{"id":4405,"date":"2025-08-09T10:43:14","date_gmt":"2025-08-09T10:43:14","guid":{"rendered":"https:\/\/uplatz.com\/blog\/?p=4405"},"modified":"2025-08-09T10:43:14","modified_gmt":"2025-08-09T10:43:14","slug":"splunk-pocket-book","status":"publish","type":"post","link":"https:\/\/uplatz.com\/blog\/splunk-pocket-book\/","title":{"rendered":"Splunk Pocket Book"},"content":{"rendered":"<p><!-- Splunk Pocket Book \u2014 Uplatz (50 Cards: 30 deep-dive + 20 Q&A, Wide Layout, Readable Code, Scoped Styles) --><\/p>\n<div style=\"margin:16px 0;\">\n<style>\n    .wp-splunk-pb { font-family: Arial, sans-serif; max-width: 1320px; margin:0 auto; }\n    .wp-splunk-pb .heading{\n      background: linear-gradient(135deg, #fff7ed, #e0f2fe); \/* light orange -> light blue *\/\n      color:#0f172a; padding:22px 24px; border-radius:14px;\n      text-align:center; margin-bottom:18px; box-shadow:0 8px 20px rgba(0,0,0,.08);\n      border:1px solid #cbd5e1;\n    }\n    .wp-splunk-pb .heading h2{ margin:0; font-size:2.1rem; letter-spacing:.2px; }\n    .wp-splunk-pb .heading p{ margin:6px 0 0; font-size:1.02rem; opacity:.9; }<\/p>\n<p>    \/* Wide, dense grid *\/\n    .wp-splunk-pb .grid{\n      display:grid; gap:14px;\n      grid-template-columns: repeat(auto-fill, minmax(400px, 1fr));\n    }\n    @media (min-width:1200px){\n      .wp-splunk-pb .grid{ grid-template-columns: repeat(3, 1fr); }\n    }<\/p>\n<p>    .wp-splunk-pb .section-title{\n      grid-column:1\/-1; background:#f8fafc; border-left:8px solid #f97316; \/* Splunk-ish orange *\/\n      padding:12px 16px; border-radius:10px; font-weight:700; color:#0f172a; font-size:1.08rem;\n      box-shadow:0 2px 8px rgba(0,0,0,.05); border:1px solid #e2e8f0;\n    }\n    .wp-splunk-pb .card{\n      background:#ffffff; border-left:6px solid #0ea5e9;\n      padding:18px; border-radius:12px;\n      box-shadow:0 6px 14px rgba(0,0,0,.06);\n      transition:transform .12s ease, box-shadow .12s ease;\n      border:1px solid #e5e7eb;\n    }\n    
.wp-splunk-pb .card:hover{ transform: translateY(-3px); box-shadow:0 10px 22px rgba(0,0,0,.08); }\n    .wp-splunk-pb .card h3{ margin:0 0 10px; font-size:1.12rem; color:#0f172a; }\n    .wp-splunk-pb .card p{ margin:0; font-size:.96rem; color:#334155; line-height:1.62; }<\/p>\n<p>    \/* Color helpers *\/\n    .bg-blue { border-left-color:#0ea5e9 !important; background:#f0f9ff !important; }\n    .bg-green{ border-left-color:#10b981 !important; background:#f0fdf4 !important; }\n    .bg-amber{ border-left-color:#f59e0b !important; background:#fffbeb !important; }\n    .bg-violet{ border-left-color:#8b5cf6 !important; background:#f5f3ff !important; }\n    .bg-rose{ border-left-color:#ef4444 !important; background:#fff1f2 !important; }\n    .bg-cyan{ border-left-color:#06b6d4 !important; background:#ecfeff !important; }\n    .bg-lime{ border-left-color:#16a34a !important; background:#f0fdf4 !important; }\n    .bg-orange{ border-left-color:#f97316 !important; background:#fff7ed !important; }\n    .bg-indigo{ border-left-color:#6366f1 !important; background:#eef2ff !important; }\n    .bg-emerald{ border-left-color:#22c55e !important; background:#ecfdf5 !important; }\n    .bg-slate{ border-left-color:#334155 !important; background:#f8fafc !important; }<\/p>\n<p>    \/* Utilities *\/\n    .tight ul{ margin:0; padding-left:18px; }\n    .tight li{ margin:4px 0; }\n    .mono{ font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace; }\n    .kbd{ background:#e5e7eb; border:1px solid #cbd5e1; padding:1px 6px; border-radius:6px; font-family:ui-monospace,monospace; font-size:.88em; }\n    .muted{ color:#64748b; }\n    .wp-splunk-pb code{ background:#f1f5f9; padding:0 4px; border-radius:4px; border:1px solid #e2e8f0; }\n    .wp-splunk-pb pre{\n      background:#f5f5f5; color:#111827; border:1px solid #e5e7eb;\n      padding:12px; border-radius:8px; overflow:auto; font-size:.92rem; line-height:1.55;\n    }\n    .q{font-weight:700;}\n    .qa p{ margin:8px 0; }\n  
