Splunk Core Certified Power User (SPLK-1002) : Certification Experience
Introduction
After recently passing the Splunk Core Certified User (SPLK-1001) certification, I decided to continue my studies and prepare for the Splunk Core Certified Power User (SPLK-1002) certification. I wanted to continue to build on my knowledge of Splunk fundamentals and learn more about Splunk features. I have created this short article to help anyone who is considering on studying for the SPLK-1002 exam and to share my experience with the training. You can also read about my experience studying for the SPLK-1001 here.
Splunk Core Certified Power User (SPLK-1002)
Splunk is a software platform to search, analyze and visualize the machine-generated data. In Cyber Security, Splunk allows security teams to analyze large data sets, detect malicious network activity, and respond to threats across environments quickly and more accurately than legacy SIEM systems.
According to Splunk, The Splunk Power User (SPLK-1002) certification is intended for individuals who have a more advanced understanding of the Splunk platform and its features. They are able to perform more complex searches and create more advanced reports and dashboards. The certification focuses on intermediate-level functionality of the platform. In contrast, the Splunk User (SPLK-1001) certification is focused on the core functionality of the platform, such as searching, navigating, and creating simple reports and dashboards.
Training Material
In preparation to sit the SPLK-1002 exam, I started by reviewing the exam Test Blueprint and the Splunk Certification Exams Study Guide. These guides provide an overview of what to expect on the exam, sample questions and suggested training material. I studied the following Splunk eLearning modules (pricing guide) while preparing for the exam:
Free eLearning Modules:
- What is Splunk?
- Intro to Knowledge Objects
Paid eLearning Modules:
- Intro to Splunk
- Using Fields
- Working with Time
- Comparing Values
- Result Modification
- Correlation Analysis
- Creating Knowledge Objects
- Creating Field Extractions
- Data Models
The training was provided in the same format as for the SPLK-1001 certification. The training was compromised of a mixture of video lectures, lab exercises and quizzes. Overall, I found the eLearning modules listed above were sufficient to pass the exam but, as with the SPLK-1001, I did often find myself needing to refer to the Splunk Documentation page to fill some knowledge gaps I had around different SPL commands and Splunk concepts. The questions in the quizzes provided in the eLearning modules were also around the same difficulty level that I experienced during the exam.
Exam Experience & Advice
The exam is provided by Splunk’s testing partner Pearson VUE and costs $130 USD per exam attempt. The exam format consists of 65 multiple choice questions and lasts for 60 minutes. The exam itself was straight forward and I found myself sufficiently prepared once I had completed all of the eLearning Modules above. I also found that 60 minutes was sufficient time to complete the exam.
To anyone taking the exam, I would provide the following advice:
- Review the Exam Blueprint and understand how each section is weighted in the exam. This helps to prioritize study time on sections that are weighted more heavily than others.
- Complete the labs that accompany each module to get some hands on practices with SPL and Splunk features. The Boss of The SOC challenges can also be a useful resource when practicing SPL searches.
- During the exam, there were a few questions that I was unsure about. This is inevitable when preparing for any certification and my advice for these questions is to select an answer and flag the question for later review. This saves you from wasting time and ensures that you do not miss any easy questions that may come up later in the exam.
Final Thoughts
The Splunk Core Certified Power User (SPLK-1002) is an intermediary level certification that can help expand your basic Splunk skill set with greater understanding of searching and reporting, creating objects, tags, models and more. It’s great for beginners looking to expand their foundation of knowledge in Splunk or for people looking to prove their existing knowledge via passing the exam. I also found that taking this exam shortly after passing the SPLK-1001 helped with knowledge retention and reduced the amount of time I needed to study. Thanks for reading till the end and best of luck with your exams 😃!
