© 2022 SPLUNK INC.

Splunk
Certification
Certification Exam Study Guide
 © 2022 SPLUNK INC.

Splunk Certification
Quick Link References
COVID-19 Exam Delivery Updates can be found here.

Splunk Certification Splunk Certification Exam Registration Online Proctored Contact Pearson VUE
Candidate Handbook Exam Agreement Tutorial Delivery Overview Support

Everything you need to All candidates must Step-by-step exam What to expect when Pearson VUE
know about the Splunk review and agree to registration assistance taking a Splunk registration
Certification program. this policy in-full prior to with detailed Certification exam via troubleshooting,
accessing a Splunk screenshots of the online proctor. account issues, or
Certification Exam. registration process. exam delivery issues.
 © 2022 SPLUNK INC.

Splunk
Certification • Splunk Core Certified User

Exams •
•
Splunk Core Certified Power User
Splunk Core Certified Advanced Power User
Table of Contents • Splunk Cloud Certified Admin

Please note: Sample questions (where • Splunk Enterprise Certified Admin

available) are provided to give candidates a • Splunk Enterprise Certified Architect
general idea of the formatting and type of
questions for each of the exams listed above. • Splunk Core Certified Consultant
The test blueprints provide much more detailed
information regarding exam content. • Splunk Certified Developer
• Splunk ES Certified Admin
Candidate performance on these questions in
• Splunk ITSI Certified Admin
no way guarantees performance or passing
marks on the certification exam(s). • Splunk SOAR Certified Automation Developer
• Splunk O11y Cloud Certified Metrics User
• Splunk Certified Cybersecurity Defense Analyst
 © 2022 SPLUNK INC.

Splunk Core Certified User

What’s on the Exam?
This entry-level certification exam is a 57-minute, 60-question assessment which evaluates a
candidate’s knowledge and skills to search, use fields, create alerts, use lookups, and create basic
statistical reports and dashboards. Candidates can expect an additional 3 minutes to review the exam
agreement, for a total seat time of 60 minutes.

Splunk Core Certified User is a recommended entry-level certification track for all candidates.

We recommend exam candidates complete the following courses:

Prerequisite Certification(s): ❏ Intro to Splunk

❏ Using Fields
● None
❏ Scheduling Reports and Alerts
Prerequisite Course(s): ❏ Visualizations
❏ Working with Time
● None ❏ Statistical Processing
❏ Leveraging Lookups and Subsearches
Recommended Next Steps:
❏ Search Optimization
● Splunk Core Certified Power
Looking for more details? Review the test blueprint here.
User
 © 2022 SPLUNK INC.

Splunk Core Certified User

Sample Questions

1. Which of the following is a main processing component of basic Splunk architecture?

a. Indexer
b. Load balancer
c. License master
d. Deployment server

2. According to Splunk best practices, which of the following searches is most efficient if we are interested in searching
the Windows Security Event Log for failures?
a. status=failure
b. index=oswinsec sourcetype=WinEventLog:Security status=failure
c. index=oswinsec sourcetype=WinEventLog:* status=failure
d. index=oswinsec failure

3. Which search command calculates statistics based on fields in the events?

a. top
b. rare
c. stats
d. fields
 © 2022 SPLUNK INC.

Splunk Core Certified User

Answer Key

1. Which of the following is a main processing component of basic Splunk architecture?

a. Indexer
b. Load balancer
c. License master
d. Deployment server

2. According to Splunk best practices, which of the following searches is most efficient if we are interested in searching
the Windows Security Event Log for failures?
a. status=failure
b. index=oswinsec sourcetype=WinEventLog:Security status=failure
c. index=oswinsec sourcetype=WinEventLog:* status=failure
d. index=oswinsec failure

3. Which search command calculates statistics based on fields in the events?

a. top
b. rare
c. stats
d. fields
 © 2022 SPLUNK INC.

Splunk Core Certified Power User

What’s on the Exam?
This next-level certification exam is a 57-minute, 65-question assessment which evaluates a
candidate’s knowledge and skills of field aliases and calculated fields, creating tags and event types,
using macros, creating workflow actions and data models, and normalizing data with the CIM.
Candidates can expect an additional 3 minutes to review the exam agreement, for a total seat time of
60 minutes.