  .qa b{ color:#0f172a; }\n  <\/style>\n<div class=\"wp-splunk-pb\">\n<div class=\"heading\">\n<h2>Splunk Pocket Book \u2014 Uplatz<\/h2>\n<p>50 cards total \u2022 Wide 3-column layout \u2022 Readable examples \u2022 Interview Q&amp;A included<\/p>\n<\/p><\/div>\n<div class=\"grid\">\n      <!-- =============== SECTION 1: SPLUNK CORE (1\u201310) =============== --><\/p>\n<div class=\"section-title\">Section 1 \u2014 Splunk Core Concepts<\/div>\n<div class=\"card bg-blue\">\n<h3>1) What is Splunk?<\/h3>\n<p>Splunk is a platform for searching, monitoring, and analyzing machine data (logs, metrics, events) at scale. It ingests data from forwarders, APIs, HEC, or files, indexes it for fast retrieval, and lets you query via SPL (Search Processing Language). Core pieces are indexers (store &#038; search), search heads (UI &#038; query federation), and forwarders (data shippers). Use cases include security analytics (SIEM), IT operations (ITOM), observability (APM\/logs\/metrics), and business analytics. Splunk Enterprise is self-managed; Splunk Cloud is managed. Data goes through parsing, indexing, and search pipelines with knowledge objects enriching context.<\/p>\n<pre><code class=\"mono\"># Example search (last 15m)\r\nindex=main sourcetype=nginx_access status&gt;=500 | stats count by status, uri<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>2) Splunk Architecture Overview<\/h3>\n<p>In distributed Splunk, forwarders send data to indexers; search heads coordinate searches across indexers and merge results. Deployer pushes app configs to search head cluster members; Cluster Master (Cluster Manager) manages indexer clustering, replication, and fixups. Decomposition: UF\/HF (forwarders) \u2192 Indexers (bucket storage) \u2192 Search Heads (SPL\/UI) \u2192 Deployment components (Deployer\/DS\/LM). Buckets move through hot \u2192 warm \u2192 cold \u2192 frozen; retention is governed per index. 
Plan network paths, load balancing, and security at ingress.<\/p>\n<pre><code class=\"mono\"># View peers from a search head (UI preferred)\r\n| rest \/services\/cluster\/master\/peers | table peer_name status<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>3) Indexes, Buckets &#038; Retention<\/h3>\n<p>An index is a logical store with its own retention, volume, and access controls. Each index consists of buckets (hot\/warm\/cold\/frozen). Hot = actively written; warm = searchable on disk; cold = older searchable data; frozen = deleted or archived to S3\/HDFS per policy. Sizing indexes involves EPS (events per second), average event size, compression, and retention days. Plan for tsidx disk, raw data, and replication factors.<\/p>\n<pre><code class=\"mono\"># indexes.conf snippet\r\n[web]\r\nhomePath   = $SPLUNK_DB\/web\/db\r\ncoldPath   = $SPLUNK_DB\/web\/colddb\r\nthawedPath = $SPLUNK_DB\/web\/thaweddb\r\nmaxTotalDataSizeMB = 500000<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>4) Universal vs Heavy Forwarder<\/h3>\n<p>Universal Forwarder (UF) is a lightweight agent that forwards data; it cannot parse\/transform beyond basic line-breaking\/timestamps. Heavy Forwarder (HF) is a full Splunk instance used when you need parsing, filtering, routing, or modular inputs at the edge (can run apps\/add-ons, apply <code>props\/transforms.conf<\/code>). Prefer UF for most sources; use HF for heavy manipulation or when sourcetypes must be corrected before indexing.<\/p>\n<pre><code class=\"mono\"># outputs.conf (UF\/HF)\r\n[tcpout]\r\ndefaultGroup = idx_group\r\n[tcpout:idx_group]\r\nserver = idx01:9997, idx02:9997<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>5) Data Onboarding Flow<\/h3>\n<p>1) Identify source (files, syslog, HEC, DB). 2) Assign sourcetype, host, and index. 3) Validate line breaking, timestamps, and character encoding. 4) Normalize fields via <code>props.conf<\/code> &amp; <code>transforms.conf<\/code>. 
