals Part 1" and now need to take part 2 so I can take the exam.    The issue is that there are two versions (not content deliveries, there are two of those also...) and Splunk can't even say which to take!  The issue is that there is "IOD" (instructor on demand - in other words, online self paced with an email address you can send questions to), or "Instructor Led" classes - but the IOD is version *7.x only*, and the Instructor led is 8.0 only!  Given that there was ALSO a 7.3 Essentials Part 2 and I'm left confused and wondering which class to take.  I engaged my Splunk account team, Splunk VAR, and the Splunk Education Team, and no one can tell me what the difference is - aside from the 7.x being only 2 days and the 8.0 being 4 days!

    Any help would be enormous!  I would MUCH prefer to take the IOD class due to time constraints and flexibility (learn at your own pace) - but I don't want to miss out on testable content that had changed from "7.x" to 8.0 and then fail the exam and have to take it multiple times - again, just to get into the ES class I need.

    I'll also offer this advice - serious consider whether you need Splunk before buying it - at least as a as a security tool/SIEM.  It is *extremely* pricey, the back-end is a bear to manage, and documentation (books, training, 3rd party stuff or Splunk) is virtually non-existent.  They are super proud of the "splunkbase" which is (IMHO) a poor excuse for real documentation - more like leverage your customers to support your product for free.  We are a medium sized Healthcare system and spent a TON on splunk (between entitlement 7 hardware) and this training crap is the final straw - I wish we'd gone a different direction.  If you do go Splunk, strongly consider the Cloud version to avoid the massive infrastructure management burden on top of everything else.

    Thanks for any input,

Sign In or Register to comment.