Preparing for Splunk Certifications

When it comes to preparing for Splunk Certification exams, there are two questions I see in the Splunk community this post will address:

  1. “I’m going to take a Splunk certification test. How should I study?”
  2. “What is the ‘secret’ to passing the cert exams?”

In the post, we’ll advise studying techniques and provide the “secret” for passing Splunk Certifications… and, along the way, you’ll get better at using Splunk.

Types of Splunk Certifications

Splunk offers 11 different certifications. Each one has its own set of skills that are tested for mastery in order to complete the certification. Below is a chart of each certification along with a link to it and the set of skills required to earn it.

Certification Certified Skills
Splunk Core Certified User Searching

Using lookups and fields

Creating alerts

Creating reports 

Creating dashboards

Splunk Core Certified Power User Understanding SPL commands

Creating knowledge objects

Creating workflow actions

Creating data models

Using field aliases

Using calculated fields

Using macros

Normalizing data

Splunk Core Certified Advanced Power User Creating complex searches 

Creating advanced reports

Implementing advanced knowledge object use cases

Understanding best practices for dashboard building

Splunk Cloud Certified Admin Monitoring Splunk Cloud 

Configuriing data inputs 

Configuring forwarders

Managing user accounts

Splunk Enterprise Certified Admin Understanding license management

Understanding indexers 

Understanding search heads Configuring and monitoring data ingests

Splunk Enterprise Certified Architect Understanding deployments

Managing a distributed deployment with indexer and search head clustering

Splunk Core Certified Consultant Understanding Splunk installations

Understanding Splunk architectures

Splunk Certified Developer Using the Splunk Web Framework to build apps

Using drilldowns 

Using advanced behaviors and visualizations

Creating and packaging apps and REST endpoints

Splunk Enterprise Security Certified Admin Managing Splunk Enterprise Security environment

Understanding event processing deployment requirements

Understanding technology add-ons 

Using risk analysis setting

Learning threat and protocol intelligence and customizations

Splunk IT Service Intelligence Certified Admin Installing Splunk IT Service Intelligence (ITSI)

Learning architecture, deployment planning, design and implementation and developing glass tables and deep dives

Splunk SOAR Certified Automation Developer Installing SOAR servers

Planning, designing, creating and debugging basic playbooks

Understanding complex SOAR solution development and integration 

Understanding custom coding and REST API

Step 1: Determine Splunk Certification Course Prerequisites

First, review the requirements for the certification. Namely, do you have to take any Splunk Education courses? I recommend the education courses for all certifications, but I understand if experienced Splunkers want to focus their education budgets on new topics or advanced classes.

Head to Splunk’s Training and Certification Page and select Certification Tracks on the left menu. The details for each certification list if the classes are required or strongly recommended (coursework will increase understanding of the concepts and make a pass more likely).

For example, select Splunk Enterprise Certified Admin to open the details and then select the top link. In the description, it states: “The prerequisite courses listed below are highly recommended, but not required for candidates to register for the certification exam.” Ergo, you do not have to take the classes (though you probably should).  

The Splunk Enterprise Certified Architect lists that the prerequisite courses through the Data and System Admin courses are not required. This means the only courses required for Certified Architect are: Troubleshooting Splunk Enterprise, Splunk Enterprise Cluster Administration, Architecting Splunk Enterprise Deployments, and the Splunk Enterprise Practical Lab.

Step 2: Determine Required Splunk Certifications

The same website, Splunk’s Training and Certification Page will also list any certification requirements for taking the certification you wish. For example, to obtain Splunk Enterprise Certified Architect, you must be a current Splunk Enterprise Certified Admin and a current Splunk Core Certified Power User.

To find which certifications are prerequisites for the cert you wish to take, on Splunk’s Training and Certification Page, click on Certification Track and then navigate to the particular certification you want to review.

New call-to-action

Step 3: Review What Topics the Exams Cover

One of the most common questions I see and hear is, “What is on the Test?” Fortunately, Splunk publishes an exam blueprint for each of its certification tests. Splunk’s Training site lists these blueprints in the Splunk Certification Exams Study Guide, along with sample questions for most of the tests.

Let’s investigate the Splunk Core Certified Power User:

Splunk’s Test Blueprint states that this is a 57-minute, 65-question assessment evaluating field aliases, calculated fields, creating tags, event types, macros, creating workflow actions, data models, and CIM. Whew, so it spells out the main topics and explains them in more detail before giving out the critical information: exactly what topics are on the exam and the percentage of those topics on the typical exam.

We learn from the document that 5% of the exam deals with the topic “Using Transforming Commands for Visualizations” and further shows two elements: 

The topic “Filtering and Formatting Results” makes up 10% and has these elements:

  • Using the eval command.
  • Using search and where commands to filter results.
  • Using the fillnull command.

The exam continues by listing out the ten topics of the exam and their elements. If a candidate is going to pass this exam, they should be knowledgeable on the topics listed. Bonus: if the candidate is good with these topics, they likely can perform the job as a Splunk Power User/Knowledge Manager.

Step 4: Review Material, Focusing on Unfamiliar Topics

In Step 3, we found what topics are on the different exams. Now comes the big question: how do I prepare for the exams?

  1. Gather your study material: 

If you took the Splunk Education Classes, get the class docs. Those are great at taking cumbersome topics and presenting them in an accessible method.

Splunk Docs has exhaustive details on the variety of exam topics.