5) Apply CIM mappings and lookups. 6) Validate with sample searches, dashboards, and report acceleration. Proper sourcetyping is critical; it drives field extractions, tags, and knowledge reuse across apps (ES\/ITSI).<\/p>\n<pre><code class=\"mono\"># inputs.conf (UF)\r\n[monitor:\/\/\/var\/log\/nginx]\r\nsourcetype = nginx:access\r\nindex = web<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>6) Parsing Basics: props &#038; transforms<\/h3>\n<p><code>props.conf<\/code> defines line-breaking, timestamp extraction, and field extractions; <code>transforms.conf<\/code> performs routing, filtering, and field transforms using regex or external lookups. Placement matters: index-time rules must live on indexers\/HFs; search-time extractions can live on search heads.<\/p>\n<pre><code class=\"mono\"># props.conf\r\n[nginx:access]\r\nTIME_PREFIX = \\[\r\nTIME_FORMAT = %d\/%b\/%Y:%H:%M:%S %z\r\nMAX_TIMESTAMP_LOOKAHEAD = 32\r\nREPORT-extractions = nginx_fields\r\n\r\n# transforms.conf\r\n[nginx_fields]\r\nREGEX = ^(?P&lt;client&gt;\\S+) \\S+ \\S+ \\[(?P&lt;time&gt;[^\\]]+)\\] \"(?P&lt;method&gt;\\S+) (?P&lt;uri&gt;\\S+) \\S+\" (?P&lt;status&gt;\\d+)<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>7) Timestamp, Line Breaking &#038; Character Sets<\/h3>\n<p>Accurate timestamps ensure correct time-based searches and bucketing. Configure <code>TIME_PREFIX<\/code>, <code>TIME_FORMAT<\/code>, and <code>MAX_TIMESTAMP_LOOKAHEAD<\/code>. For multiline events (Java stack traces), use <code>SHOULD_LINEMERGE=false<\/code> with <code>LINE_BREAKER<\/code> OR event boundary logic. 
Specify <code>CHARSET<\/code> for encodings (e.g., UTF-16).<\/p>\n<pre><code class=\"mono\"># props.conf (multiline)\r\n[app:java]\r\nSHOULD_LINEMERGE = false\r\nLINE_BREAKER = ([\\r\\n]+)\\d{4}-\\d{2}-\\d{2}\\s<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>8) Knowledge Objects<\/h3>\n<p>Knowledge objects include field extractions, lookups, tags, event types, macros, data models, and saved searches. They add semantics at search time. Manage sharing (private, app, global) and permissions carefully. Use naming conventions and version control via apps for team collaboration and reliable deployments.<\/p>\n<pre><code class=\"mono\"># macro example (macros.conf)\r\n[http_5xx]\r\ndefinition = status&gt;=500 status&lt;600\r\niseval = 0<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>9) Role-Based Access Control<\/h3>\n<p>RBAC controls which indexes and knowledge objects users can access. Roles inherit capabilities and index list. Use least-privilege: separate search access (read on indexes) from admin capabilities. For multitenancy\/security, isolate PII into dedicated indexes and restrict via roles and index constraints.<\/p>\n<pre><code class=\"mono\"># authorize.conf (conceptual)\r\n[role_engineering]\r\nsrchIndexesAllowed = web;auth;infra\r\nsrchFilter = index=web OR index=infra<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>10) Q&#038;A \u2014 \u201cWhy does sourcetype matter so much?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> Sourcetype determines line-breaking, timestamp rules, default field extractions, CIM mappings, and app knowledge (ES\/ITSI) that expect specific fields. A wrong sourcetype breaks parsing and makes searches unreliable, dashboards empty, and correlation rules ineffective. 
Always standardize sourcetypes and test with sample data before bulk onboarding.<\/p>\n<\/p><\/div>\n<p>      <!-- =============== SECTION 2: SPL (SEARCH PROCESSING LANGUAGE) (11\u201320) =============== --><\/p>\n<div class=\"section-title\">Section 2 \u2014 SPL Fundamentals &#038; Patterns<\/div>\n<div class=\"card bg-blue\">\n<h3>11) SPL Basics: Search, Filter, Pipe<\/h3>\n<p>SPL is a pipeline language: search (retrieve events) \u2192 filter\/transform \u2192 aggregate\/visualize. Use base searches to scope data (index\/sourcetype\/time). Then pipe commands like <code>stats<\/code>, <code>eval<\/code>, <code>rex<\/code>, <code>lookup<\/code>, and <code>timechart<\/code>. Keep early filters selective to reduce data volume and speed up the pipeline.<\/p>\n<pre><code class=\"mono\">index=web sourcetype=nginx:access status&gt;=400\r\n| eval is_error = if(status&gt;=500, 1, 0)\r\n| stats count as hits, sum(is_error) as errors by uri\r\n| eval error_rate = round(errors\/hits*100,2)<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>12) Fields, eval &#038; where<\/h3>\n<p><code>fields<\/code> limits fields to speed later stages. <code>eval<\/code> creates\/transforms fields; <code>where<\/code> filters by expressions. Use <code>coalesce<\/code>, <code>if<\/code>, and <code>case<\/code> for flexible logic. Don\u2019t over-compute at event scope if a later aggregation can do it once.<\/p>\n<pre><code class=\"mono\">... | fields host, uri, status, bytes\r\n| eval mb = bytes\/1024\/1024\r\n| where status&gt;=500 AND mb &gt; 1<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>13) stats, eventstats, streamstats<\/h3>\n<p><code>stats<\/code> aggregates into new events (sum, count, avg). <code>eventstats<\/code> computes aggregates and appends them to each original event (useful for ratios). <code>streamstats<\/code> computes running stats over time windows. Choose the right one to avoid unnecessary event inflation.<\/p>\n<pre><code class=\"mono\">... 
