Prerequisites
Almost everyone that will register for the Splunk Architecture Certification exam will have done it through an employer sponsorship. Otherwise, it will become prohibitively expensive to take all the courses plus pay for exam.
In order to take the Architect exam you need to take and pass a series of courses before Splunk will even let you register for the exam. The following is a list of prereq's required.
- Using Splunk
- Searching and Reporting with Splunk
- Creating Splunk Knowledge Objects
- Splunk Administration
- Advanced Dashboards and Visualizations
- Architecting and Deploying Splunk
Through my previous Splunk experience, I was able to get some of the requirements waived and initially take Power User certification exam, having only taken the Creating Knowledge Objects course. The Power User certification was surprisingly difficult. However, you have 3 opportunities to take the exam. This is the same with the Splunk admin exam. These exams are free. However, given the limited stakes and ability to retake the exam 3 times, these certifications are not a good indication on skill level.
The most useful courses to prepare for the Architect exam are the following.
- Creating Splunk Knowledge Objects
- Splunk Administration
- Advanced Dashboards and Visualizations
Now onto the good stuff.
Architect exam
The Architect exam provides test takers up to 24 hours to complete the task. Most users will complete the exam in less than 24 hours. Nonetheless, it took me 24 hours to complete the exam. However, this includes time to eat, and a good nights sleep.
There is more than one way to do things in Splunk. This applies to the Splunk architect exam. It may not be 'best' practice or ideal, or the way you do things, but as long as it works you should be good. Keep in mind you only have 24 hours to complete the exam.
Quick and dirty is better than perfect because it allows you to maintain momentum and complete the exam. You may be used to doing it your way or best practices but sometimes it is okay to configure through the GUI and call it a day. Sometimes you do not need to parse all the fields but only those that are necessary to create your dashboard.
Preparing for the exam
Many test takers get stuck on the step where they need to script the install of universal forwarders. I recommend using an existing script or making one yourself and test it before the exam. During the exam, my initial script was hanging and I used a backup script to get through this step.
I did not do this. But it is also a good idea to setup a couple AWS or Azure instances and practice setting up a Splunk environment from the ground up using search heads, indexers and forwarders. Note: setup using bare instances which means no AMI's or pre-built instances.
Exam time
I found it extremely helpful and timesaving to manage access through SSH keys so I didn't have to type a password every time to log onto my instances.
The exam does NOT test clustering. So no need to setup search head clusters, or index clusters. You will however need to know how to setup peer distributed search aka >1 indexer.
There's no shame in doing things through the GUI, unless the exam specifically calls out for it. =)
I am accustomed to making adjustments directly in the .conf file and appifying those configs. However, done is better than perfect. I most likely could have saved a couple of hours had I followed this advice.
It is worth reserving an hour before the end time to go over everything to make sure you had all bases covered. Some parts are tricky and you can easily overlook something small like I did.
Summary
The most useful courses to prepare for the Architect exam are the following.
- Creating Splunk Knowledge Objects
- Splunk Administration
- Advanced Dashboards and Visualizations
Now onto the good stuff.
Architect exam
The Architect exam provides test takers up to 24 hours to complete the task. Most users will complete the exam in less than 24 hours. Nonetheless, it took me 24 hours to complete the exam. However, this includes time to eat, and a good nights sleep.
There is more than one way to do things in Splunk. This applies to the Splunk architect exam. It may not be 'best' practice or ideal, or the way you do things, but as long as it works you should be good. Keep in mind you only have 24 hours to complete the exam.
Quick and dirty is better than perfect because it allows you to maintain momentum and complete the exam. You may be used to doing it your way or best practices but sometimes it is okay to configure through the GUI and call it a day. Sometimes you do not need to parse all the fields but only those that are necessary to create your dashboard.
Preparing for the exam
Many test takers get stuck on the step where they need to script the install of universal forwarders. I recommend using an existing script or making one yourself and test it before the exam. During the exam, my initial script was hanging and I used a backup script to get through this step.
I did not do this. But it is also a good idea to setup a couple AWS or Azure instances and practice setting up a Splunk environment from the ground up using search heads, indexers and forwarders. Note: setup using bare instances which means no AMI's or pre-built instances.
Exam time
I found it extremely helpful and timesaving to manage access through SSH keys so I didn't have to type a password every time to log onto my instances.
The exam does NOT test clustering. So no need to setup search head clusters, or index clusters. You will however need to know how to setup peer distributed search aka >1 indexer.
There's no shame in doing things through the GUI, unless the exam specifically calls out for it. =)
I am accustomed to making adjustments directly in the .conf file and appifying those configs. However, done is better than perfect. I most likely could have saved a couple of hours had I followed this advice.
It is worth reserving an hour before the end time to go over everything to make sure you had all bases covered. Some parts are tricky and you can easily overlook something small like I did.
Summary
Overall, for those with hands-on experience with Splunk, I recommend going for the Architect certification. The exam truly tests your ability to setup a small Splunk environment and allows you to test and demonstrate your knowledge from installing, to search, to creating dashboards. If I had to redo the exam, I would have used the GUI more.
