WEEK_2 · DAY_08 · LAB

Lab 8 — Architect a Splunk Deployment

Indexers, search heads, forwarders, deployment server, license master

Lab Objectives

  • Identify every component of a Splunk deployment
  • Understand the data pipeline: input → parsing → indexing → search
  • Differentiate Universal Forwarder vs Heavy Forwarder
  • Plan a clustered deployment

Lab Instructions

  1. Plan a deployment for 500 GB/day ingest.
  2. Size indexers, search heads, forwarders.
  3. Decide: Indexer Cluster yes/no? Search Head Cluster yes/no?
  4. Document on which components Splunk ES would run.
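
A sizing sketch for steps 1 to 3, added here as an example and not part of the lab: it turns the 500 GB/day target into an indexer count and disk estimate with and without an indexer cluster, and flags sources that would outrun a universal forwarder's default 256 KBps throughput limit. The per-indexer capacity, compression ratios, retention, replication and search factors, and the sample host names are assumptions to replace with your own figures.

```python
import math

# Assumed planning inputs (not from the lab); replace with measured values.
ASSUMED = {
    "gb_per_indexer_day": 100.0,  # sustained ingest one indexer handles
    "rawdata_ratio": 0.15,        # compressed rawdata / raw ingest
    "index_files_ratio": 0.35,    # tsidx and metadata / raw ingest
    "retention_days": 90,
    "replication_factor": 3,      # copies of rawdata the cluster keeps
    "search_factor": 2,           # searchable copies (rawdata + index files)
    "uf_max_kbps": 256,           # universal forwarder default thruput limit
}

def plan(ingest_gb_day, clustered, a=ASSUMED):
    """Estimate indexer count and disk for a given daily ingest."""
    rf = a["replication_factor"] if clustered else 1
    sf = a["search_factor"] if clustered else 1
    indexers = math.ceil(ingest_gb_day / a["gb_per_indexer_day"])
    if clustered:
        # A cluster needs at least as many peers as the replication factor.
        indexers = max(indexers, rf)
    # Rawdata is stored rf times, index files only for the sf searchable copies.
    per_day_gb = ingest_gb_day * (a["rawdata_ratio"] * rf + a["index_files_ratio"] * sf)
    total_tb = per_day_gb * a["retention_days"] / 1024
    return {
        "indexers": indexers,
        "total_storage_tb": round(total_tb, 1),
        "storage_per_indexer_tb": round(total_tb / indexers, 1),
    }

def throttled_forwarders(sources_gb_day, a=ASSUMED):
    """Return hosts whose daily volume exceeds what the UF limit can ship."""
    limit_gb_day = a["uf_max_kbps"] * 86400 / 1024 / 1024  # about 21 GB/day
    return sorted(h for h, gb in sources_gb_day.items() if gb > limit_gb_day)

if __name__ == "__main__":
    print("standalone:", plan(500, clustered=False))
    print("clustered: ", plan(500, clustered=True))
    # Constructed sample: expected daily volume per forwarding host, in GB.
    print(throttled_forwarders({"fw-syslog": 120, "dc01": 8, "proxy01": 30}))
```

Hosts returned by `throttled_forwarders` are the ones where the forwarder tier needs attention in step 2, for example a raised throughput limit or a heavy forwarder in front of the source.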