| stats count as hits, avg(bytes) as avg_b by uri\r\n... | eventstats avg(bytes) as global_avg\r\n... | streamstats window=5 avg(bytes) as moving_avg<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>14) timechart &#038; bin<\/h3>\n<p><code>timechart<\/code> aggregates over _time buckets. Use <code>span=<\/code> to control bucketing and <code>bin<\/code> to pre-bucket for custom fields. Use <code>per_second<\/code> or <code>rate<\/code> techniques for normalized time series.<\/p>\n<pre><code class=\"mono\">index=web error=1\r\n| timechart span=5m count as errors<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>15) rex &#038; regex extraction<\/h3>\n<p><code>rex<\/code> extracts fields using regular expressions at search time. Use named capture groups, test regex in sample searches, and prefer search-time extractions for flexibility unless index-time is mandatory.<\/p>\n<pre><code class=\"mono\">... | rex field=_raw \"user=(?&lt;user&gt;\\w+)\\s+ip=(?&lt;ip&gt;[\\d\\.]+)\"<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>16) lookup, inputlookup &#038; outputlookup<\/h3>\n<p>Lookups enrich events with external data (CSVs, KV Store, external scripts). Use automatic lookups in <code>props.conf<\/code> for sourcetype-specific enrichment. <code>inputlookup<\/code> reads lookup tables directly; <code>outputlookup<\/code> writes to them (role-restricted).<\/p>\n<pre><code class=\"mono\">... | lookup geoip ip as client_ip OUTPUTNEW city country\r\n| stats count by country<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>17) join, append, appendcols<\/h3>\n<p>Joins are expensive; avoid them for large sets. Prefer <code>lookup<\/code>, <code>stats<\/code> with <code>by<\/code> keys, or summary indexes. <code>append<\/code> unions results; <code>appendcols<\/code> aligns rows by order (fragile). If you must join, pre-filter both sides and limit fields.<\/p>\n<pre><code class=\"mono\">index=a ... 
| fields id, x\r\n| join type=inner id [ search index=b ... | fields id, y ]<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>18) tstats &#038; Data Models<\/h3>\n<p><code>tstats<\/code> leverages accelerated data models for ultra-fast stats from tsidx files. You must build a data model and enable acceleration. Used heavily by ES &#038; ITSI for speed on big data. Great for rollups and known schemas.<\/p>\n<pre><code class=\"mono\"># count logins per user in 5-minute buckets from the accelerated Authentication model\r\n| tstats count from datamodel=Authentication where nodename=Authentication by _time span=5m Authentication.user<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>19) Summary Indexing &#038; Report Acceleration<\/h3>\n<p>Summary indexing stores scheduled search results into a summary index for faster reporting (e.g., hourly rollups). Report acceleration transparently accelerates certain reports. Choose summary indexes when you control schema and need reproducible aggregates with retention independent of raw data.<\/p>\n<pre><code class=\"mono\"># savedsearches.conf (concept)\r\naction.summary_index = 1\r\naction.summary_index._name = summaries<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>20) Q&#038;A \u2014 \u201cWhen to use join vs lookup vs tstats?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> Use <b>lookup<\/b> for static\/dimension data keyed by a field. Use <b>tstats<\/b> over accelerated data models for high-speed aggregates across big data. Use <b>join<\/b> only for small, filtered sets when neither lookup nor tstats fits; otherwise it\u2019s slow and memory-hungry.<\/p>\n<\/p><\/div>\n<p>      <!-- =============== SECTION 3: ADMIN, INGEST, PERFORMANCE (21\u201330) =============== --><\/p>\n<div class=\"section-title\">Section 3 \u2014 Admin, Ingest, Performance &#038; Reliability<\/div>\n<div class=\"card bg-blue\">\n<h3>21) Indexer Clustering<\/h3>\n<p>Indexer clusters provide HA and scalability with replication (RF) and search factors (SF). 
