Recently, I have been working a lot within Splunk environments but, despite having completed multiple certifications, training courses and security challenges that involved Splunk, I had yet to acquire any certifications from Splunk itself. In light of this, I recently studied for and passed the Splunk Core Certified User (SPLK-1001) certification to demonstrate my understanding of Splunk fundamentals. I have written this short article to help anyone who is considering studying for the SPLK-1001 exam and to share my experience with the training.
Splunk Core Certified User (SPLK-1001)
Splunk is a software platform for searching, analyzing and visualizing machine-generated data. In cyber security, Splunk allows security teams to analyze large data sets, detect malicious network activity, and respond to threats across environments more quickly and accurately than legacy SIEM systems.
According to Splunk, a Splunk Core Certified User is able to search, use fields, create alerts, use look-ups, and create basic statistical reports and dashboards in either the Splunk Enterprise or Splunk Cloud platforms. This entry-level certification demonstrates an individual’s basic ability to navigate and use Splunk software.
In preparation for sitting the SPLK-1001 exam, I started by reviewing the exam Test Blueprint and the Splunk Certification Exams Study Guide. These guides provide an overview of what to expect on the exam, sample questions and suggested training material. I studied the following Splunk eLearning modules (pricing guide) while preparing for the exam:
Free eLearning Modules:
- What is Splunk?
- Intro to Knowledge Objects
Paid eLearning Modules:
- Intro to Splunk
- Using Fields
- Scheduling Reports and Alerts
- Working with Time
- Statistical Processing
- Leveraging Lookups and Subsearches
- Search Optimization
The training was a mixture of video lectures, lab exercises and quizzes. Overall, I found the eLearning modules listed above were sufficient to pass the exam, but I did often find myself needing to refer to the Splunk Documentation page to fill some knowledge gaps I had around different SPL commands. The questions in the quizzes provided in the eLearning modules were also around the same difficulty level that I experienced during the exam.
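To make the skill areas covered by the modules above concrete (using fields, working with time, statistical processing, lookups, and the kind of search you would save as a scheduled report or alert), here is a sample SPL search I have added to this article. It is not taken from the Splunk courses, the Splunk documentation or the exam; every name in it is an assumption: an index called main containing events with sourcetype linux_secure (SSH authentication log lines), and a lookup table called known_scanners with columns ip and owner. The search summarises failed SSH logins per source address over the last day, keeps only sources that failed many times and then succeeded at least once, and enriches the result from the lookup.

```spl
index=main sourcetype=linux_secure ("Failed password" OR "Accepted password") earliest=-24h@h latest=now
| rex field=_raw "(?<outcome>Failed|Accepted) password for (invalid user )?(?<user>\S+) from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| stats count(eval(outcome="Failed")) as failures, count(eval(outcome="Accepted")) as successes, dc(user) as distinct_users, min(_time) as first_seen, max(_time) as last_seen by src_ip
| where failures > 20 AND successes > 0
| lookup known_scanners ip as src_ip OUTPUT owner
| fillnull value="not in lookup" owner
| convert ctime(first_seen) ctime(last_seen)
| sort -failures
```

Reading it top to bottom: the first line combines keyword filtering with the earliest and latest time modifiers; rex extracts the outcome, user and src_ip fields from the raw event text (assumed format, adjust the pattern to your log source); stats produces the counts, distinct user tally and first/last timestamps per source address; where filters on the computed statistics; lookup and fillnull enrich each row from the assumed lookup table; convert turns the epoch timestamps into readable times; and sort orders the noisiest sources first. Saving a search like this as an alert that triggers when it returns any rows is the Scheduling Reports and Alerts material in practice.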
Exam Experience & Advice
The exam is provided by Splunk’s testing partner Pearson VUE and costs $130 USD per exam attempt. The exam format consists of 60 multiple choice questions and lasts for 60 minutes. The exam itself was straightforward and I found myself sufficiently prepared once I had completed all of the eLearning modules above. I also found that 60 minutes was sufficient time to complete the exam.
To anyone taking the exam, I would provide the following advice:
- Review the Exam Blueprint and understand how each section is weighted in the exam. This helps to prioritize study time on sections that are weighted more heavily than others.
- Complete the labs that accompany each module to get some hands-on practice with SPL and Splunk features. The Boss of the SOC challenges can also be a useful resource when practicing SPL searches.
- During the exam, there were a few questions that I was unsure about. This is inevitable when preparing for any certification and my advice for these questions is to select an answer and flag the question for later review. This saves you from wasting time and ensures that you do not miss any easy questions that may come up later in the exam.
The Splunk Core Certified User (SPLK-1001) is an entry-level certification that can help demonstrate you have basic competency with using Splunk. It’s great for beginners looking to build a foundation of knowledge in Splunk or for people looking to prove their existing knowledge by passing the exam. It also serves as a good stepping stone to prepare for the Splunk Core Certified Power User (SPLK-1002) certification. Thank you for reading to the end and best of luck in your exams! 😃