Description
While Splunk Clusters are supported in Windows environments, the class lab environment is running Linux instances only.
Please note that this class may run over three days, with 4.5 hour sessions each day.
Who should attend
This 13.5-hour module is for an experienced Splunk Enterprise administrator who is new to Splunk Clusters.
Prerequisites
To be successful, students should have a solid understanding of the following modules:
- Splunk Fundamentals 1 (Retired)
- Splunk Fundamentals 2 (Retired)
Or the following single-subject modules:
What is Splunk? (WIS)
Intro to Splunk (ITS)
Using Fields (SUF)
Scheduling Reports & Alerts (SRA)
Visualizations (SVZ)
Leveraging Lookups and Subsearches (LLS)
Search Under the Hood (SUH)
Intro to Knowledge Objects (IKO)
Creating Knowledge Objects (CKO)
Enriching Data with Lookups (EDL)
Data Models (SDM)
Introduction to Dashboards (ITD)
Student should also have completed the following modules:
Splunk Enterprise System Administration (SESA)
Splunk Enterprise Data Administration (SEDA)
Troubleshooting Splunk Enterprise (TSE)
Course Objectives
- Large-scale Splunk Deployment Overview
- Identify factors affecting large-scale Splunk deployments
- Set up Splunk indexer clusters
- Deploy and configure a Splunk search head cluster
- Add new nodes into an existing cluster
- Decommission nodes from an existing cluster
- Deploy apps and configuration bundles in Splunk clusters
- Manage KV store collections and lookups in Splunk clusters
- Monitor and identify clustering issues with Monitoring Console
- Scale Splunk indexer cluster with SmartStore
Course Topics:
- Large-scale Splunk Deployment Overview
- Single-site Indexer Cluster
- Multisite Indexer Cluster
- Indexer Cluster Management and Administration
- Forwarder Configuration
- Search Head Cluster
- Search Head Cluster Management and Administration
- KV Store Collection and Lookup Management
- SmartStore Implementation Overview
Outline: Splunk Cluster Administration (SCLA)
Topic 1 – Large-scale Splunk Deployment Overview
- Factors that affecting deployment design
- How Splunk Enterprise can scale
- Splunk License Master
Topic 2 – Single-site Indexer Cluster
- How Splunk Single-Site Indexer Clusters Work
- Indexer Cluster Components and Terms
- Splunk Single-Site Indexer Cluster Configuration
- Splunk Indexer Cluster Log Channels
Topic 3 – Multisite Indexer Cluster
- How Splunk Multisite Indexer Clusters Work
- Multisite Indexer Cluster Terms
- Multisite Indexer Cluster Configuration
- Optional Multisite Indexer Cluster Configurations
Topic 4 – Indexer Cluster Management Administration
- Peer Offline and Decommission
- Master App Bundles
- Indexer Cluster Storage Utilization Options
- Site Mapping
- Monitoring Console for Indexer Cluster Environment
Topic 5 – Forwarder Management
- Indexer Discovery
- Optional Indexer Discovery Configurations
- Volume-Based Forwarder Load Balancing
Topic 6 – Search Head Cluster
- Splunk Search Head Cluster Overview
- Search Head Cluster Configuration
Topic 7 – Search Head Cluster Management and Administration
- Search Head Cluster Deployer
- Captaincy Transfer
- Search Head Member Addition and Decommissioning
- Monitoring Console for Search Head Cluster
Topic 8 – KV Store Collection and Lookup Management
- KV Store Collection in Splunk Clusters
- KV Store Monitoring with Monitoring Console
Topic 9 – SmartStore Implementation
- SmartStore architecture overview
- Deploy and manage SmartStore