The Cluster Manager coordinates peer indexers, bucket fixups, and rolling updates. Design RF\u22652, SF\u22652 for HA; consider site awareness for multi-DC. Monitor fixup queues and cluster health views to avoid search degradation.<\/p>\n<pre><code class=\"mono\"># server.conf (concept)\r\n[clustering]\r\nmode = manager\r\nreplication_factor = 3\r\nsearch_factor = 2<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>22) Search Head Clustering<\/h3>\n<p>SHC gives HA for the UI and search artifacts. A Deployer pushes apps to members; captain orchestrates scheduled searches. Keep captaincy stable; avoid manual app edits on members. Use KV Store replication and artifact replication carefully; version your apps.<\/p>\n<pre><code class=\"mono\"># shcluster-config (splunk init, run on each member; deployer host and secret are placeholders)\r\nsplunk init shcluster-config -auth admin:pwd -mgmt_uri https:\/\/sh1:8089 -replication_port 8181 \\\r\n  -conf_deploy_fetch_url https:\/\/deployer:8089 -secret SHC_SECRET\r\nsplunk restart<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>23) Deployment Server &#038; Deployer<\/h3>\n<p>Deployment Server (DS) pushes configs to forwarders (serverclasses). Deployer pushes apps to SHC members. Keep clear separation: DS for UFs\/HFs; Deployer for SHC. Test app changes in dev, then promote.<\/p>\n<pre><code class=\"mono\"># serverclass.conf (whitelist belongs to the server class; the app stanza maps the app)\r\n[serverClass:linux_ufs]\r\nwhitelist.0 = *web*\r\n\r\n[serverClass:linux_ufs:app:web_inputs]\r\nrestartSplunkd = true<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>24) HTTP Event Collector (HEC)<\/h3>\n<p>HEC ingests JSON over HTTP\/HTTPS, ideal for cloud apps and microservices. Supports batched events, token-based auth, and acknowledgments. Map JSON keys to fields; set a sourcetype like <code>_json<\/code> or custom. 
Validate timestamps and host fields for accuracy.<\/p>\n<pre><code class=\"mono\"># -k skips TLS certificate verification; drop it once HEC presents a trusted certificate\r\ncurl -k https:\/\/splunk:8088\/services\/collector -H \"Authorization: Splunk TOKEN\" \\\r\n -d '{\"event\":{\"msg\":\"hello\"},\"sourcetype\":\"app:json\",\"host\":\"svc1\",\"time\":1699999999}'<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>25) Ingest Budgets &#038; License<\/h3>\n<p>Splunk licenses by daily ingest (GB\/day). Monitor license usage, peaks, and violations. Control ingest: filter noisy sources at UF\/HF, blacklist unneeded paths, and sample verbose logs. Consider metrics indexes or OpenTelemetry for high-cardinality time series.<\/p>\n<pre><code class=\"mono\"># props.conf (on the HF\/indexer: attach the drop rule to the sourcetype)\r\n[nginx:access]\r\nTRANSFORMS-drop = drop_healthchecks\r\n\r\n# transforms.conf (drop noisy; REGEX is a plain regex, no surrounding quotes)\r\n[drop_healthchecks]\r\nREGEX = GET \/health\\s\r\nDEST_KEY = queue\r\nFORMAT = nullQueue<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>26) Performance Tuning: Searches<\/h3>\n<p>Constrain by index\/time, reduce fields early, prefer <code>stats<\/code> over <code>transaction<\/code>, avoid large joins, and leverage <code>tstats<\/code>. Use search job inspector to find slow stages. Summarize periodic heavy jobs to summary indexes and read from summaries during the day.<\/p>\n<pre><code class=\"mono\">index=web earliest=-24h latest=now | fields _time, host, uri, status | stats count by status<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>27) Metrics vs Logs<\/h3>\n<p>Metrics indexes store numeric time series efficiently; use <code>mstats<\/code> and metric metadata (metric_name, dimensions). For high-cardinality labels, use careful dimension modeling. Logs remain best for unstructured text and troubleshooting context. 
