  • $199.99

Workshop - Splunk Architect

  • Course
  • 89 Lessons

The Splunk Architect Workshop is designed to take you beyond basic usage and into real-world system design. You won’t just learn how Splunk works. You’ll build a full distributed Splunk environment from the ground up and understand exactly why each component exists. This is hands-on, end-to-end architecture training.

Contents

Section 0 - Welcome & Orientation

About O-Line Security
Your Instructor

Section 1 - Foundations

Expectations & Objectives
Inside the Role: Splunk Architect
The Architecture You’ll Build
Manual First: Understanding Before Scaling

Section 2 - Environment Planning & Setup

Why AWS EC2 Infrastructure?
Understanding AWS Costs for Splunk Labs: Instances, Storage, and Optimization
Creating an EC2 Instance for Splunk Deployment
Installing Splunk Enterprise
Configuring Splunk Enterprise
EC2 Instance Lifecycle and IP Changes: What to Know Before You Stop or Start
Creating EC2 Instances for Splunk Architecture Labs
Configuring Security Groups for Splunk Architecture Labs
Downloading and Installing Splunk Enterprise for Splunk Architect Labs
Configuring Disk Usage Thresholds in Splunk
Final Environment Validation and Readiness Check

Section 3 - Core Architecture

What Makes a Splunk Deployment Architected
Distributed vs Clustered Splunk Architectures
Core Components of Splunk Architecture
Understanding Splunk Data, Management, and Search Paths
Essential Ports in Splunk Architecture
Designing the Target Architecture End State
What Indexer Clustering Actually Is
Replication Factor vs Search Factor Explained
Cluster Manager Responsibilities and Control Plane
Understanding Indexer Peer Nodes
How Indexer Clustering Works Behind the Scenes
Validating Indexer Clustering
Common Indexer Clustering Mistakes
Indexer Clustering Recap

Section 4 - Splunk Architecture Design

End-to-End Splunk Architecture Overview
Role of the Cluster Manager
Role of Indexers in Splunk Architecture
Role of the Search Head
Role of the Deployer
Role of the Deployment Server
Role of Universal Forwarders
How Splunk Components Communicate
Essential Ports in Splunk Architecture
Understanding pass4SymmKey and Shared Secrets

Section 5 - Building the Indexing Layer

Configuring the Cluster Manager (Part 1)
Configuring the Cluster Manager (Part 2)
Configuring the Cluster Manager (Part 3)
Configuring Indexer Node 1
Configuring Indexer Node 2
Creating Useful Splunk CLI Aliases
Validating Indexer Peer Connectivity
Disabling Splunk Web on Indexers
Validating Splunk Web Configuration
Enabling Indexer Data Receiving

Section 6 - Building the Search Layer

Search Head Cluster Initialization Overview
Initializing Search Head Cluster Members
Bootstrapping the Search Head Cluster Captain
Troubleshooting Search Head Cluster Bootstrap
Validating Search Head Cluster Health
Configuring the Deployer
Pushing Apps to the Search Head Cluster
Validating Deployer App Distribution
Validate Deployment App via UI
Connecting Search Heads to the Indexer Cluster
Validating Search Head to Indexer Configuration
Validating Search Head Cluster in the UI
O-Line Demo Dashboard XML File
Commands to Test Deployer Push

Section 7 - Forwarding, Deployment, and App Distribution

Understanding Control Path vs Data Path
Validating Indexer Receiving on Port 9997
Installing the Universal Forwarder
Configuring the Deployment Client
Configuring outputs.conf for Data Forwarding
Configuring inputs.conf for Data Collection
Creating Indexes on the Indexer Cluster
Making Indexes Available to the Search Layer
Creating and Managing Server Classes
Validating Deployment App Distribution
Troubleshooting Deployment Issues
Generating Sample Data for Ingestion
Validate Ingestion via UI
Validating Deployment Server in the UI
End-to-End Data Pipeline Validation
Apache Logs
Commands to Initialize SHC and Bootstrap Captain

Section 8 - Capstone Project

Capstone Project

Section 9 - Career Development Pack

Career Development
Resume Builder
Interview Q&A
LinkedIn Post Template

Section 10 - Next Steps

Closing Notes
One Final Thought