In order to be prepared for the certification exam, Splunk recommends completing the following
courses:
Prerequisite Certification(s):
❏ Working with Time
● None
❏ Statistical Processing
Prerequisite Course(s): ❏ Comparing Values
❏ Result Modification
● None
❏ Correlation Analysis
Recommended Next Steps: ❏ Creating Knowledge Objects
❏ Creating Field Extractions
● Splunk Core Certified ❏ Data Models
Advanced Power User
● Splunk Enterprise Certified Looking for more details? Review the test blueprint here.
Admin
● Splunk Cloud Certified
Admin
 © 2022 SPLUNK INC.

Splunk Core Certified Power User

Sample Questions

1. Which command is used only to create a time series visualization?

a. _time
b. chart
c. timechart
d. timeseries

2. Which of the following statements describe field aliases? (select all that apply)
a. Field aliases are applied after lookups.
b. Field aliases are applied before lookups.
c. Field aliases can be applied to lookups.
d. The original field is not replaced by the field alias.

3. What action type is used when creating a POST workflow action?

a. Web
b. Link
c. HTTP
d. HTTPS
 © 2022 SPLUNK INC.

Splunk Core Certified Power User

Answer Key

1. Which command is used only to create a time series visualization?

a. _time
b. chart
c. timechart
d. timeseries

2. Which of the following statements describe field aliases? (Select all that apply)
a. Field aliases are applied after lookups.
b. Field aliases are applied before lookups.
c. Field aliases can be applied to lookups.
d. The original field is not replaced by the field alias.

3. What action type is used when creating a POST workflow action?

a. Web
b. Link
c. HTTP
d. HTTPS
 © 2022 SPLUNK INC.

Splunk Core Certified Advanced Power User

What’s on the Exam?
This advanced certification exam is a 57-minute, 70-question assessment which evaluates a candidate’s knowledge
and skills in more advanced searching and reporting commands, advanced use cases of knowledge objects, and
best practices for building dashboards and forms. Candidates can expect an additional 3 minutes to review the exam
agreement, for a total seat time of 60 minutes.

In order to be prepared for the certification exam, Splunk recommends completed the following courses:

❏ Using Fields
❏ Working with Time
Prerequisite Certification(s): ❏ Comparing Values
❏ Result Modification
● Splunk Core Certified Power User ❏ Leveraging Lookups and Subsearches
❏ Correlation Analysis
Prerequisite Course(s): ❏ Multivalue Fields
❏ Search Optimization
● None ❏ Creating Knowledge Objects
❏ Creating Field Extractions
Recommended Next Steps:
❏ Enriching Data with Lookups
❏ Data Models
● Splunk Certified Developer
❏ Introduction to Dashboards
● Splunk Enterprise Certified Admin ❏ Dynamic Dashboards
● Splunk Cloud Certified Admin
Looking for more details? Review the test blueprint here.
 © 2022 SPLUNK INC.

Splunk Cloud Certified Admin

What’s on the Exam?
This upper-level certification exam is a 72-minute, 60-question assessment which evaluates a
candidate’s knowledge and skills in best practices and configuration details for Splunk Cloud, including
data inputs and forwarder configuration, data management, user accounts, and basic monitoring and
problem isolation. Candidates can expect an additional 3 minutes to review the exam agreement, for a
total seat time of 75 minutes. It is recommended that candidates for this certification complete the
lecture, hands-on labs, and quizzes that are part of the Splunk Cloud Administration or Transitioning to
Splunk Cloud course in order to be prepared for the certification exam.

Prerequisite Certification(s): The following content areas are general guidelines for the content to be included on the exam:
● Splunk Core Certified Power User
● Splunk Cloud overview
Prerequisite Course(s): ● Splunk index management
● Users, roles, and authentication
● None ● Splunk configuration files
● Universal forwarder
Recommended Next Steps: ● Forwarder management
● Data inputs in detail
● Splunk Certified Developer
● Event parsing with data preview
● Splunk ES Certified Admin
● Manipulating raw data
● Splunk ITSI Certified Admin
● Installing apps
● Splunk SOAR Certified
● Problem isolation and Splunk Cloud support
Automation Developer

Looking for more details? Review the test blueprint here.