Use both for observability.<\/p>\n<pre><code class=\"mono\">| mstats avg(cpu.utilization) where metric_name=cpu.utilization by host span=1m<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>28) Data Model Acceleration &#038; CIM<\/h3>\n<p>Splunk\u2019s Common Information Model (CIM) normalizes fields across sources. Data models (often CIM-aligned) can be accelerated to speed searches dramatically using <code>tstats<\/code>. Maintain acceleration summaries and rebuild on schema changes. ES depends on well-mapped CIM data.<\/p>\n<pre><code class=\"mono\"># browse the data model (generating command, run on its own)\r\n| datamodel Web Web_Activity search\r\n\r\n# fast aggregate over the accelerated summaries only\r\n| tstats summariesonly=true count from datamodel=Web.Web_Activity by Web_Activity.url<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>29) Dashboards: SimpleXML &#038; Dashboard Studio<\/h3>\n<p>SimpleXML is classic; Dashboard Studio provides modern visuals and layout control. Use base searches with post-processing to share results across panels and save compute. Apply tokens, drilldowns, and time pickers for flexible analysis. Keep searches efficient (accelerate if needed).<\/p>\n<pre><code class=\"mono\">&lt;!-- base search runs once --&gt;\r\n&lt;search id=\"base1\"&gt;&lt;query&gt;index=web | fields status, uri&lt;\/query&gt;&lt;\/search&gt;\r\n&lt;!-- each panel post-processes the base results; the query must start with a pipe --&gt;\r\n&lt;search base=\"base1\"&gt;&lt;query&gt;| stats count by status&lt;\/query&gt;&lt;\/search&gt;<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>30) Q&#038;A \u2014 \u201cHow do I make slow dashboards fast?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> Use base searches with post-processing, scope time tightly, reduce fields early, and prefer <code>tstats<\/code> or summary indexes for panels with heavy stats. Turn on report acceleration for eligible reports, and avoid per-panel expensive joins. 
Cache lookups as KV Store when appropriate.<\/p>\n<\/p><\/div>\n<p>      <!-- =============== SECTION 4: SECURITY (ES), ITSI, OBS, APPS (31\u201340) =============== --><\/p>\n<div class=\"section-title\">Section 4 \u2014 Security &#038; IT Ops Apps, Extensibility<\/div>\n<div class=\"card bg-blue\">\n<h3>31) Splunk Enterprise Security (ES)<\/h3>\n<p>ES is Splunk\u2019s SIEM app providing correlation searches, risk-based alerting (RBA), notable events, and dashboards over CIM-normalized data. Success depends on high-quality data onboarding, CIM mapping, and data model acceleration. Tune correlation rules to your environment; reduce alert fatigue with risk scoring and suppression.<\/p>\n<pre><code class=\"mono\"># RBA example (conceptual)\r\n| eval risk_score = if(severity=\"high\", 80, 30)<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-green\">\n<h3>32) IT Service Intelligence (ITSI)<\/h3>\n<p>ITSI provides service models, KPIs, episodes, and predictive analytics for IT operations. KPIs roll up to services with thresholds and notable event grouping (\u201cepisodes\u201d). Use service analyzers for impact visualization and glass tables for executive overviews. Good data hygiene (metrics\/logs) is key.<\/p>\n<pre><code class=\"mono\"># KPI search skeleton\r\nindex=infra sourcetype=telegraf:cpu | stats avg(usage_idle) as idle by host<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-amber\">\n<h3>33) Alerting &#038; Notables<\/h3>\n<p>Saved searches trigger alerts via email, webhooks, ServiceNow, or ES notable events. Use throttling to reduce noise, and include rich context in payloads (host, user, drilldown URL). For high-volume alerts, group into episodes (ITSI) or RBA strategies (ES).<\/p>\n<pre><code class=\"mono\"># savedsearches.conf (concept)\r\naction.email = 1\r\naction.webhook = 1<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-violet\">\n<h3>34) KV Store &#038; Lookups<\/h3>\n<p>KV Store (MongoDB-backed) powers dynamic lookups and stateful apps. 
Use for enrichment tables, watchlists, or cache. Size appropriately, back up, and secure access. Prefer KV Store for mutable data; CSV lookups for static small lists.<\/p>\n<pre><code class=\"mono\">| inputlookup assets_kv | stats count by owner<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-rose\">\n<h3>35) REST API &#038; SDKs<\/h3>\n<p>Automate Splunk via REST (management port 8089) to create searches, manage knowledge objects, or push configs. SDKs exist for Python\/JS\/Java. Secure with tokens and RBAC; avoid embedding admin creds in scripts.<\/p>\n<pre><code class=\"mono\">curl -k -u admin:pwd https:\/\/splunk:8089\/services\/search\/jobs -d search=\"search index=web | head 10\"<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-cyan\">\n<h3>36) Apps, Add-ons &#038; TA Strategy<\/h3>\n<p>Splunkbase provides vendor TAs (Technology Add-ons) for common sources, delivering sourcetypes, extractions, and CIM mappings. Install the correct TA version, read release notes, and localize configs under <code>local\/<\/code> to survive upgrades. Version control your apps and promote through environments.<\/p>\n<pre><code class=\"mono\"># App layout\r\ndefault\/\r\nlocal\/\r\nmetadata\/<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>37) Security Hardening<\/h3>\n<p>Enforce TLS on management &#038; indexing ports, rotate admin passwords, restrict management to trusted subnets\/VPN, and audit role capabilities. Lock down HEC tokens. Keep Splunk and TAs patched. Separate duties: admins vs power users vs viewers. Enable auditing to track changes.<\/p>\n<pre><code class=\"mono\"># server.conf (concept)\r\n[sslConfig]\r\nenableSplunkdSSL = true<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>38) Backups &#038; DR<\/h3>\n<p>Back up configuration (<code>$SPLUNK_HOME\/etc<\/code>), apps, and KV Store. For data, rely on indexer cluster replication and frozen copies (S3\/HDFS). Document restore procedures and test them. 