  1. Practice on Splunk Instance(s):

We can read until we’re bleary-eyed, and that may be enough for you, but I find people learn better using a combination of reading and practice. If you have a laptop/desktop (windows, Linux, or Mac), then you can download Splunk—for free—install it on your system, and use that for practice. The free install works great for User, Power User, Admin, and Advanced Power User. For ITSI or ES, the best approach is to use a dev instance (if you are lucky enough to have access to one) or the Free Trials from Splunk Cloud. Other exams work best in a private cloud or container system (after all, it’s hard to learn how to use a cluster if you don’t have a cluster). 

Back to our example for Splunk Core Power User: 

Grab the Fundamentals 1 and Fundamentals 2 course material, have a Splunk instance installed and open a web browser. Then, go through the exam blueprint one topic at a time. In this example, we’ll look at “Describe, create, and use field aliases.” The Fundamentals 2 course material explains what a field alias is and provides examples of its use. You can also supplement that material with the Splunk Knowledge Manager Manual section on Field Aliases. Run through creating field aliases in your Splunk instance until you have the topic down.

Then you can move on to the next section, find the relevant course material/documentation, and practice.

Should you use Splunk certification exam dumps?

I need to address a question that gets asked far too often…

Q: “Where can I find Splunk exam dumps?”

A: “Don’t do that.” (though sometimes the language is much more colorful)

Q: “Why not?”

Answer 1: Splunk Certification strictly prohibits using exam dumps, and their use is grounds for being banned from taking Splunk certifications. That would suck if Splunk is the main focus of your career.

Answer 2: The goal of having Splunk certifications is to prove your ability to use the product, not your ability to memorize test questions. If you tell an employer that you have the Power User Cert, it comes with a promise that you have the skills to do the role of a power user.

The Splunk Certification Secret

Finally, the “secret” method for passing Splunk certs: Find the topics and study them. Sometimes the best secrets are the obvious ones.

Good luck earning your Splunk certification.

New call-to-action

How to Use Splunk Field Extractions and Rex and Erex Commands

Getting data into Splunk is hard enough. After uploading a CSV, monitoring a log file, or forwarding data for indexing, more often than not, the data does not look the way you’d expect it to. The large blocks of unseparated data that are produced when it’s ingested are hard to read and unable to be searched. If the data is not already separated into events, doing so may seem like an uphill battle. 

You may be wondering how to parse and perform advanced search commands using fields. This is where field extraction comes in handy.

What is a field extraction?

A field extraction enables you to extract additional fields out of your data sources. This enables you to gain more insights from your data so you and other stakeholders can use it to make informed decisions about the business.

Field Extraction via the GUI

Field extractions in Splunk are the function and result of extracting fields from your event data for both default and custom fields. Field extractions allow you to organize your data in a way that lets you see the results you’re looking for.

How to Perform a Field Extraction [Example]

Figure 1 - GUI in Splunk
Figure 1 – Extracting searchable fields via Splunk Web


Pictured above is one of Splunk’s solutions to extracting searchable fields out of your data via Splunk Web. 

Step 1: Within the Search and Reporting App, users will see this button available upon search. After clicking, a sample of the file is presented for you to define from events the data. The image below demonstrates this feature of Splunk’s Field Extractor in the GUI, after selecting an event from the sample data.


Figure 2 - Splunk’s Field Extractor in the GUI
Figure 2 – Sample file in Splunk’s Field Extractor in the GUI

Step 2: From here, you have two options: use a regular expression to separate patterns in your event data into fields, and the ability to separate fields by delimiter. Delimiters are characters used to separate values such as commas, pipes, tabs, and colons.

Figure 3 - Regex delim in Splunk’s Field Extractor in the GUI
Figure 3 – Regular expressions vs delimiter in Splunk


Figure 4 - Delimiter in Splunk’s Field Extractor
Figure 4 – Delimiter in Splunk’s Field Extractor

Step 3: If you have selected a delimiter to separate your fields, Splunk will automatically create a tabular view in order to allow you to see what all events properly parsed would look like compared to its _raw data pictured above.

Step 4: You can choose to rename all fields parsed by the selected delimiter. After saving, you will be able to search upon these fields, perform mathematical operations, and advanced SPL commands.

New call-to-action

What’s Next? Rex and Erex Commands 

What are Rex and Erex Commands?

After extracting fields, you may find that some fields contain specific data you would like to manipulate, use for calculations, or display by themselves. You can use the Rex and Erex commands to do this.

What is the Rex command?

The Rex command can be used to create a new field out of any existing field which you have previously defined. This new field will appear in the field sidebar on the Search and Reporting app to be utilized like any other extracted field.

Rex Command Syntax

| rex [field=<field>] (<regex-expression>)

In order to define what your new field name will be called in Splunk, use the following syntax:

| rex [field=<field>] (?<field_name>”regex”)

What is the Erex Command?

The erex command allows users to generate regular expressions. Unlike Splunk’s rex and regex commands, erex does not require knowledge of Regex, and instead allows a user to define examples and counter-examples of the data that needs to be matched.

Erex Command Syntax

 | erex <field_name> examples="<example, <example>" counterexamples="<example,


Erex Command Syntax Example

 | erex Port_Used examples=”Port 8000, Port 3182”

Start Using Field Extractions, Rex, and Erex Commands

A ton of incredible work can be done with your data in Splunk including extracting and manipulating fields in your data. But, you don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate. 

Cue Expertise on Demand, a service that can help with those Splunk issues and improvements to scale. EOD is designed to answer your team’s daily questions and breakthrough stubborn roadblocks. Book a free consultation today, our team of experts is ready to help.

New call-to-action