Splunk Certification Exams Study Guide

The document provides information about Splunk certification exams, including the Splunk Core Certified User, Splunk Core Certified Power User, and Splunk Core Certified Advanced Power User exams. Details are given for each exam, including recommended training courses, sample questions, and answers.


© 2023 SPLUNK INC.

Splunk Certification Exam Study Guide

Splunk Certification Quick Link References

COVID-19 Exam Delivery Updates can be found here.

● Splunk Certification Candidate Handbook: Everything you need to know about the Splunk Certification program.
● Splunk Certification Exam Agreement: All candidates must review and agree to this policy in full prior to accessing a Splunk Certification Exam.
● Exam Registration Tutorial: Step-by-step exam registration assistance with detailed screenshots of the registration process.
● Online Proctored Delivery Overview: What to expect when taking a Splunk Certification exam via online proctor.
● Contact Pearson VUE Support: Pearson VUE registration troubleshooting, account issues, or exam delivery issues.

Splunk Certification Exams

Table of Contents

● Splunk Core Certified User
● Splunk Core Certified Power User
● Splunk Core Certified Advanced Power User
● Splunk Cloud Certified Admin
● Splunk Enterprise Certified Admin
● Splunk Enterprise Certified Architect
● Splunk Core Certified Consultant
● Splunk ES Certified Admin
● Splunk ITSI Certified Admin
● Splunk SOAR Certified Automation Developer
● Splunk O11y Cloud Certified Metrics User
● Splunk Certified Cybersecurity Defense Analyst

Please note: Sample questions (where available) are provided to give candidates a general idea of the formatting and type of questions for each of the exams listed above. The test blueprints provide much more detailed information regarding exam content. Candidate performance on these questions in no way guarantees performance or passing marks on the certification exam(s).

Splunk Core Certified User


What’s on the Exam?
This entry-level certification exam is a 57-minute, 60-question assessment which evaluates a
candidate’s knowledge and skills to search, use fields, create alerts, use lookups, and create basic
statistical reports and dashboards. Candidates can expect an additional 3 minutes to review the exam
agreement, for a total seat time of 60 minutes.

Splunk Core Certified User is a recommended entry-level certification track for all candidates.

We recommend exam candidates complete the following courses:

❏ Intro to Splunk
❏ Using Fields
❏ Scheduling Reports and Alerts
❏ Visualizations
❏ Working with Time
❏ Statistical Processing
❏ Leveraging Lookups and Subsearches
❏ Search Optimization

Prerequisite Certification(s):
● None

Prerequisite Course(s):
● None

Recommended Next Steps:
● Splunk Core Certified Power User

Looking for more details? Review the test blueprint here.

Splunk Core Certified User


Sample Questions

1. Which of the following is a main processing component of basic Splunk architecture?


a. Indexer
b. Load balancer
c. License master
d. Deployment server

2. According to Splunk best practices, which of the following searches is most efficient if we are interested in searching
the Windows Security Event Log for failures?
a. status=failure
b. index=oswinsec sourcetype=WinEventLog:Security status=failure
c. index=oswinsec sourcetype=WinEventLog:* status=failure
d. index=oswinsec failure

3. Which search command calculates statistics based on fields in the events?


a. top
b. rare
c. stats
d. fields
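The efficiency point behind question 2, combined with the stats command from question 3, as an added example that is not part of Splunk's study guide. The search scopes itself to one index, one sourcetype and a bounded time range before the status filter is applied, so the indexers only open buckets that can contain a match; status=failure on its own has to scan every index the role can search and every sourcetype in it. The index name oswinsec and the sourcetype WinEventLog:Security are the ones used in the question; the user and src field names are assumed to be extracted by the Windows add-on, and the threshold of ten failures per account is an arbitrary value chosen for the illustration.

```spl
index=oswinsec sourcetype=WinEventLog:Security status=failure earliest=-24h latest=now
| stats count AS failures, dc(src) AS distinct_sources, min(_time) AS first_seen, max(_time) AS last_seen BY user
| where failures > 10
| convert ctime(first_seen), ctime(last_seen)
| sort - failures
```

The first line is the only part that runs on the indexers; stats and everything after it is a transforming step that runs on the search head over the events the indexers returned, which is why narrowing the first line matters more than anything that follows it.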


Splunk Core Certified Power User


What’s on the Exam?
This next-level certification exam is a 57-minute, 65-question assessment which evaluates a
candidate’s knowledge and skills of field aliases and calculated fields, creating tags and event types,
using macros, creating workflow actions and data models, and normalizing data with the CIM.
Candidates can expect an additional 3 minutes to review the exam agreement, for a total seat time of
60 minutes.

In order to be prepared for the certification exam, Splunk recommends completing the following courses:

❏ Working with Time
❏ Statistical Processing
❏ Comparing Values
❏ Result Modification
❏ Correlation Analysis
❏ Creating Knowledge Objects
❏ Creating Field Extractions
❏ Data Models

Prerequisite Certification(s):
● None

Prerequisite Course(s):
● None

Recommended Next Steps:
● Splunk Core Certified Advanced Power User
● Splunk Enterprise Certified Admin
● Splunk Cloud Certified Admin

Looking for more details? Review the test blueprint here.

Splunk Core Certified Power User


Sample Questions

1. Which command is used only to create a time series visualization?


a. _time
b. chart
c. timechart
d. timeseries

2. Which of the following statements describe field aliases? (select all that apply)
a. Field aliases are applied after lookups.
b. Field aliases are applied before lookups.
c. Field aliases can be applied to lookups.
d. The original field is not replaced by the field alias.

3. What action type is used when creating a POST workflow action?


a. Web
b. Link
c. HTTP
d. HTTPS


Splunk Core Certified Advanced Power User


What’s on the Exam?
This advanced certification exam is a 57-minute, 70-question assessment which evaluates a candidate’s knowledge
and skills in more advanced searching and reporting commands, advanced use cases of knowledge objects, and
best practices for building dashboards and forms. Candidates can expect an additional 3 minutes to review the exam
agreement, for a total seat time of 60 minutes.

In order to be prepared for the certification exam, Splunk recommends completing the following courses:

❏ Using Fields
❏ Working with Time
❏ Comparing Values
❏ Result Modification
❏ Leveraging Lookups and Subsearches
❏ Correlation Analysis
❏ Multivalue Fields
❏ Search Optimization
❏ Creating Knowledge Objects
❏ Creating Field Extractions
❏ Enriching Data with Lookups
❏ Data Models
❏ Introduction to Dashboards
❏ Dynamic Dashboards

Prerequisite Certification(s):
● Splunk Core Certified Power User

Prerequisite Course(s):
● None

Recommended Next Steps:
● Splunk Enterprise Certified Admin
● Splunk Cloud Certified Admin

Looking for more details? Review the test blueprint here.

Splunk Core Certified Advanced Power User


Sample Questions

1. Where are transforming commands executed?


a. On indexers.
b. On search heads.
c. On forwarders.
d. It depends on their position in the search string.

2. At search time, Splunk creates tokens from event data. Where are they stored?
a. In a journal.gz file.
b. In a props.conf file.
c. In an inputs.conf file.
d. In a .tsidx file.

3. What is a default limitation of subsearches?


a. A subsearch returns no more than 10,000 events.
b. A subsearch must run in fewer than 30 seconds.
c. A subsearch can only be formatted with the | return command.
d. A subsearch only works by editing limits.conf.


Splunk Cloud Certified Admin


What’s on the Exam?
This upper-level certification exam is a 72-minute, 60-question assessment which evaluates a
candidate’s knowledge and skills in best practices and configuration details for Splunk Cloud, including
data inputs and forwarder configuration, data management, user accounts, and basic monitoring and
problem isolation. Candidates can expect an additional 3 minutes to review the exam agreement, for a
total seat time of 75 minutes. It is recommended that candidates for this certification complete the
lecture, hands-on labs, and quizzes that are part of the Splunk Cloud Administration or Transitioning to
Splunk Cloud course in order to be prepared for the certification exam.

The following content areas are general guidelines for the content to be included on the exam:

● Splunk Cloud overview
● Splunk index management
● Users, roles, and authentication
● Splunk configuration files
● Universal forwarder
● Forwarder management
● Data inputs in detail
● Event parsing with data preview
● Manipulating raw data
● Installing apps
● Problem isolation and Splunk Cloud support

Prerequisite Certification(s):
● Splunk Core Certified Power User

Prerequisite Course(s):
● None

Recommended Next Steps:
● Splunk ES Certified Admin
● Splunk ITSI Certified Admin
● Splunk SOAR Certified Automation Developer

Looking for more details? Review the test blueprint here.

Splunk Cloud Certified Admin


Sample Questions

1. Which Windows input type collects data from the Windows OS logs?
a. Network
b. Performance
c. Event log
d. Host

2. If a new event's raw data contains a timestamp, what is the next check (or decision) that Splunk makes in the event
timestamp processing logic?
a. Check if explicit time extraction rules exist in props.conf.
b. Check if the event contains a date.
c. Check if the file name contains a date.
d. Check if timestamps of nearby events from the same source are within a ten minute offset.

3. Which of the following is true about how users may be authenticated with Splunk Cloud?
a. Splunk native authentication, LDAP, and SAML authentication can all be used at the same time.
b. Splunk native authentication can be used with either LDAP or SAML authentication, but not both at the
same time.
c. Enabling LDAP or SAML authentication disables Splunk native authentication.
d. Enabling Splunk native authentication disables LDAP and SAML authentication options.


Splunk Enterprise Certified Admin


What’s on the Exam?
This upper-level certification exam is a 57-minute, 56-question assessment which evaluates a
candidate’s knowledge and skills to manage various components of Splunk on a daily basis, including
the health of the Splunk installation. Candidates can expect an additional 3 minutes to review the exam
agreement, for a total seat time of 60 minutes. It is recommended that candidates for this certification
complete the lecture, hands-on labs, and quizzes that are part of the Splunk Enterprise System
Administration and Splunk Enterprise Data Administration courses in order to be prepared for the
certification exam.
The following content areas are general guidelines for the content to be included on the exam:

● Splunk deployment overview
● License management
● Splunk apps
● Splunk configuration files
● Users, roles, and authentication
● Getting data in
● Distributed search
● Introduction to Splunk clusters
● Deploy forwarders with Forwarder Management
● Configure common Splunk data inputs
● Customize the input parsing process

Prerequisite Certification(s):
● Splunk Core Certified Power User

Prerequisite Course(s):
● None

Recommended Next Steps:
● Splunk Enterprise Certified Architect
● Splunk ES Certified Admin
● Splunk ITSI Certified Admin
● Splunk SOAR Certified Automation Developer

Looking for more details? Review the test blueprint here.

Splunk Enterprise Certified Admin


Sample Questions

1. Which Splunk component receives, indexes, and stores incoming data from forwarders?
a. Indexer
b. Search head
c. Cluster master
d. Deployment server

2. Which license type allows 500MB/day of indexing, but disables alerts, authentication, cluster, distributed search,
summarization, and forwarding to non-Splunk servers?
a. Free license
b. Forwarder license
c. Enterprise license
d. Enterprise trial license

3. What can be used when setting the host field option on a network input? (select all that apply)
a. IP
b. DNS
c. A binary file
d. Custom (explicit value)


Splunk Enterprise Certified Architect


What’s on the Exam?
This highly technical certification exam is an 87-minute, 85-question assessment which evaluates a candidate's knowledge and skills in Splunk Deployment Methodology and best practices for planning, data collection and sizing, and for managing and troubleshooting a standard deployment with indexer and search head clustering. Candidates can expect an additional 3 minutes to review the exam agreement, for a total seat time of 90 minutes. Candidates for this certification must complete the lecture, hands-on labs, and quizzes that are part of the Architecting Splunk Enterprise Deployments, Troubleshooting Splunk Enterprise, and Splunk Enterprise Cluster Administration courses, as well as the Splunk Enterprise Deployment Practical Lab, in order to be eligible for the certification exam.

The following content areas are general guidelines for the content to be included on the exam:

● Requirements definition
● Index and infrastructure planning
● Clustering overview
● Forwarder and deployment
● Integration
● Splunk Support model
● Splunk troubleshooting methods and tools
● Clarifying the problem, installation, licensing, and crash problems
● UI and search problems
● Configuration problems
● Deployment problems
● User management problems
● Large-scale Splunk deployment overview
● Single-site (high-availability) indexer cluster, multi-site (disaster-recovery) indexer cluster
● Indexer cluster management and administration
● Indexer discovery forwarder configuration
● Search head cluster
● Search head cluster management and administration
● KV Store collection and lookup management

Prerequisite Certification(s):
● Splunk Core Certified Power User
● Splunk Enterprise Certified Admin

Prerequisite Course(s):
● Architecting Splunk Enterprise Deployments
● Troubleshooting Splunk Enterprise
● Splunk Cluster Administration
● Splunk Deployment Practical Lab

Recommended Next Steps:
● Splunk Core Certified Consultant

Looking for more details? Review the test blueprint here.

Splunk Enterprise Certified Architect


Sample Questions

1. Search mode is a setting that optimizes search performance by controlling the amount or type of data that the
search returns. Which of the following are valid search mode settings? (select all that apply)
a. Fast
b. Smart
c. Verbose
d. Transform

2. By default, what is the retention period for the Splunk _audit index?
a. 14 days
b. 30 days
c. 90 days
d. 6 years

3. All Splunk users are unable to run searches. A legacy license file is suspected to have caused the issue. Which
Splunk log component could be used to clarify and confirm the issue?
a. Metrics
b. LMStackMgr
c. ServerConfig
d. SearchProcessRunner

Splunk Core Certified Consultant

What’s on the Exam?


This highly technical certification exam is a 117-minute, 86-question assessment which evaluates a candidate's knowledge and skills in Splunk Deployment Methodology and best practices for planning, data collection and sizing, and for managing and troubleshooting a standard deployment with indexer and search head clustering. Candidates can expect an additional 3 minutes to review the exam agreement, for a total seat time of 120 minutes. To qualify for the certification exam, candidates must complete the Indexer Cluster Implementation Lab, the Distributed Search Migration Lab, the Implementation Fundamentals Lab, the Architect Implementation Labs (1-3), as well as the Services: Core Implementation course. For a full list of exam eligibility requirements, please refer to the Splunk Core Certified Consultant track flowchart.

The following content areas are general guidelines for the content to be included on the exam:

● Splunk Validated Architectures
● Monitoring Console configuration
● Authentication protocols
● Splunk to Splunk (S2S) communication
● Data inputs
● Forwarder types
● HEC tokens
● Fishbucket records
● Pretrained sourcetypes
● Indexing buckets
● Event processing
● Indexing intervals
● Data retention
● Search head dispatch
● Sub-searches
● Deployment apps
● Deployment Server
● Indexer clustering
● Upgrading an indexer cluster
● Indexer cluster failure modes
● Multi-site clustering
● Indexer migration
● Search head clustering

Prerequisite Certification(s):
● Splunk Core Certified Power User
● Splunk Core Certified Advanced Power User
● Splunk Enterprise Certified Admin
● Splunk Enterprise Certified Architect

Prerequisite Course(s):
● Core Consultant Labs
● Services: Core Implementation

Recommended Next Steps:
● None

Looking for more details? Review the test blueprint here.

Splunk Enterprise Security Certified Admin


What’s on the Exam?
This app-specific certification exam is a 57-minute, 48-question assessment which evaluates a candidate's knowledge and skills in the installation, configuration, and management of Splunk Enterprise Security. Candidates can expect an additional 3 minutes to review the exam agreement, for a total seat time of 60 minutes. It is recommended that candidates for this certification complete the lecture, hands-on labs, and quizzes that are part of the Administering Splunk Enterprise Security course in order to be prepared for the certification exam.

The Administering Splunk Enterprise Security course focuses on administrators who manage a Splunk Enterprise Security environment, including ES event processing and normalization, deployment requirements, technology add-ons, settings, risk analysis settings, threat intelligence and protocol intelligence configuration, and customizations.

The following content areas are general guidelines for the content to be included on the exam:

● Identifying normal ES use cases
● Examining deployment requirements for typical ES installs
● Knowing how to install ES and gather information for lookups
● Knowing the steps to setting up inputs using technology add-ons
● Creating custom correlation searches
● Configuring ES risk analysis, threat, and protocol intelligence
● Fine tuning ES settings and other customizations

Prerequisite Certification(s):
● None

Prerequisite Course(s):
● None

Recommended Next Steps:
● Splunk SOAR Certified Automation Developer

Looking for more details? Review the test blueprint here.

Splunk Enterprise Security Certified Admin


Sample Questions

1. When is it appropriate to use Auto Deployment on Splunk_TA_ForIndexers in a distributed search configuration?
a. When the indexers are clustered.
b. When there are multiple indexers with the same retention settings.
c. When there are multiple indexers with the same storage volume settings.
d. When there are multiple indexers with different volume and retention settings.

2. In order for ES to automatically take an action upon locating a particular event, what can a correlation search be
configured to execute?
a. Action script
b. Activation prompt
c. Adaptive response
d. Integration script

3. When creating a correlation search, which command will generate a notable event if the risk score for any one host
is greater than 100?
a. | where 'risk_score' > 100
b. | eval risk_score > 100
c. | sum(host)risk_score > 100
d. | All_Risk.risk_score > 100
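The risk-based alerting pattern behind question 3, as an added example that is not part of Splunk's study guide or of the correlation searches that ship with Enterprise Security. The search reads the ES Risk data model with tstats, sums the risk score that every risk rule has attributed to each system over the last 24 hours, and keeps only hosts whose total exceeds 100, the threshold the question uses; when saved as a correlation search with a Notable adaptive response, each surviving row becomes one notable event. The data model, field and annotation names (Risk.All_Risk, All_Risk.risk_score, All_Risk.risk_object, All_Risk.risk_object_type, All_Risk.annotations.mitre_attack.mitre_technique_id) are those of the Risk data model in Enterprise Security; the 24-hour window and the extra requirement that at least two distinct risk rules contributed are tuning choices added here and are not part of the question.

```spl
| tstats summariesonly=true
    sum(All_Risk.risk_score) AS risk_score,
    count AS risk_events,
    dc(source) AS contributing_searches,
    values(source) AS contributing_search_names,
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) AS mitre_techniques
    FROM datamodel=Risk.All_Risk
    WHERE All_Risk.risk_object_type="system" earliest=-24h latest=now
    BY All_Risk.risk_object, All_Risk.risk_object_type
| rename All_Risk.* AS *
| where risk_score > 100 AND contributing_searches >= 2
| sort - risk_score
```

The where clause is the part the question is really asking about: risk_score is the per-host sum produced by the BY clause, so the comparison fires once per host rather than once per risk event, and the dc(source) guard suppresses a single noisy rule from crossing the threshold on its own. Because tstats runs against the accelerated data model rather than raw events, the same search stays cheap enough to schedule every few minutes.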


Splunk IT Service Intelligence Certified Admin


What’s on the Exam?
This app-specific certification exam is a 57-minute, 53-question assessment which evaluates a candidate’s
knowledge and skills of the installation and configuration of Splunk's app for IT Service Intelligence (ITSI).
Candidates can expect an additional 3 minutes to review the exam agreement, for a total seat time of 60
minutes. It is recommended that candidates for this certification complete the lecture, hands-on labs, and
quizzes that are part of the Implementing IT Service Intelligence course in order to be prepared for the
certification exam.

The Implementing ITSI course focuses on the use of ITSI to monitor mission-critical services. Major topics include ITSI architecture, deployment planning, installation, service design and implementation, configuring entities, notable events, and developing glass tables and deep dives.

The following content areas are general guidelines for the content to be included on the exam:

● ITSI architecture and deployment
● Installing ITSI
● Designing services - discovery and best practices
● Implementing services and entities
● Configuring correlation searches and multi-KPI alerts
● Managing aggregation policies and anomaly detection
● Troubleshooting and maintenance

Prerequisite Certification(s):
● None

Prerequisite Course(s):
● None

Recommended Next Steps:
● None

Looking for more details? Review the test blueprint here.

Splunk IT Service Intelligence Certified Admin


Sample Questions

1. Which of the following accurately describes an individual notable event?


a. It is immutable.
b. It can be cloned.
c. It can have its status changed.
d. It can be assigned to an analyst.

2. Which of the following is an adaptive threshold best practice?


a. Use if there is no consistent flow of data.
b. Disable backfill on adaptive threshold data.
c. Use when KPI values are expected to move dynamically.
d. Update adaptive threshold values manually each day at midnight.

3. Within a correlation search, how can a service be associated?


a. By using lookup in the ad hoc search.
b. By modifying correlation_searches.conf
c. By specifying an appropriate time range.
d. By adding the service name to the service field.

Splunk SOAR Certified Automation Developer

What’s on the Exam?


This highly technical certification exam is a 57-minute, 45-question assessment which evaluates a candidate’s knowledge and skills in
installing and configuring a SOAR server and integrating it with Splunk, as well as planning, designing, creating, and debugging playbooks.
Candidates can expect an additional 3 minutes to review the exam agreement, for a total seat time of 60 minutes. It is recommended that
candidates for this certification complete the lecture, hands-on labs, and quizzes that are part of the Administering Splunk SOAR,
Investigating Splunk Incidents with SOAR, Developing SOAR Playbooks, and Advanced SOAR Implementation courses in order to be prepared
for the certification exam. Formerly referred to as Splunk Phantom Certified Admin.

The following content areas are general guidelines for the content to be included on the exam:

● Installation/initial configuration
● Apps and assets
● User management
● Ingesting data
● Events and containers
● Mission control
● Running actions and playbooks
● Case management/workflows
● Multi-tenancy
● Clustering
● Automation best practices
● The visual playbook editor
● Using actions and decisions
● Using action results
● Testing and debugging playbooks
● Using interaction
● Output formatting
● Complex logic
● Interacting with artifacts
● Using the vault in a playbook
● Custom lists
● Integrating Splunk with SOAR (Phantom)

Prerequisite Certification(s):
● None

Prerequisite Course(s):
● None

Recommended Next Steps:
● None

Review the test blueprint here.

Splunk O11y Cloud Certified Metrics User


What’s on the Exam?
This foundational-level certification exam is a 60-minute, 54-question assessment which evaluates a candidate's knowledge and skills in monitoring and investigating issues using Splunk Observability Cloud. This certification exam evaluates an individual's ability to monitor using built-in content, deploy and configure the OpenTelemetry Collector to send in metrics, visualize metrics, find insights using analytics, and set up alerts to monitor development environments in real time.

Splunk O11y Cloud Certified Metrics User is a recommended foundational-level certification track for all candidates in the observability/DevOps/SRE arena.

Candidates may reference the Splunk How-To YouTube Channel, Splunk Docs, and draw from their own Splunk experience. The following is a suggested and non-exhaustive list of training from our Course Catalog that may cover topics listed in the exam blueprint:

❏ Getting Data into Splunk Observability Cloud
❏ Introduction to Splunk Observability
❏ Introduction to Splunk Infrastructure Monitoring
❏ Splunk Observability Cloud Teams
❏ Splunk Observability Cloud Enterprise Features
❏ Fundamentals of Metrics Monitoring in Splunk Observability
❏ Kubernetes Monitoring with Splunk Observability Cloud
❏ Visualizing and Alerting in Splunk Observability Cloud

Prerequisite Certification(s):
● None

Prerequisite Course(s):
● None

Recommended Next Steps:
● Splunk Core Certified Power User
● Splunk SOAR Certified Automation Developer
● Splunk IT Service Intelligence Certified Administrator

Splunk Certified Cybersecurity Defense Analyst

What’s on the Exam?
This intermediate-level certification exam is a 75-minute, 66-question assessment which establishes a
standard for users of Splunk Enterprise and Enterprise Security who wish to be certified as
cybersecurity professionals. With this certification, you will be able to demonstrate knowledge critical to
detecting, analyzing and combating cyber threats. Help protect businesses and mitigate risk, while
managing vulnerabilities and threats using common types of cyber defense systems. Splunk Certified
Cybersecurity Defense Analyst is a recommended certification track for all candidates in the
cybersecurity/SOC analyst arena.

Candidates may reference the Splunk How-To YouTube Channel, Splunk Docs, Splunk Boss of the SOC (BOTS) Blog, and draw from their own Splunk experience. The following is a suggested and non-exhaustive list of training from our Course Catalog that may cover topics listed in the exam blueprint:

❏ The Cybersecurity Landscape
❏ Understanding Threats and Attacks
❏ Security Operations and the Defense Analyst
❏ Data and Tools for Defense Analysts
❏ Intro to Splunk
❏ Search Under the Hood
❏ Data Models
❏ Using Splunk Enterprise Security
❏ Introduction to Splunk Security Essentials

Prerequisite Certification(s):
● None - it is recommended to have Power User level knowledge of Splunk Enterprise.

Prerequisite Course(s):
● None

Recommended Next Steps:
● SOC administrator learning path
● Splunk Enterprise Security Certified Admin