Keep Deployer\/DS backups to recreate deployments quickly.<\/p>\n<pre><code class=\"mono\"># KV Store backup (UI\/CLI options exist)\r\nsplunk backup kvstore<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>39) Cost Optimization<\/h3>\n<p>Control ingest at source; drop noise early with transforms. Use metrics indexes where appropriate. Compress summaries, right-size retention per index, and archive frozen buckets to cheap storage. Educate users to write efficient searches and enforce quotas.<\/p>\n<pre><code class=\"mono\"># props.conf (route less critical to low-retention index)\r\nTRANSFORMS-route_low = route_low_index<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>40) Q&#038;A \u2014 \u201cSplunk Cloud vs Enterprise?\u201d<\/h3>\n<p><span class=\"q\">Answer:<\/span> Splunk Cloud offloads infra ops, upgrades, and scaling, with SaaS-level SLAs and guardrails; Enterprise gives full control on-prem\/your cloud but you own ops. Choose Cloud for speed\/ops simplicity; Enterprise for strict data residency\/control or deep customization needs.<\/p>\n<\/p><\/div>\n<p>      <!-- =============== SECTION 5: INTERVIEW Q&A (41\u201350) =============== --><\/p>\n<div class=\"section-title\">Section 5 \u2014 Interview Q&#038;A (20 Questions)<\/div>\n<div class=\"card bg-blue qa\">\n<h3>41) Q1\u20134: Architecture &#038; Ingest<\/h3>\n<p><b>Q1: UF vs HF?<\/b> UF is lightweight shipper; no heavy parsing. HF can parse\/transform\/route at edge and run apps. Prefer UF; use HF where pre-index transforms are required.<\/p>\n<p><b>Q2: Index vs sourcetype?<\/b> Index = storage &#038; retention boundary; sourcetype = data format semantics. Both are required on every event; sourcetype drives parsing\/fields.<\/p>\n<p><b>Q3: Buckets lifecycle?<\/b> Hot\u2192Warm\u2192Cold\u2192Frozen. Hot = writing; warm\/cold searchable; frozen deleted\/archived. 
Retention &#038; size are per-index.<\/p>\n<p><b>Q4: HEC best practices?<\/b> TLS, scoped tokens, batching with ack, set correct host\/source\/sourcetype, validate timestamps, backoff on 503.<\/p>\n<\/p><\/div>\n<div class=\"card bg-green qa\">\n<h3>42) Q5\u20138: Parsing &#038; CIM<\/h3>\n<p><b>Q5: Index-time vs search-time extraction?<\/b> Index-time affects storage (rare; risky to change later). Search-time is flexible and safer. Do index-time only when essential.<\/p>\n<p><b>Q6: Multiline handling?<\/b> Disable SHOULD_LINEMERGE, define LINE_BREAKER; or use event boundaries. Test with sample files.<\/p>\n<p><b>Q7: Why CIM?<\/b> Normalizes fields so apps (ES\/ITSI) can work across vendors. Speeds correlation and dashboards.<\/p>\n<p><b>Q8: tstats vs stats?<\/b> tstats reads accelerated summaries\/tsidx\u2014much faster. stats scans raw events; flexible but slower on big data.<\/p>\n<\/p><\/div>\n<div class=\"card bg-amber qa\">\n<h3>43) Q9\u201312: SPL Performance<\/h3>\n<p><b>Q9: Speed up slow searches?<\/b> Constrain by index\/time, reduce fields, avoid join\/transaction when possible, use tstats\/summary indexes.<\/p>\n<p><b>Q10: When use transaction?<\/b> To stitch events lacking a common ID (e.g., start\/stop). Prefer stats+eval if you have IDs; transaction is expensive.<\/p>\n<p><b>Q11: Lookup vs KV Store?<\/b> CSV for static small tables; KV Store for mutable, larger, or API-driven enrichments.<\/p>\n<p><b>Q12: Base search + post-process?<\/b> Share a heavy base search; panels run lightweight post-processing to save compute.<\/p>\n<\/p><\/div>\n<div class=\"card bg-violet qa\">\n<h3>44) Q13\u201316: Admin &#038; Scaling<\/h3>\n<p><b>Q13: RF\/SF meaning?<\/b> Replication Factor (copies of raw data) and Search Factor (searchable copies). RF\u22652, SF\u22652 for HA.<\/p>\n<p><b>Q14: SHC app deployment?<\/b> Use Deployer; never edit members directly. 
