WEEK_3 · DAY_15 · 1 HOUR
Splunk Admin Essentials
Roles, indexes, deployment server, monitoring console, license
Learning Objectives
- Manage users, roles, capabilities
- Plan and create indexes with retention
- Push apps via Deployment Server
- Use Monitoring Console for health
Module 1 — Users, Roles, Capabilities
Built-in roles: admin, user, power. Stack capabilities & srchIndexesAllowed for least privilege.
RBAC: T1 sees only Incident Review; T3 has search across all indexes.
Module 2 — Indexes & Retention
indexes.conf: maxDataSize, frozenTimePeriodInSecs, coldPath, frozenPath.
Hot/warm fast SSD, cold cheaper HDD, frozen S3/archive.
Module 3 — Deployment Server
Pushes apps & configs to forwarders. serverclass.conf maps clients to apps.
Critical for managing 10,000+ forwarders centrally.
Module 4 — Monitoring Console
Pre-built dashboards for indexer health, search performance, license use.
First place to look when 'Splunk feels slow.'
Lab 15 — Plan Roles & Indexes
- Define roles: t1, t2, t3, soc_manager, ir_lead.
- Map capabilities and srchIndexesAllowed for each.
- Plan 5 indexes with retention (wineventlog 90d, sysmon 60d, network 30d, email 180d, notable 365d).
- Document a Deployment Server serverclass for Windows endpoints.
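A worked answer to the index, role and serverclass steps of this lab, added here as example configuration and not part of the course materials: the five planned indexes with their retention, the t1 and t3 roles, and a serverclass for Windows endpoints. The bucket paths, the archive directory and the app name TA_windows_inputs are assumptions; the key that sends frozen buckets to an archive is coldToFrozenDir.

```ini
# ---- $SPLUNK_HOME/etc/system/local/indexes.conf (indexers) ----
# frozenTimePeriodInSecs = days * 86400 (90/60/30/180/365 d below); unset, the
# default is 188697600 s (6 years). Splunk .conf files take no inline comments.
[wineventlog]
homePath = $SPLUNK_DB/wineventlog/db
coldPath = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
frozenTimePeriodInSecs = 7776000
# archive frozen buckets to this (assumed) path instead of deleting them
coldToFrozenDir = /archive/wineventlog
[sysmon]
homePath = $SPLUNK_DB/sysmon/db
coldPath = $SPLUNK_DB/sysmon/colddb
thawedPath = $SPLUNK_DB/sysmon/thaweddb
frozenTimePeriodInSecs = 5184000
[network]
homePath = $SPLUNK_DB/network/db
coldPath = $SPLUNK_DB/network/colddb
thawedPath = $SPLUNK_DB/network/thaweddb
frozenTimePeriodInSecs = 2592000
[email]
homePath = $SPLUNK_DB/email/db
coldPath = $SPLUNK_DB/email/colddb
thawedPath = $SPLUNK_DB/email/thaweddb
frozenTimePeriodInSecs = 15552000
[notable]
homePath = $SPLUNK_DB/notable/db
coldPath = $SPLUNK_DB/notable/colddb
thawedPath = $SPLUNK_DB/notable/thaweddb
frozenTimePeriodInSecs = 31536000

# ---- $SPLUNK_HOME/etc/system/local/authorize.conf (search head) ----
# Index access is the union over imported roles, so t1 grants 'search' directly
# instead of importing 'user' (whose default srchIndexesAllowed is broad).
[role_t1]
search = enabled
srchIndexesAllowed = notable
srchIndexesDefault = notable
[role_t3]
importRoles = power
srchIndexesAllowed = wineventlog;sysmon;network;email;notable
srchIndexesDefault = notable
# ---- $SPLUNK_HOME/etc/system/local/serverclass.conf (deployment server) ----
# matches Windows forwarders only; the app name TA_windows_inputs is assumed
[serverClass:windows_endpoints]
whitelist.0 = *
machineTypesFilter = windows-x64
[serverClass:windows_endpoints:app:TA_windows_inputs]
restartSplunkd = true
stateOnClient = enabled
```

Verify the result on the search head with `splunk btool authorize list role_t1 --debug` and on the deployment server with `splunk reload deploy-server` before trusting the restriction.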
Key Takeaways
- ✓ RBAC + index access = least privilege
- ✓ Retention is a cost & compliance decision
- ✓ Monitoring Console first when in doubt