 © 2022 SPLUNK INC.

Splunk Enterprise Certified Admin

What’s on the Exam?
This upper-level certification exam is a 57-minute, 56-question assessment which evaluates a
candidate’s knowledge and skills to manage various components of Splunk on a daily basis, including
the health of the Splunk installation. Candidates can expect an additional 3 minutes to review the exam
agreement, for a total seat time of 60 minutes. It is recommended that candidates for this certification
complete the lecture, hands-on labs, and quizzes that are part of the Splunk Enterprise System
Administration and Splunk Enterprise Data Administration courses in order to be prepared for the
certification exam.
Prerequisite Certification(s):
The following content areas are general guidelines for the content to be included on the exam:
● Splunk Core Certified Power User
● Splunk deployment overview
Prerequisite Course(s):
● License management
● None ● Splunk apps
● Splunk configuration files
Recommended Next Steps: ● Users, roles, and authentication
● Getting data in
● Splunk Certified Developer ● Distributed search
● Splunk Enterprise Certified Architect ● Introduction to Splunk clusters
● Splunk ES Certified Admin ● Deploy forwarders with Forwarder Management
● Splunk ITSI Certified Admin ● Configure common Splunk data inputs
● Splunk SOAR Certified Automation ● Customize the input parsing process
Developer
Looking for more details? Review the test blueprint here.
 © 2022 SPLUNK INC.

Splunk Enterprise Certified Admin

Sample Questions

1. Which Splunk component receives, indexes, and stores incoming data from forwarders?
a. Indexer
b. Search head
c. Cluster master
d. Deployment server

2. Which license type allows 500MB/day of indexing, but disables alerts, authentication, cluster, distributed search,
summarization, and forwarding to non-Splunk servers?
a. Free license
b. Forwarder license
c. Enterprise license
d. Enterprise trial license

3. What can be used when setting the host field option on a network input? (select all that apply)
a. IP
b. DNS
c. A binary file
d. Custom (explicit value)
 © 2022 SPLUNK INC.

Splunk Enterprise Certified Admin

Answer Key

1. Which Splunk component receives, indexes, and stores incoming data from forwarders?
a. Indexer
b. Search head
c. Cluster master
d. Deployment server

2. Which license type allows 500MB/day of indexing, but disables alerts, authentication, cluster, distributed search,
summarization, and forwarding to non-Splunk servers?
a. Free license
b. Forwarder license
c. Enterprise license
d. Enterprise trial license

3. What can be used when setting the host field option on a network input? (select all that apply)
a. IP
b. DNS
c. A binary file
d. Custom (explicit value)
 © 2022 SPLUNK INC.

Splunk Enterprise Certified Architect

What’s on the Exam?
This highly technical certification exam is an 87-minute, 85-question assessment which evaluates a candidate’s
knowledge and skills in Splunk Deployment Methodology and best-practices for planning, data collection, and sizing,
managing, and troubleshooting a standard with indexer and search head clustering. Candidates can expect an
additional 3 minutes to review the exam agreement, for a total seat time of 90 minutes. Candidates for this
certification must complete the lecture, hands-on labs, and quizzes that are part of the Architecting Splunk
Enterprise Deployments, Troubleshooting Splunk Enterprise, and Splunk Enterprise Cluster Administration courses,
as well as the Splunk Enterprise Deployment Practical Lab in order to be eligible for the certification exam.

The following content areas are general guidelines for the content to be included on the exam:

● Requirements definition
● Index and infrastructure planning
Prerequisite Certification(s): ● Clustering Overview
● Forwarder and Deployment
● Splunk Core Certified Power User ● Integration
● Splunk Enterprise Certified Admin ● Splunk Support model
● Splunk troubleshooting methods and tools
Prerequisite Course(s): ● Clarifying the problem, installation, licensing, and crash problems
● UI and search problems
● Architecting Splunk Enterprise ● Configuration problems
● Deployment problems
Deployments
● User management problems
● Troubleshooting Splunk Enterprise
● Large-scale Splunk deployment overview
● Splunk Cluster Administration ● Single-site (high-availability) indexer cluster, multi-site (disaster-recovery) indexer cluster
● Splunk Deployment Practical Lab ● Indexer cluster management and administration
● Indexer discovery forwarder configuration
Recommended Next Steps: ● Search head cluster
● Search head cluster management and administration
● Splunk Core Certified Consultant ● KV Store collection and lookup management

Looking for more details? Review the test blueprint here.

