Splunk Certified User Exam Review

KiyoriKiyori Member Posts: 40 ■■■□□□□□□□

I failed the first Splunk exam (SPLK-1001: Splunk Core Certified User) this afternoon.

However, I wanted to provide a review as it is fairly new. I decided to take the exam, as the end of the free fundamentals course recommended it. This was a “I don’t know what I’m getting into, but I have to do something about it” moment for me.

The exam is 60 multiple-choice questions with a 60 minute time limit. The cost for a Splunk exam voucher is $125. Register on Splunk’s website first, then use the ID they provide to you in an email to register an account on PearsonVUE.

I completed the free Splunk Fundamentals 1 course offered from Splunk two days prior to the exam. My experience with Splunk is limited to the labs in the free course, and lightly exploring the product at the office. Ok, basic information is out of the way. Here’s what I wish I knew and did:

Read the exam blueprint!

Like most certification exams, the free course was not enough to prepare for it. Do the free course, then do it again. Then do it one more time. Pay attention to small details. You will need to know which words turn which color, correct syntax, and which words are case-sensitive.

Information for each command is very important; you will need to know how to rename fields, sort fields, limit fields, etc. In addition, the exam is tricky – they may put two answers that are VERY SIMILAR – these might be clear to those who are experienced using Splunk, but can be tricky for beginners.

Booleans – learn them, review them, practice, practice, practice. Pay attention to how they are written in the search bar. Practice generating long (not necessarily complex) search strings. For example, try searching more than one index and more than one Boolean statement. Remember how algebra has an order of operations and can specify what happens first with parenthesis? Apply that to your practice searches.

You will also need to know default settings for commands, reports, searches, etc. The exam can get tricky by providing two answers which look like they are both correct – the only difference being one includes a description of default values.

I feel a lot better having sat for the exam and experiencing what it was like. Having discovered the blueprint and seeing the exam results, I can narrow down where I need to focus.

And now back to the training.


Comments

  • jogurt8006jogurt8006 Registered Users Posts: 3 ■■□□□□□□□□
    Thanks Kiyory for sharing your experience - I will also try to take this exam - Have you found other useful information on the web for this exam?
     
  • butters0_0butters0_0 Registered Users Posts: 3 ■■□□□□□□□□
    It's also helpful to download the course material (PDF) that is provided, it has a lot of details that will be in the exam. Also reviewing the lab materials (PDF) will also help.
  • jogurt8006jogurt8006 Registered Users Posts: 3 ■■□□□□□□□□
    SPLUNK - core certified user
    Experience:
    Sortorder on alarms page
    dc or distinct-count
    field + vs. dedup - what brings performance
    dashboard - what all can be edited
    rare 
    export format of statistics
    all Fields in the side-bar
    _time@indextime
    @ function for time
    timepicker
    > < operator
    how to effective use *
    where to set pips
  • jogurt8006jogurt8006 Registered Users Posts: 3 ■■□□□□□□□□
    After the 60 question it is possible to review all the questions and maybe change the answers.
    The answers are very similar you have to read them carefully 
  • Goteki54Goteki54 Member Posts: 79 ■■■□□□□□□□
    I passed the fundemental part 1 course. The video helped but the labs and getting a feel for it helpe to make sense of it. I'm planning on going for the Splunk Core User cert next month. There is limited third party material for Splunk I may take the  Udemy course prior to taking the exam.
    CompTIA A+, Network+, Security +., SSCP
  • MalwareMikeMalwareMike Member Posts: 147 ■■■□□□□□□□
    Did you end up taking the exam again?
    Current: GSEC, GCIH, GCIA, GWAPT, GYPC, RHCSA, WCNA
    2019 Goals: CISSP, Splunk certifications (Certified Core, Power User, Admin, and Architect)
    Twitter: https://twitter.com/Malware_Mike
    Website: https://www.malwaremike.com

  • 2736472837373827364728373738 Member Posts: 1 ■■□□□□□□□□
    Hi All,

    Just took the (SPLK-1001: Splunk Core Certified User), this morning and thankfully passed. I concur with @jogurt8006 and his list of subject matter to focus on. As it will be of help to make sure you’re familiar with those topics before taking the exam. 

    Additionally, the 234 page, PDF is a critical resource to be well acquainted with before attempting the exam. There were some questions that, to my knowledge, were not completely covered throughout the base, fundamental course videos/labs.

