Sort of OT, but CISSP here with a Splunk question and some commentary...

cledford3

This is sort of off topic but I'm a CISSP (I leveraged this forum heavily for both my CISSP and HCISPP) at medium sized healthcare system with a Splunk question regarding training/certification and some commentary on my experiences as a customer so far with Splunk.

We are a new Splunk Enterprise Security shop and I'd love feedback on the Splunk Fundamentals Part 2 certification mess - specifically which version of the class to take to be able to pass the *required* certification exam. 

After the much ballyhooed free Splunk Fundamentals Part 1 (which is sort of a joke), to take *any* of the ES Security *TRAINING CLASSES* (or any others), everyone must first take one or more "pre-requisite" classes (at several thousand dollars a piece) and then ALSO pass certification exams at Prometric for another $125 each.  Exams don't bother me much (passed my CISSP on first try and hold several other certs) but it is very obnoxious that Splunk won't allow a paying customer to take their training without also paying for 2 pre-requisite classes that both have individual exams to complete!  My issue is the time involved more than anything, and I've never seen a vendor in my 25 year career so hard nosed about all of this.  They don't tell you any of this before you buy, and you are essentially locked out of training you need until you buy training you may not want, and also obtain a certification you may not want - so the "free" Splunk training thing that gets thrown around gets my blood boiling!  They make their money back and then some!

Anyhow, I've taken "Splunk 7.x Fundamentals Part 1" and now need to take part 2 so I can take the exam.    The issue is that there are two versions (not content deliveries, there are two of those also...) and Splunk can't even say which to take!  The issue is that there is "IOD" (instructor on demand - in other words, online self paced with an email address you can send questions to), or "Instructor Led" classes - but the IOD is version *7.x only*, and the Instructor led is 8.0 only!  Given that there was ALSO a 7.3 Essentials Part 2 and I'm left confused and wondering which class to take.  I engaged my Splunk account team, Splunk VAR, and the Splunk Education Team, and no one can tell me what the difference is - aside from the 7.x being only 2 days and the 8.0 being 4 days!

Any help would be enormous!  I would MUCH prefer to take the IOD class due to time constraints and flexibility (learn at your own pace) - but I don't want to miss out on testable content that had changed from "7.x" to 8.0 and then fail the exam and have to take it multiple times - again, just to get into the ES class I need.

I'll also offer this advice - serious consider whether you need Splunk before buying it - at least as a security tool/SIEM.  It is *extremely* pricey, the back-end is a bear to manage, and documentation (books, training, 3rd party stuff or Splunk) is virtually non-existent.  They are super proud of the "splunkbase" which is (IMHO) a poor excuse for real documentation - more like leverage your customers to support your product for free.  We are a medium sized Healthcare system and spent a TON on splunk (between entitlement and hardware) and this training crap is the final straw - I wish we'd gone a different direction.  If you do go Splunk, strongly consider the Cloud version to avoid the massive infrastructure management burden on top of everything else.

Thanks for any input,

-Calvin

McxRisley

Several year Splunk System/Data/ES admin here, I would say that you will be fine with taking the 7.x courses since not much has changed from 7.x to 8. The main difference is that 8 is making the push to be python 3 only but it will still work with some python 2.x IF Splunk or the creators of the apps/add-ons provide the correct updates for it to work. Also, splunkbase is the site where the apps are hosted, the actual documentation for the apps is on splunk docs. Something to keep in mind when searching for apps to use is to make sure that they are actually supported, it will tell you whether they are or not on splunkbase. On top of that, the majority of apps and add-ons are not created by Splunk and thus, are not maintained by them. So the lack of documentation on some of the apps/add-ons is not Splunks fault because they did not make them or support them.

Also on your point of the back-end being a bear to manage, it can be quite troublesome if you don't know what you're doing but I manage 3 very large networks solely by myself and have no problems managing the back-end. This was not without A LOT of trial and error on my part though but that's because I was new to it at the time. Splunk is actually the easiest to manage out of all the SIEMS available and the price is actually on par with its competitors when you compare the pricings. I could get into me opinion on the cloud side of Splunk but that would be a massive post lol. Long story short, if you can deal with not being able to immediately access the back-end of your servers and fix problems and also not having access to them if you fiber to the GIG gets cut (yes this happens a lot where i work), then the cloud MIGHT be the right solution for you.