How to Use Splunk Remote Work Insights (RWI) to Secure Your Organization in 2023

In Security Tips for Work From Home (WFH) Life, we explored guidelines on how to efficiently and safely set up your work-from-home environments. Looking past the individual worker, companies are now tasked with providing a productive and secure remote work environment for their colleagues. 

How can organizations achieve this if they’re not already there yet? Here, we’ll show you how to use Splunk to monitor the safety and performance of your remote workforce.

What is Splunk Remote Work Insights?

In light of COVID-19, Splunk has released the Remote Work Insights (RWI) Application. This free-to-download application contains reports and dashboards that provide insight into the critical applications your organization is using to keep the business running. Along with application management, the RWI solution gives immediate insight into business performance and network security. As we get through this pandemic and beyond, the Splunk Remote Work Insights solution will help your business monitor the success and safety of its remote workforce.

This Splunk application can be added to Splunk to increase your security posture and provide critical insight into how your applications are being used, who is using them, and from what locations. It’s also mobile-friendly so you never miss an alert.

How Splunk Remote Work Insights Works

When you open the RWI application, you’ll see the Executive dashboard view. This dashboard is an aggregate summary of all dashboards within the application. Its main purpose is to give the CTO/CIO or data center staff critical insight into remote business operations: RWI shows your company’s critical applications, how they are performing, and how they are being used.

Remote Work Insights Dashboards

Executive Dashboard

Use this dashboard to get a bird’s eye-view of how applications are performing across your organization. The metrics displayed on this dashboard include:

  • VPN Sessions
  • Zoom Meetings In Progress
  • Most Popular Applications on the Network
  • Geographic Locations of Logins

Figure 1 – Splunk Remote Work Insights Executive Dashboard

VPN Login Activities

Use this dashboard to monitor how securely your team is able to connect to the applications reachable through your VPN.

The VPN Login Activities dashboard shows where your colleagues are logging in from, the success/failure rate of those logins, and the top login failure reasons. It is a one-stop shop for auditing your VPN activity. The data shown here is from GlobalProtect, but any VPN logs can be integrated into these dashboards.

The GlobalProtect VPN Login Activities dashboard is key for insight into the VPN activity of your remote colleagues. In this example, the workforce is fully based in the U.S. Now check out the top panel: some workers are accessing the VPN client from China. If that is unexpected, you may have a breach on your hands.

Figure 2 – GlobalProtect VPN Login Activities

The metrics displayed on this dashboard include:

  • Geographic Locations of Logins
  • Failure Rate of Connections (over time)
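As an added example (not part of the original post and not the RWI app’s own searches), the following Python rolls up constructed VPN login events into the same views the panels above show: attempts per country checked against the countries where the workforce is based, failure rate per time bucket, and top failure reasons. The log format, field names and sample values are invented for this illustration; the country is assumed to have been resolved already, which in Splunk is the dashboard’s geolocation step rather than something the VPN log itself carries.

```python
"""Roll up VPN login events the way the RWI "VPN Login Activities" panels do.

Constructed example: the key=value log shape, field names and sample values
below are invented for this illustration. They are not the GlobalProtect log
format and not the RWI app's searches. The `country` field is assumed to be
pre-resolved (the geolocation step the dashboard performs in Splunk).
"""
import shlex
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events: "<iso-time> k=v k="v with spaces" ...".
SAMPLE_LOG_LINES = [
    '2023-03-01T08:00:12Z user=alice src_ip=198.51.100.23 country=US status=success reason=-',
    '2023-03-01T08:01:40Z user=bob src_ip=203.0.113.8 country=US status=failure reason="invalid credentials"',
    '2023-03-01T08:03:05Z user=bob src_ip=203.0.113.8 country=US status=success reason=-',
    '2023-03-01T08:14:59Z user=carol src_ip=192.0.2.77 country=CN status=success reason=-',
    '2023-03-01T08:16:20Z user=dave src_ip=198.51.100.91 country=US status=failure reason="client version too old"',
    '2023-03-01T08:17:02Z user=erin src_ip=198.51.100.44 country=US status=failure reason="invalid credentials"',
    '2023-03-01T08:29:48Z user=carol src_ip=192.0.2.77 country=CN status=failure reason="mfa timeout"',
    '2023-03-01T08:31:10Z user=alice src_ip=198.51.100.23 country=US status=success reason=-',
]


def parse_events(lines):
    """Parse the constructed lines into dicts; shlex handles quoted values."""
    events = []
    for line in lines:
        ts, _, rest = line.partition(" ")
        event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for token in shlex.split(rest):
            key, _, value = token.partition("=")
            event[key] = value
        events.append(event)
    return events


def logins_by_country(events):
    """'Geographic Locations of Logins' panel: login attempts per country."""
    return Counter(e["country"] for e in events)


def unexpected_country_logins(events, expected_countries):
    """Flag attempts from outside the countries the workforce is based in.

    Returns {country: sorted users} so each account can be followed up.
    """
    flagged = defaultdict(set)
    for e in events:
        if e["country"] not in expected_countries:
            flagged[e["country"]].add(e["user"])
    return {country: sorted(users) for country, users in flagged.items()}


def failure_rate_over_time(events, bucket_minutes=15):
    """'Failure Rate of Connections (over time)': bucket -> (attempts, failures, rate)."""
    buckets = defaultdict(lambda: [0, 0])
    for e in events:
        t = e["time"]
        bucket = t.replace(minute=(t.minute // bucket_minutes) * bucket_minutes,
                           second=0, microsecond=0)
        buckets[bucket][0] += 1
        if e["status"] == "failure":
            buckets[bucket][1] += 1
    return {b: (n, f, round(f / n, 2)) for b, (n, f) in sorted(buckets.items())}


def top_failure_reasons(events, n=3):
    """'Top login failure reasons' panel: the n most frequent failure reasons."""
    reasons = Counter(e["reason"] for e in events if e["status"] == "failure")
    return reasons.most_common(n)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    print("Logins by country:", dict(logins_by_country(evs)))
    print("Outside expected countries:", unexpected_country_logins(evs, {"US"}))
    for bucket, (n, f, rate) in failure_rate_over_time(evs).items():
        print(f"{bucket:%H:%M}  attempts={n} failures={f} rate={rate}")
    print("Top failure reasons:", top_failure_reasons(evs))
```

Two design points carry over to the real dashboard. First, the country check is keyed on a small allow-list of expected countries rather than a block-list, so a login from anywhere new stands out, as the China logins do in the example above. Second, the failure rate is computed per time bucket rather than as one overall figure, because a burst of failures in one interval (here the 08:15 bucket) is what distinguishes a credential-guessing run or a broken client rollout from the background rate of mistyped passwords.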

Authentication Ops

  • Authentication of Login Attempt Activity
  • Failures of Legitimate Login Attempt Activity
  • Infrastructure Stress and Failure

Zoom Ops

The Zoom Ops dashboards show an aggregate view of your organization’s Zoom metrics. Looking at this dashboard, you’ll gain visibility into historical metrics and real-time information on active Zoom meetings. You can even see what devices the meetings are being accessed from, the types of meetings being conducted, and metrics surrounding the length of the meetings.

Figure 3 – Zoom Ops Dashboard

  • Zoom Adoption and Utilization
  • Number of Active Meetings
  • Number of Participants in Meetings
  • Length of Meetings

Protect Your Team From External Threats

The external threats facing organizations are greater than ever. With the shift to a remote workforce, it is crucial for businesses to have these insights into their day-to-day operations to protect the safety of their organization and colleagues. 

Interested in learning more about the Splunk Remote Work Insights solution or looking to implement the application? You don’t have to master it by yourself in order to get the most value out of it. Small, day-to-day optimizations of your Splunk environment can make all the difference in how you understand and use the data to manage all the work on your plate.

Cue Atlas Assessment: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. Once you download the app, you’ll get your report in just 30 minutes.

Paired with all applications your organization uses today, the Splunk Remote Work Insights Application can dramatically increase your organization’s visibility into application performance. Interested in learning more about the Splunk Remote Work Insights solution or looking to implement the application? Contact our Kinney Group team of experts below.

Preparing for Splunk Certifications

When it comes to preparing for Splunk Certification exams, there are two questions I see in the Splunk community that this post will address:

  1. “I’m going to take a Splunk certification test. How should I study?”
  2. “What is the ‘secret’ to passing the cert exams?”

In this post, we’ll recommend study techniques and provide the “secret” for passing Splunk Certifications… and, along the way, you’ll get better at using Splunk.

Types of Splunk Certifications

Splunk offers 11 different certifications. Each one has its own set of skills that are tested for mastery in order to complete the certification. Below is a chart of each certification along with a link to it and the set of skills required to earn it.

Splunk Core Certified User
  • Searching
  • Using lookups and fields
  • Creating alerts
  • Creating reports
  • Creating dashboards

Splunk Core Certified Power User
  • Understanding SPL commands
  • Creating knowledge objects
  • Creating workflow actions
  • Creating data models
  • Using field aliases
  • Using calculated fields
  • Using macros
  • Normalizing data

Splunk Core Certified Advanced Power User
  • Creating complex searches
  • Creating advanced reports
  • Implementing advanced knowledge object use cases
  • Understanding best practices for dashboard building

Splunk Cloud Certified Admin
  • Monitoring Splunk Cloud
  • Configuring data inputs
  • Configuring forwarders
  • Managing user accounts

Splunk Enterprise Certified Admin
  • Understanding license management
  • Understanding indexers
  • Understanding search heads
  • Configuring and monitoring data ingests

Splunk Enterprise Certified Architect
  • Understanding deployments
  • Managing a distributed deployment with indexer and search head clustering

Splunk Core Certified Consultant
  • Understanding Splunk installations
  • Understanding Splunk architectures

Splunk Certified Developer
  • Using the Splunk Web Framework to build apps
  • Using drilldowns
  • Using advanced behaviors and visualizations
  • Creating and packaging apps and REST endpoints

Splunk Enterprise Security Certified Admin
  • Managing a Splunk Enterprise Security environment
  • Understanding event processing deployment requirements
  • Understanding technology add-ons
  • Using risk analysis settings
  • Learning threat and protocol intelligence and customizations

Splunk IT Service Intelligence Certified Admin
  • Installing Splunk IT Service Intelligence (ITSI)
  • Learning architecture, deployment planning, design and implementation, and developing glass tables and deep dives

Splunk SOAR Certified Automation Developer
  • Installing SOAR servers
  • Planning, designing, creating, and debugging basic playbooks
  • Understanding complex SOAR solution development and integration
  • Understanding custom coding and the REST API

Step 1: Determine Splunk Certification Course Prerequisites

First, review the requirements for the certification. Namely, do you have to take any Splunk Education courses? I recommend the education courses for all certifications, but I understand if experienced Splunkers want to focus their education budgets on new topics or advanced classes.

Head to Splunk’s Training and Certification Page and select Certification Tracks in the left menu. The details for each certification state whether the classes are required or strongly recommended (coursework will deepen your understanding of the concepts and make a pass more likely).

For example, select Splunk Enterprise Certified Admin to open the details and then select the top link. In the description, it states: “The prerequisite courses listed below are highly recommended, but not required for candidates to register for the certification exam.” Ergo, you do not have to take the classes (though you probably should).  

The Splunk Enterprise Certified Architect entry lists the prerequisite courses up through the Data and System Admin courses as not required. This means the only courses required for Certified Architect are: Troubleshooting Splunk Enterprise, Splunk Enterprise Cluster Administration, Architecting Splunk Enterprise Deployments, and the Splunk Enterprise Practical Lab.

Step 2: Determine Required Splunk Certifications

The same website, Splunk’s Training and Certification Page, also lists any certifications required before you can take the certification you want. For example, to obtain Splunk Enterprise Certified Architect, you must be a current Splunk Enterprise Certified Admin and a current Splunk Core Certified Power User.

To find which certifications are prerequisites for the cert you wish to take, on Splunk’s Training and Certification Page, click on Certification Track and then navigate to the particular certification you want to review.

Step 3: Review What Topics the Exams Cover

One of the most common questions I see and hear is, “What is on the Test?” Fortunately, Splunk publishes an exam blueprint for each of its certification tests. Splunk’s Training site lists these blueprints in the Splunk Certification Exams Study Guide, along with sample questions for most of the tests.

Let’s investigate the Splunk Core Certified Power User:

Splunk’s Test Blueprint states that this is a 57-minute, 65-question assessment evaluating field aliases, calculated fields, creating tags, event types, macros, creating workflow actions, data models, and CIM. Whew, so it spells out the main topics and explains them in more detail before giving out the critical information: exactly what topics are on the exam and the percentage of those topics on the typical exam.

We learn from the document that 5% of the exam deals with the topic “Using Transforming Commands for Visualizations” and further shows two elements: 

The topic “Filtering and Formatting Results” makes up 10% and has these elements:

  • Using the eval command.
  • Using search and where commands to filter results.
  • Using the fillnull command.

The exam continues by listing out the ten topics of the exam and their elements. If a candidate is going to pass this exam, they should be knowledgeable on the topics listed. Bonus: if the candidate is good with these topics, they likely can perform the job as a Splunk Power User/Knowledge Manager.

Step 4: Review Material, Focusing on Unfamiliar Topics

In Step 3, we found what topics are on the different exams. Now comes the big question: how do I prepare for the exams?

  1. Gather your study material: 

If you took the Splunk Education Classes, get the class docs. Those are great at taking cumbersome topics and presenting them in an accessible method.

Splunk Docs has exhaustive details on the variety of exam topics.

  2. Practice on Splunk Instance(s):

We can read until we’re bleary-eyed, and that may be enough for you, but I find people learn better using a combination of reading and practice. If you have a laptop/desktop (Windows, Linux, or Mac), then you can download Splunk—for free—install it on your system, and use that for practice. The free install works great for User, Power User, Admin, and Advanced Power User. For ITSI or ES, the best approach is to use a dev instance (if you are lucky enough to have access to one) or the Free Trials from Splunk Cloud. Other exams work best in a private cloud or container system (after all, it’s hard to learn how to use a cluster if you don’t have a cluster).

Back to our example for Splunk Core Power User: 

Grab the Fundamentals 1 and Fundamentals 2 course material, have a Splunk instance installed and open a web browser. Then, go through the exam blueprint one topic at a time. In this example, we’ll look at “Describe, create, and use field aliases.” The Fundamentals 2 course material explains what a field alias is and provides examples of its use. You can also supplement that material with the Splunk Knowledge Manager Manual section on Field Aliases. Run through creating field aliases in your Splunk instance until you have the topic down.

Then you can move on to the next section, find the relevant course material/documentation, and practice.

Should you use Splunk certification exam dumps?

I need to address a question that gets asked far too often…

Q: “Where can I find Splunk exam dumps?”

A: “Don’t do that.” (though sometimes the language is much more colorful)

Q: “Why not?”

Answer 1: Splunk Certification strictly prohibits using exam dumps, and their use is grounds for being banned from taking Splunk certifications. That would suck if Splunk is the main focus of your career.

Answer 2: The goal of having Splunk certifications is to prove your ability to use the product, not your ability to memorize test questions. If you tell an employer that you have the Power User Cert, it comes with a promise that you have the skills to do the role of a power user.

The Splunk Certification Secret

Finally, the “secret” method for passing Splunk certs: Find the topics and study them. Sometimes the best secrets are the obvious ones.

Good luck earning your Splunk certification.

Reducing Costs with Splunk

As of the writing of this post, we are arguably in turbulent times. Publicly traded companies have recently entered a bear market, cryptocurrencies are down 70% (or more) from recent highs, and inflation is measured at a 40-year high. Leaders of companies big and small are rightfully concerned that the US and global economies are entering a recession.

In preparation for a potential economic downturn, most organizations are looking internally to determine where costs can be reduced, what platforms are enablers for weathering an economic storm, and what should be cut.

Since 2013, our team has helped hundreds of commercial and public sector organizations with their implementation of Splunk, both on-prem and in the cloud. From many customers, we hear a recurring refrain of “Splunk is expensive.”

My first reaction to this comment is always “Splunk is expensive? Relative to what?”

Before Splunk, getting real-time analytics from disparate critical systems to address security, operations, and observability was really, really tough. Regardless of good times or bad, all organizations must be vigilant on security and optimal application performance — this is the new reality of a software-driven world. The ability to harness insights from the “digital exhaust” produced by logs and machine data is invaluable in today’s modern, software-driven world. Splunk remains the best platform of its kind for gaining real-time intelligence from machine data. Organizations that have chosen Splunk have chosen wisely.

I understand the “Splunk is expensive” observation. If organizations are not getting enough tangible returns on their Splunk investments, then Splunk is expensive, regardless of how good the Splunk technology is. For that matter, any enterprise software or SaaS offering that does not provide measurable mission, financial, or human returns on investment should justifiably be viewed as “expensive.”

Optimize Splunk, and Turn It Into a Cost Reducer

We at Kinney Group view “reducing costs with Splunk” through two lenses:

  1. How can we reduce the costs associated with deploying, operating, and sustaining investments in Splunk technologies?
  2. How can we harness the power of Splunk to be a cost-reduction engine?

In 2021, our organization released Atlas — the Creator Empowerment Platform for Splunk. Purpose-built from the ground up to help customers in their Splunk journeys, Atlas accomplishes the two views of cost reduction referenced above.

Addressing lens #1 referenced above, we suggest pursuing a “1-2 punch” using the Atlas platform.

First, diagnose the health of a Splunk environment via the Atlas Assessment application, available free on Splunkbase. Using Atlas Assessment, customers can get visibility into areas of cost reduction and optimization for Splunk technologies, whether on-prem or in the cloud. Remarkably, Atlas Assessment returns actionable insights in less than 30 minutes.

The second punch is using the Atlas platform to address the identified areas of improvement that have been illuminated by the Atlas Assessment. Not sure if Atlas can help? We offer a full, 30-day trial of the Atlas platform absolutely free. Our experience is that Atlas Assessment, combined with the Atlas platform, provides tangible optimization and cost-reduction results for any Splunk implementation. And you can get started without spending a single dollar.

More specifically, customers find that Atlas reduces Splunk operating costs in the following manners:

  • License optimization: Whether the license is based on data ingest or workload, Atlas specifically identifies how any Splunk Enterprise or Splunk Cloud license can be optimized for maximum ROI.
  • Operational optimization: Atlas streamlines the daily operation and sustainment of Splunk implementations. These capabilities provide direct labor savings, while at the same time freeing valued personnel to spend more time creating analytics value from Splunk.
  • UX and adoption optimization: Splunk admins and users are the “creators” that drive organizational value from Splunk. Atlas helps drive adoption by making the use of Splunk much easier. More people using Splunk means more value for your organization.

Splunk as a Powerful Cost Reduction Engine

All systems and applications produce log data. And Splunk is the best platform on the planet for turning log data into insights for security and observability. Since we began using Splunk in 2013, we consistently find that Splunk can help organizations reduce the sprawl of siloed, single-use tools and monitors.

As organizations look to reduce costs, we encourage them to take a hard look at their entire landscape of software tools. If Splunk can deliver the outcome, why does an organization need another tool to deliver the same results?

When we optimize a Splunk environment using Atlas, we magically create additional Splunk capacity with existing license investments. This newfound added capacity can then be leveraged to help any organization reduce their footprint (and costs) associated with the sprawl of single-use tooling.

Reducing Costs Now for Weathering a Potential Storm

With Atlas and Atlas Assessment, we can deliver tangible cost savings immediately, and do so through the two lenses referenced above. Now is the time to prepare for the potential of an economic storm brought on by a recession. Atlas can help get you prepared.

Is Splunk expensive? Yes — it sure can be if it isn’t optimized and delivering tangible returns for the organization.

Is Splunk expensive when fully optimized with Atlas? NO! When running correctly, Splunk is the most powerful platform of its kind in the industry. Splunk customers have chosen wisely. We argue that once customers get Splunk optimized, it can be one of the most powerful cost-reduction weapons any organization can have.

Ready to take your next step?

Download the FREE Atlas Assessment application from Splunkbase for actionable (and no-cost) discoveries in your environment, or get started with a free 30-day trial of the Atlas Platform. Have questions? We’d love to answer them! Click here to schedule an introductory discovery call.

Recruiting for Splunk Expertise – What Do I Need?

As a Talent Acquisition professional for the past 20 years, I’ve seen that the requirements of a role and the day-to-day responsibilities of that role are often mismatched. How often have you seen an Office Assistant role that requires a Bachelor’s degree or an entry-level Customer Service role that requires 3+ years of customer service responsibility? In many cases, the best talent may not apply to the opportunity because the ‘requirements’ are not met by the best candidate. In addition to roles like Sales or Customer Service that exist at almost every organization, the phenomenon is common among highly-skilled technical roles also – like Splunk expertise.

A quick Splunk job search on returns over 7,500 active postings. As I reviewed some of these listings, several require an Architect level candidate, including required certifications. However, the duties listed are more in line with a Splunk PowerUser or Splunk Administrator candidate, which requires a significantly different skillset than a Splunk Architect. In today’s tight labor market and with Splunk skills in high demand, over-hiring can be a costly mistake for your organization both in the cost of the role remaining open and the competitive salary that will need to be offered to secure highly-skilled talent.

Splunk Level Analogy

When determining the level of candidate and actual requirements of your next Splunk listing, think about it in terms of plumbing. Would you call a Certified Plumber if you wanted to change the fixtures in your bathroom or if the toilet was backed up? According to, in their August 2019 article, there are five times you should call a plumber: (1) rapid water supply line leak, (2) no water available, (3) rapid drainage line leak, (4) sewer line leak, and (5) a natural gas leak in your water heater. Personally, I’d probably add a couple more to this list because I’m not a fan of ‘dirty jobs,’ but most of the time, I’d agree. I can manage an overflowing toilet, replacing a washer, sealing a leaky pipe, or changing the shower head. Additionally, if I don’t have time or interest in these projects, I can hire a general handyman to take these tasks off my hands.

There are times when you need a high-end Splunk Architect or Consultant (think Certified Plumber) in your environment. However, there are many day-to-day tasks for which you simply need a PowerUser or Admin-level candidate (think DIY or handyman). Splunk is designed to be user-friendly and to allow teams to ingest and use their data in meaningful ways without the assistance of a Splunk Architect. Hiring the right level of candidate is a more cost-effective solution and may contribute to increased retention, as the candidate can grow within your organization as they grow their Splunk skillset.

What Splunker do I need?

PowerUsers are able to build advanced searches and use the core features in Splunk to create dashboards and reports. They are skilled in SPL commands and in applying them for efficient Splunk searching. Splunk Admins understand that better searches and slimmed-down dashboards can greatly improve performance. They onboard new data sources, install and configure Apps/Add-ons, and configure and optimize the Splunk components, ensuring high availability and high performance. Additionally, they configure alerts to proactively address issues with Splunk servers, highlight key data points, and further expand the Splunk use case(s).

When you truly need an Architect or Consultant, you can hire the experts from Professional Services Partners like Kinney Group. These projects might include implementation of Splunk Premium Apps such as Enterprise Security, ITSI, and UBA; new Splunk installations; migrations; architectural scaling and optimization; and other more advanced project-based tasks.

Kinney Group’s Expertise on Staff team is available to help determine what level of candidate you need, as well as provide contract staff to fill the gaps in your hiring cycle. We’ve been recruiting and training Splunk talent for the past 5 years. We have built an impressive team of Splunk professionals who work with a bias-to-action providing a customer-centric approach on mission-critical analytics and automation projects. We offer Splunk Training, Managed Splunk Services, Expertise on Demand (Splunk support team), Expertise on Staff (Admin/User), and Professional Services (Architect/Consultant).

Expertise on Staff

Much more than staff augmentation, Kinney Group offers true Splunk expertise. Unless a staffing firm has both expertise and experience specific to Splunk, the best they can do is provide a candidate that has Splunk on their resume.

Since 2013, Kinney Group has delivered 500+ Splunk service engagements to commercial and public sector organizations, big and small. Kinney Group has developed applications on the Splunk platform and helped customers “turn data into doing™” with the Splunk platform. Kinney Group knows how to acquire Splunk talent, validate their expertise, and enhance their Splunk skills with specialized training and support. Traditional staffing doesn’t even come close.

Kinney Group’s Expertise on Staff (EOS) for Splunk service provides organizations with a compelling option for adding Splunk expertise to their teams. Whether an organization is expanding its Splunk team or looking to replace Splunk expertise that has departed, the EOS for Splunk service can provide immediate results.