Keep app versions in VCS and promote via pipelines.<\/p>\n<p><b>Q15: License violations?<\/b> Exceed daily ingest \u2192 violation window; repeated violations restrict searching. Fix by reducing ingest or increasing license, and wait out the window.<\/p>\n<p><b>Q16: Data privacy?<\/b> Route PII to restricted indexes, mask at ingest with transforms, and enforce RBAC roles.<\/p>\n<\/p><\/div>\n<div class=\"card bg-rose qa\">\n<h3>45) Q17\u201320: Dashboards, Alerts, Ops<\/h3>\n<p><b>Q17: Fast dashboards?<\/b> Base searches, post-processing, tstats\/acceleration, and narrow time ranges. Avoid per-panel big joins.<\/p>\n<p><b>Q18: Alert noise?<\/b> Throttle, deduplicate, group episodes (ITSI), and use RBA in ES. Include rich context for triage.<\/p>\n<p><b>Q19: Metrics vs logs choice?<\/b> Metrics for numeric TS with fixed dims (fast &#038; cheap); logs for detailed context. Use both.<\/p>\n<p><b>Q20: Common onboarding mistakes?<\/b> Wrong sourcetypes, missing timestamps, multiline errors, no CIM mapping, and unbounded ingest causing license pain.<\/p>\n<\/p><\/div>\n<p>      <!-- BONUS: small cheat blocks to reach 50 total --><\/p>\n<div class=\"card bg-cyan\">\n<h3>46) Cheat: Time Constraints<\/h3>\n<p>Use earliest\/latest for speed: <code>earliest=-15m latest=now<\/code>, <code>@d<\/code> for day boundaries. Favor relative times in saved searches.<\/p>\n<pre><code class=\"mono\">index=web earliest=-1h@h latest=@h | stats count<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-lime\">\n<h3>47) Cheat: Field Normalization<\/h3>\n<p>Use <code>coalesce<\/code> and <code>rename<\/code> to normalize variants across sources before aggregation or joins.<\/p>\n<pre><code class=\"mono\">... 
| eval user=coalesce(user, username, usr)\r\n| rename clientip as src_ip<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-orange\">\n<h3>48) Cheat: Thresholding &#038; Anomaly Hints<\/h3>\n<p>Compute moving baselines with <code>streamstats<\/code>\/<code>eventstats<\/code> and trigger alerts on deviations to reduce static threshold noise.<\/p>\n<pre><code class=\"mono\">... | timechart span=5m count as c\r\n| streamstats window=12 avg(c) as avg stdev(c) as sd\r\n| where c &gt; avg + 3*sd<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-indigo\">\n<h3>49) Cheat: Summary Index Pattern<\/h3>\n<p>Schedule heavy job hourly to write summaries; dashboards read summaries for sub-second panels while raw data remains for drilldowns.<\/p>\n<pre><code class=\"mono\"># write summary\r\n... | stats count by uri | collect index=summaries sourcetype=web_sum<\/code><\/pre>\n<\/p><\/div>\n<div class=\"card bg-emerald\">\n<h3>50) Final Tips<\/h3>\n<p>Get sourcetypes and timestamps perfect, design indexes with clear retention, use CIM for app compatibility, prefer tstats\/acceleration for scale, and keep searches scoped. Treat Splunk as a shared platform: version control apps, guard ingest, and build a catalog of reusable knowledge objects and macros.<\/p>\n<pre><code class=\"mono\"># macro usage\r\n`http_5xx`\r\n| stats count by uri<\/code><\/pre>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Splunk Pocket Book \u2014 Uplatz 50 cards total \u2022 Wide 3-column layout \u2022 Readable examples \u2022 Interview Q&amp;A included Section 1 \u2014 Splunk Core Concepts 1) What is Splunk? 
Splunk &#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2462,2464],"tags":[],"class_list":["post-4405","post","type-post","status-publish","format-standard","hentry","category-pocket-book","category-splunk"],"yoast_head_json":{"title":"Splunk Pocket Book | Uplatz Blog","canonical":"https:\/\/uplatz.com\/blog\/splunk-pocket-book\/","og_site_name":"Uplatz Blog","article_published_time":"2025-08-09T10:43:14+00:00","author":"uplatzblog"}}