 © 2022 SPLUNK INC.

Splunk Enterprise Certified Architect

Sample Questions

1. Search mode is a setting that optimizes search performance by controlling the amount or type of data that the
search returns. Which of the following are valid search mode settings? (select all that apply)
a. Fast
b. Smart
c. Verbose
d. Transform

2. By default, what is the retention period for the Splunk _audit index?
a. 14 days
b. 30 days
c. 90 days
d. 6 years

3. All Splunk users are unable to run searches. A legacy license file is suspected to have caused the issue. Which
Splunk log component could be used to clarify and confirm the issue?
a. Metrics
b. LMStackMgr
c. ServerConfig
d. SearchProcessRunner
 © 2022 SPLUNK INC.

Splunk Enterprise Certified Architect

Answer Key

1. Search mode is a setting that optimizes search performance by controlling the amount or type of data that the
search returns. Which of the following are valid search mode settings? (select all that apply)
a. Fast
b. Smart
c. Verbose
d. Transform

2. By default, what is the retention period for the Splunk _audit index?
a. 14 days
b. 30 days
c. 90 days
d. 6 years

3. All Splunk users are unable to run searches. A legacy license file is suspected to have caused the issue. Which
Splunk log component could be used to clarify and confirm the issue?
a. Metrics
b. LMStackMgr
c. ServerConfig
d. SearchProcessRunner
 Splunk Core Certified Consultant © 2022 SPLUNK INC.

What’s on the Exam?

This highly technical certification exam is a 117-minute, 86-question assessment which evaluates a candidate’s
knowledge and skills in Splunk Deployment Methodology and best-practices for planning, data collection, and
sizing, managing, and troubleshooting a standard with indexer and search head clustering. Candidates can
expect an additional 3 minutes to review the exam agreement, for a total seat time of 120 minutes. To qualify for
the certification exam, candidates must complete the Indexer Cluster Implementation Lab, the Distributed
Search Migration Lab, the Implementation Fundamentals Lab, the Architect Implementation Labs (1-3), as well
as the Services: Core Implementation course. For a full list of exam eligibility requirements, please refer to the
Splunk Core Certified Consultant track flowchart.

The following content areas are general guidelines for the content to be included on the exam:
● Splunk Validated Architectures
● Monitoring Console configuration
● Authentication Protocols
Prerequisite Certification(s): ● Splunk to Splunk (S2S) Communication
● Data Inputs
● Splunk Core Certified Power User ● Forwarder Types
● HEC Tokens
● Splunk Core Certified Advanced Power User
● Fishbucket Records
● Splunk Enterprise Certified Admin ● Pretrained Sourcetypes
● Splunk Enterprise Certified Architect ● Indexing Buckets
● Event Processing
Prerequisite Course(s): ● Indexing Intervals
● Data Retention
● Search Head Dispatch
● Core Consultant Labs ● Sub-searches
● Services: Core Implementation ● Deployment Apps
● Deployment Server
Recommended Next Steps: ● Indexer Clustering
● Upgrading an Indexer Cluster
● Indexer Cluster Failure Modes
● None
● Multi-site Clustering
● Indexer Migration
● Search Head Clustering

Looking for more details? Review the test blueprint here.

 © 2022 SPLUNK INC.

Splunk Certified Developer

What’s on the Exam?
This upper-level certification exam is a 57-minute, 50-question assessment which evaluates a candidate’s
knowledge and skills to manage various components of Splunk on a daily basis, including the health of the Splunk
installation. Candidates can expect an additional 3 minutes to review the exam agreement, for a total seat time of 60
minutes. It is recommended that candidates for this certification complete the lecture, hands-on labs, and quizzes
that are part of the Splunk Enterprise System Administration and Splunk Enterprise Data Administration courses in
order to be prepared for the certification exam. It is recommended that candidates for this certification complete the
lecture, hands-on labs, and quizzes that are part of the Creating Classic Dashboards with Splunk, Advanced
Dashboards & Visualizations, Building Splunk Apps, and Developing with Splunk’s REST API courses in order to be
prepared for the certification exam.

