Course Topics

  • Transforming commands and visualization
  • Filtering and formatting results
  • Correlating events
  • Knowledge objects
  • Fields (Field aliases, field extractions, calculated fields)
  • Tags and event types
  • Macros
  • Workflow actions
  • Data models
  • Splunk Common Information Model (CIM)

Course Prerequisites

Splunk 6.6 Fundamentals Part 1

Class Format

Instructor-led lecture with labs, delivered via virtual classroom or at your site.

Course Objectives

This training covers searching and reporting with Splunk (part 2), creating Splunk knowledge objects, and an infrastructure overview.

Module 1 – Introduction

  • Overview of Buttercup Games Inc.
  • Lab environment

Module 2 – Beyond Search Fundamentals

  • Search fundamentals review
  • Case sensitivity
  • Using the job inspector to view search performance

Module 3 – Using Transforming Commands for Visualizations

  • Explore data structure requirements
  • Explore visualization types
  • Create and format charts and timecharts

Module 4 – Using Mapping and Single Value Commands

  • The iplocation command
  • The geostats command
  • The geom command
  • The addtotals command

Module 5 – Filtering and Formatting Results

  • The eval command
  • Using the search and where commands to filter results
  • The fillnull command

Module 6 – Correlating Events

  • Identify transactions
  • Group events using fields
  • Group events using fields and time
  • Search with transactions
  • Report on transactions
  • Determine when to use transactions vs. stats

Module 7 – Introduction to Knowledge Objects

  • Identify naming conventions
  • Review permissions
  • Manage knowledge objects

Module 8 – Creating and Managing Fields

  • Perform regex field extractions using the Field Extractor (FX)
  • Perform delimiter field extractions using the FX

Module 9 – Creating Field Aliases and Calculated Fields

  • Describe, create, and use field aliases
  • Describe, create and use calculated fields

Module 10 – Creating Tags and Event Types

  • Create and use tags
  • Describe event types and their uses
  • Create an event type

Module 11 – Creating and Using Macros

  • Describe macros
  • Create and use a basic macro
  • Define arguments and variables for a macro
  • Add and use arguments with a macro

Module 12 – Creating and Using Workflow Actions

  • Describe the function of GET, POST, and Search workflow actions
  • Create a GET workflow action
  • Create a POST workflow action
  • Create a Search workflow action

Module 13 – Creating Data Models

  • Describe the relationship between data models and pivot
  • Identify data model attributes
  • Create a data model
  • Use a data model in pivot

Module 14 – Using the Common Information Model (CIM) Add-On

  • Describe the Splunk CIM
  • List the knowledge objects included with the Splunk CIM Add-On
  • Use the CIM Add-On to normalize data

Date and Registration

The next training will be held from March 7th to 9th 2018 (a future session will be scheduled in October).

The registration fees are €1.900. To complete your registration, please send an email to stating your full name, company and professional email address.

The conditions below (for Training proposals) prevail over the General Terms and Conditions on the following topics:

Invoicing and payment

With your course confirmation (at least 5 working days in advance) you will receive the invoice which is payable upon receipt, before the start of the course.

Cancellation or postponement

You may cancel or postpone your registration free of charge with a written notice given more than 10 working days before the course starts.

If your cancellation or postponement notice arrives 9 or fewer working days before the course starts, EBRC reserves its right to invoice 50% of the course price. If your cancellation or postponement notice arrives 5 or fewer working days before the course starts or the participant does not come for the course, EBRC reserves its right to invoice 100% of the course price. Cancellation/postponement must be received in writing and be acknowledged by EBRC. Replacement of a participant with another is free of charge.

Course postponed or cancelled

EBRC reserves its right to postpone or cancel a course when necessary, for instance when not enough participants are registered or due to force majeure events. We will endeavor to notify participants at least 5 working days in advance (except in cases of force majeure). In case of postponement, all participants will automatically be registered for the next session of the same course.