    Perhaps these areas were thought to be implied by paying closer attention to detail while engaging with the application hands on, which could be assumed as the ultimate objective of the training initiative.

    My personal experience was going through the fundamental course twice (including videos, labs and quizzes), reading the provided PDF thoroughly, then skimming through again. Most importantly, getting hands on with the application and exploring all of the things learned from both, the fundamentals course and the PDF. As this will get you better aquatinted with the UI. This will help you not only on the test but ultimately get you more comfortable with the application. Which at the end of the day trumps a piece of paper that expires in two years anyway.

    I would like to comment, that this is a pay attention to details exam. There will be questions based on the PDF, where you’ll be thinking “they’ll never ask something that specific”, and then bam, there it is. So just use this time to learn and become a better Splunk user. All in all, the most valuable thing we can take away from this (aside from a potential job), is the ability to consistently apply the knowledge gained. Not just the 30 seconds of excitement you feel for attaining yet another certification.

    Anyways, that’s just my humble thoughts for anyone who is about to take this exam. I personally thought it was a fair assessment of the skills required for the level 1 core user.

    Kindest regards,

    -IB 
  • KiyoriKiyori Member Posts: 40 ■■■□□□□□□□
    Did you end up taking the exam again?
    Haven't taken it again just yet - it is still on the to do list!  Still training!

    Hi All,

    Just took the (SPLK-1001: Splunk Core Certified User), this morning and thankfully passed. I concur with @jogurt8006 and his list of subject matter to focus on. As it will be of help to make sure you’re familiar with those topics before taking the exam. 

    Additionally, the 234 page, PDF is a critical resource to be well acquainted with before attempting the exam. There were some questions that, to my knowledge, were not completely covered throughout the base, fundamental course videos/labs.

    Perhaps these areas were thought to be implied by paying closer attention to detail while engaging with the application hands on, which could be assumed as the ultimate objective of the training initiative.

    My personal experience was going through the fundamental course twice (including videos, labs and quizzes), reading the provided PDF thoroughly, then skimming through again. Most importantly, getting hands on with the application and exploring all of the things learned from both, the fundamentals course and the PDF. As this will get you better aquatinted with the UI. This will help you not only on the test but ultimately get you more comfortable with the application. Which at the end of the day trumps a piece of paper that expires in two years anyway.

    I would like to comment, that this is a pay attention to details exam. There will be questions based on the PDF, where you’ll be thinking “they’ll never ask something that specific”, and then bam, there it is. So just use this time to learn and become a better Splunk user. All in all, the most valuable thing we can take away from this (aside from a potential job), is the ability to consistently apply the knowledge gained. Not just the 30 seconds of excitement you feel for attaining yet another certification.

    Anyways, that’s just my humble thoughts for anyone who is about to take this exam. I personally thought it was a fair assessment of the skills required for the level 1 core user.

    Kindest regards,

    -IB 
    Thanks for the good info!  I will definitely keep this in mind!
  • wstadler6482wstadler6482 Member Posts: 4 ■■□□□□□□□□
    I completed the Fundamentals 1 and 2 twice now and also have been going through the more detailed downloadable PDF material for each.  This helped tremendously with my practice exams but I plan on reading through the Fundamentals 1 PDF material again over the course of the next 4 night shifts here at work.  I take the exam Thursday, May 9th and will let you all know how it goes.  I have two friends who work for Splunk and my ultimate goal is to apply and hopefully get an interview which is why I am going to go ahead and complete the certification as well as take basic Linux through Linux Academy.  Any thoughts or past experiences with getting hired by Splunk?  Any input is greatly appreciated!  Thanks in advance. 
  • McxRisleyMcxRisley Member Posts: 494 ■■■■■□□□□□
    I completed the Fundamentals 1 and 2 twice now and also have been going through the more detailed downloadable PDF material for each.  This helped tremendously with my practice exams but I plan on reading through the Fundamentals 1 PDF material again over the course of the next 4 night shifts here at work.  I take the exam Thursday, May 9th and will let you all know how it goes.  I have two friends who work for Splunk and my ultimate goal is to apply and hopefully get an interview which is why I am going to go ahead and complete the certification as well as take basic Linux through Linux Academy.  Any thoughts or past experiences with getting hired by Splunk?  Any input is greatly appreciated!  Thanks in advance. 
    Getting hired directly by Splunk will require at least being a certified admin with numerous years of experience directly in Splunk. Your best bet is getting hired by a company that is a Splunk partner and try to gain a few years of experience there. I am the sole system/data admin for 2 entire deployments and the user courses barely even begin to touch on the search function capabilities within Splunk.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • wstadler6482wstadler6482 Member Posts: 4 ■■□□□□□□□□
    I do appreciate your feedback and I somewhat disagree.  My one friend is a Senior Professional Services Consultant and my other friend is a Principal Engineer.  They both told me with my ISSO and Database management/Data mining experience, and my SCI clearance plus getting Splunk certs gives me a great chance to get my foot in the door.  They sent my one friend through 12 weeks of training and boot camp based on his SCI clearance and limited Splunk experience.  