The following content areas are general guidelines for the content to be included on the exam:
Prerequisite Certification(s):
● Splunk deployment overview
● Splunk Core Certified Power User ● License management
● Splunk Enterprise Certified Admin ● Splunk apps
● Splunk configuration files
Prerequisite Course(s): ● Users, roles, and authentication
● Getting data in
● None ● Distributed search
● Introduction to Splunk clusters
Recommended Next Steps: ● Deploy forwarders with Forwarder Management
● Configure common Splunk data inputs
● None ● Customize the input parsing process

Looking for more details? Review the test blueprint here.

 © 2022 SPLUNK INC.

Splunk Certified Developer

Sample Questions

1. What is a global search?

a. A scheduled search or report shared for use in multiple dashboards.
b. A search with tokens that have defaults set to all indexes or sources.
c. An inline search or report on a dashboard to provide input for post-process searches.
d. A single base search with post-process searches that populate all panels on a dashboard.

2. Simple XML extensions can be used for which of the following file types?
a. JS, CSS
b. CSS, EXE
c. JS, CSS, DOC
d. CSS, HTML, JS

3. To stop a search job with a sid of 1519670895.34, which REST request should be used?
a. /services/search/jobs/1519670895.34/command -d action=stop
b. /services/search/jobs/1519670895.34/command -d action=remove
c. /services/search/jobs/1519670895.34/control -d action=cancel
d. /services/search/jobs/1519670895.34/control -d action=delete
 © 2022 SPLUNK INC.

Splunk Certified Developer

Answer Key

1. What is a global search?

a. A scheduled search or report shared for use in multiple dashboards.
b. A search with tokens that have defaults set to all indexes or sources.
c. An inline search or report on a dashboard to provide input for post-process searches.
d. A single base search with post-process searches that populate all panels on a dashboard.

2. Simple XML extensions can be used for which of the following file types?
a. JS, CSS
b. CSS, EXE
c. JS, CSS, DOC
d. CSS, HTML, JS

3. To stop a search job with a sid of 1519670895.34, which REST request should be used?
a. /services/search/jobs/1519670895.34/command -d action=stop
b. /services/search/jobs/1519670895.34/command -d action=remove
c. /services/search/jobs/1519670895.34/control -d action=cancel
d. /services/search/jobs/1519670895.34/control -d action=delete
 © 2022 SPLUNK INC.

Splunk Enterprise Security Certified Admin

What’s on the Exam?
This app-specific certification exam is an 57-minute, 61-question assessment which evaluates a candidate’s
knowledge and skills in the installation, configuration, and management of Splunk Enterprise Security.
Candidates can expect an additional 3 minutes to review the exam agreement, for a total seat time of 60
minutes. It is recommended that candidates for this certification complete the lecture, hands-on labs, and
quizzes that are part of the Administering Splunk Enterprise Security course, in order to be prepared for the
certification exam.

The Administering Splunk Enterprise Security course focuses on Administrators who manage a Splunk Enterprise
Prerequisite Certification(s):
Security environment, including ES event processing and normalization, deployment requirements, technology
● None add-ons, settings, risk analysis settings, threat intelligence and protocol intelligence configuration, and
customizations.
Prerequisite Course(s):
The following content areas are general guidelines for the content to be included on the exam:
● None
● Identifying normal ES use cases
Recommended Next Steps: ● Examining deployment requirements for typical ES installs
● Knowing how to install ES and gather information for lookups
● Splunk SOAR Certified Automation
● Knowing the steps to setting up inputs using technology add-ons
Developer
● Creating custom correlation searches
● Configuring ES risk analysis, threat, and protocol intelligence
● Fine tuning ES settings and other customizations

Looking for more details? Review the test blueprint here.

 © 2022 SPLUNK INC.

Splunk Enterprise Security Certified Admin

Sample Questions

1. When is it appropriate to use Auto Deployment on Splunk_TA_ForIndexersin a distributed search

configuration?
a. When the indexers are clustered.
b. When there are multiple indexers with the same retention settings.
c. When there are multiple indexers with the same storage volume settings.
d. When there are multiple indexers with different volume and retention settings.