  • McxRisleyMcxRisley Member Posts: 494 ■■■■■□□□□□
    I do appreciate your feedback and I somewhat disagree.  My one friend is a Senior Professional Services Consultant and my other friend is a Principal Engineer.  They both told me with my ISSO and Database management/Data mining experience, and my SCI clearance plus getting Splunk certs gives me a great chance to get my foot in the door.  They sent my one friend through 12 weeks of training and boot camp based on his SCI clearance and limited Splunk experience.  

    Well if you have those kind of connection then go for it man! But you asked for an opinion so I gave it to you based on my experience.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • wstadler6482wstadler6482 Member Posts: 4 ■■□□□□□□□□
    I absolutely appreciate you responding, and do value your opinion as a Splunk employee.  You are more than likely correct for the average person with limited IT background and no Splunk experience getting their foot in the door.  Wish me luck with this whole process and may good fortune be with you in your Splunk career.
  • wstadler6482wstadler6482 Member Posts: 4 ■■□□□□□□□□
    To All,

    I just finished taking my Splunk Core User Exam and passed.  I used the Fundamentals 1 course, as well as, the PDF provided.  I highly recommend focusing on the PDF the most because it includes a lot of good notes that are on the exam.  Good luck on your Splunk journey.


    Will
  • KiyoriKiyori Member Posts: 40 ■■■□□□□□□□
    Hi All,
    I just retook the exam (a year later) and passed!  I definitely had more experience using Splunk in the office, which helped a lot.  Since that time, I've done Fundamentals 1 & 2, Advanced Search & Reporting, and Enterprise Security courses.  I've also done some courses through Udemy.

    I would say that my initial review of this exam holds true to this day.  You need to pay attention to SMALL details.  For example, is the correct syntax "field" or "fields".  Very silly, in my opinion, but there were many questions like that.

    Definitely reading the exam blueprint and basing study off of that helps!  A lot of the questions, I knew what the query was, but I was not thinking about how Splunk defines their own things - I kind of have my own definitions based on the real-life scenarios I've had to use Splunk for.

    Lots of good information in this thread, I hope it is a great resource for all those considering this beginning certification!

    -kiyori
  • tripleatriplea Member Posts: 190 ■■■■□□□□□□
    hi

    did you need to build or load any VM's or anything for the labs?

    also did I see you can access the official documentation during the exam?

    how much did it REALLY teach you?

    Cheers.
  • KiyoriKiyori Member Posts: 40 ■■■□□□□□□□
    triplea said:
    hi

    did you need to build or load any VM's or anything for the labs?

    also did I see you can access the official documentation during the exam?

    how much did it REALLY teach you?

    Cheers.
    hi triplea,
    I needed to build VMs for the Fundamentals 1 labs.  For the Fundamentals 2 labs, they are hosted online and you don't need to build anything.

    You cannot access the official documentation during the exam.

    TL;DR - it depends on how much you want to learn
    As far as how much it REALLY taught me - like anything else, it just depends on the individual.  There are a lot of things from the Fundamentals 1 and 2 courses that I use on a daily basis, and other things that I don't.  For example, I don't worry about building any Splunk architecture - but I do use the search functions, transformation commands, booleans, and any other type of data massaging to get what I need. You can sit for as many courses as you like, but if you don't live in the tool or practice the skills you learn in the courses, then most people will forget what they learned.

    -kiyori
  • divik7divik7 Member Posts: 1 ■□□□□□□□□□
    Hi,
    I have just attended the splunk core user certified exam through online proctoring but when i ended my exam i was not able to find if i had passed or failed. When do we know if we passed or failed? When i go to my account it says exam completed and delivered succeessfully.no other information is found. Please advise.
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    edited May 2020
    My advice is to contact Splunk Education and ask them the current status of your exam.
Sign In or Register to comment.