2. In order for ES to automatically take an action upon locating a particular event, what can a correlation search be
configured to execute?
a. Action script
b. Activation prompt
c. Adaptive response
d. Integration script

3. When creating a correlation search, which command will generate a notable event if the risk score for any one host
is greater than 100?
a. | where 'risk_score' > 100
b. | eval risk_score > 100
c. | sum(host)risk_score > 100
d. | All_Risk.risk_score > 100
 © 2022 SPLUNK INC.

Splunk Enterprise Security Certified Admin

Answer Key

1. When is it appropriate to use Auto Deployment on Splunk_TA_ForIndexersin a distributed search

configuration?
a. When the indexers are clustered.
b. When there are multiple indexers with the same retention settings.
c. When there are multiple indexers with the same storage volume settings.
d. When there are multiple indexers with different volume and retention settings.

2. In order for ES to automatically take an action upon locating a particular event, what can a correlation search be
configured to execute?
a. Action script
b. Activation prompt
c. Adaptive response
d. Integration script

3. When creating a correlation search, which command will generate a notable event if the risk score for any one host
is greater than 100?
a. | where 'risk_score' > 100
b. | eval risk_score > 100
c. | sum(host)risk_score > 100
d. | All_Risk.risk_score > 100
 © 2022 SPLUNK INC.

Splunk IT Service Intelligence Certified Admin

What’s on the Exam?
This app-specific certification exam is a 57-minute, 53-question assessment which evaluates a candidate’s
knowledge and skills of the installation and configuration of Splunk's app for IT Service Intelligence (ITSI).
Candidates can expect an additional 3 minutes to review the exam agreement, for a total seat time of 60
minutes. It is recommended that candidates for this certification complete the lecture, hands-on labs, and
quizzes that are part of the Implementing IT Service Intelligence course in order to be prepared for the
certification exam.

The Implementing ITSI course focuses on the use of ITSI to monitor mission-critical services. Major topics include
Prerequisite Certification(s):
ITSI architecture, deployment planning, installation, service design and implementation, configuring entities,
● None notable events, and developing glass tables and deep dives.

Prerequisite Course(s): The following content areas are general guidelines for the content to be included on the exam:

● None ● ITSI architecture and deployment

● Installing ITSI
Recommended Next Steps: ● Designing Services - discovery and best practices
● Implementing services and entities
● None
● Configuring correlation searches and multi KPI alerts
● Managing aggregation policies and anomaly detection
● Troubleshooting and maintenance

Looking for more details? Review the test blueprint here.

 © 2022 SPLUNK INC.

Splunk IT Service Intelligence Certified Admin

Sample Questions

1. Which of the following accurately describes an individual notable event?

a. It is immutable.
b. It can be cloned.
c. It can have its status changed.
d. It can be assigned to an analyst.

2. Which of the following is an adaptive threshold best practice?

a. Use if there is no consistent flow of data.
b. Disable backfill on adaptive threshold data.
c. Use when KPI values are expected to move dynamically.
d. Update adaptive threshold values manually each day at midnight.

3. Within a correlation search, how can a service be associated?

a. By using lookup in the ad hoc search.
b. By modifying correlation_searches.conf
c. By specifying an appropriate time range.
d. By adding the service name to the service field.
 © 2022 SPLUNK INC.

Splunk IT Service Intelligence Certified Admin

Answer Key

1. Which of the following accurately describes an individual notable event?

a. It is immutable.
b. It can be cloned.
c. It can have its status changed.
d. It can be assigned to an analyst.

2. Which of the following is an adaptive threshold best practice?

a. Use if there is no consistent flow of data.
b. Disable backfill on adaptive threshold data.
c. Use when KPI values are expected to move dynamically.
d. Update adaptive threshold values manually each day at midnight.

3. Within a correlation search, how can a service be associated?

a. By using lookup in the ad hoc search.
b. By modifying correlation_searches.conf
c. By specifying an appropriate time range.
d. By adding the service name to the service field.
 Splunk SOAR Certified Automation Developer
© 2022 SPLUNK INC.

What’s on the Exam?

This highly technical certification exam is a 57-minute, 45-question assessment which evaluates a candidate’s knowledge and skills in
installing and configuring a SOAR server and integrating it with Splunk, as well as planning, designing, creating, and debugging playbooks.
Candidates can expect an additional 3 minutes to review the exam agreement, for a total seat time of 60 minutes. It is recommended that
candidates for this certification complete the lecture, hands-on labs, and quizzes that are part of the Administering Splunk SOAR,
Investigating Splunk Incidents with SOAR, Developing SOAR Playbooks, and Advanced SOAR Implementation courses in order to be prepared
for the certification exam. Formerly referred to as Splunk Phantom Certified Admin.

The following content areas are general guidelines for the content to be included on the exam.
● Installation/Initial configuration
● Apps and assets
● User management
● Ingesting data
● Events and containers
● Mission control
Prerequisite Certification(s): ● Running actions and playbooks
● Case management/workflows
● None ● Multi-tenacity
● Clustering
Prerequisite Course(s): ● Automation best practices
● The visual playbook editor
● None
● Using actions and decisions
● Using action results
Recommended Next Steps:
● Testing and debugging playbooks
● Using interaction
● None
● Output formatting
● Complex logic
● Interacting with artifacts
● Using the vault in a playbook
● Custom lists
● Integrating Splunk with SOAR (Phantom)

Review the test blueprint here.

 © 2022 SPLUNK INC.

Splunk O11y Cloud Certified Metrics User

What’s on the Exam?
This foundational-level certification exam is a 120-minute, 100-question assessment which
evaluates a candidate’s knowledge and skills to skill sets in monitoring and investigating
issues using Splunk Observability Cloud. This certification exam evaluates an individual’s
ability to monitor using built-in content, deploy and configure the OpenTelemetry Collector to
send in metrics, visualize metrics, find insights using analytics, and set up alerts to monitor
development environments in real time.

Splunk O11y Cloud Certified Metrics User is a recommended foundational-level certification

Prerequisite Certification(s): track for all candidates in the observability/DevOps/SRE arena.

● None Candidates may reference the Splunk How-To YouTube Channel, Splunk Docs, and draw
from their own Splunk experience. The following is a suggested and non-exhaustive list of
Prerequisite Course(s):
training from our Course Catalog that may cover topics listed in the exam blueprint:
● None
❏ Getting Data into Splunk Observability Cloud
Recommended Next Steps: ❏ Introduction to Splunk Observability
❏ Introduction to Splunk Infrastructure Monitoring
● Splunk Core Certified Power User
❏ Splunk Observability Cloud Teams
● Splunk SOAR Certified
❏ Splunk Observability Cloud Enterprise Features
Automation Developer
❏ Fundamentals of Metrics Monitoring in Splunk Observability
● Splunk IT Service Intelligence
❏ Kubernetes Monitoring with Splunk Observability Cloud
Certified Administrator
❏ Visualizing and Alerting in Splunk IM
 © 2022 SPLUNK INC.

Splunk Certified Cybersecurity Defense

Analyst - launching in beta at .conf23
What’s on the Exam?
This intermediate-level certification exam is a 75-minute, 60-question assessment which
establishes a standard for users of Splunk Enterprise and Enterprise Security who wish to be
certified as cybersecurity professionals. With this certification, you will be able to
demonstrate knowledge critical to detecting, analyzing and combating cyber threats. Help
protect businesses and mitigate risk, while managing vulnerabilities and threats using
common types of cyber defense systems. Splunk Certified Cybersecurity Defense Analyst is
a recommended certification track for all candidates in the cybersecurity/SOC analyst arena.

Prerequisite Certification(s): Candidates may reference the Splunk How-To YouTube Channel, Splunk Docs, Splunk Boss
of the SOC (BOTS) Blog, and draw from their own Splunk experience. The following is a
● None - it’s recommended to have suggested and non-exhaustive list of training from our Course Catalog that may cover topics
Power User Level Knowledge of listed in the exam blueprint:
Splunk Enterprise.
❏ Intro to Splunk
Prerequisite Course(s):
❏ Using Fields
● None ❏ Visualizations
❏ Search Under the Hood
Recommended Next Steps: ❏ Creating Knowledge Objects
● SOC administrator learning path ❏ Data Models
● Splunk Enterprise Security ❏ Introduction to Dashboards
Certified Admin ❏ Using Splunk Enterprise Security
❏ Introduction to Splunk Security Essentials