Going Further

Wrap up, grab the cheat sheet, and pick your next workshop.

10 min · Beginner · Authors: Splunk Workshop Team & Robert Castley · Tags: wrap-up, reference

You shipped a working Splunk install, ingested data, and turned raw events into a dashboard. The rest is repetition and depth. This page is your wrap-up: a video summary, a cheat sheet to take home, downloadable starter configs, and pointers to the workshops most people tackle next.

Where you are now

You’ve completed three sessions: Session 1, Introduction (the tour) at /hugo-theme-splunk-workshop/workshops/getting-started/01-introduction/; Session 2, Installation (your first install) at /hugo-theme-splunk-workshop/workshops/getting-started/02-installation/; and Session 3, First Search (SPL + dashboards) at /hugo-theme-splunk-workshop/workshops/getting-started/03-first-search/. That’s the full beginner arc.

Throughout, you’ve been working against splunk> Workshop edition — a lightly-themed Splunk Enterprise build with our OpenTelemetry Collector pinned at version . The same SPL, the same UI, the same data model as production.

If you want a quick rule of thumb for when to use what: use SPL for ad-hoc investigations, dashboards for trend tracking, and alerts for anything you’d want to wake up about at 3am.

60-second recap

A short video walkthrough that revisits the three workflows you just used end-to-end. Swap in your own workshop video by changing the YOUR_VIDEO_ID placeholder.

Architecture you just built

The pipeline below is what your three sessions actually assembled, end to end: agent → ingest → search/alert. Worth a screenshot.

```mermaid
graph LR
    A[Hosts / Apps] -->|OTel SDK| B(OTel Collector)
    B -->|OTLP| C{Splunk Indexer}
    C --> D[Search Head]
    D --> E[Dashboards]
    D --> F[Alerts]
    D --> G[Reports]
```

Most production Splunk deployments look like this: same shape, more boxes.

The math behind your alerts

Workshop alerts use a simple standard-deviation threshold. The formula is the population variance, square-rooted:

$$\sigma = \sqrt{\frac{1}{n}\sum_{i=1}^{n}(x_i - \mu)^2}$$

Your alert in Session 3 fired when a metric drifted more than 2σ from its 24-hour mean — a classic streaming-stats pattern. Splunk’s streamstats command computes this in real time.

A single SPL block to take home

This is the search that powered the dashboard you built. Save it as a macro and reuse it on any host.

```spl
search index=main earliest=-24h
| eventstats avg(response_ms) as avg, stdev(response_ms) as stdev by host
| eval upper = avg + (2 * stdev)
| where response_ms > upper
| sort -response_ms
```

The search uses eventstats rather than stats so that each event keeps its own response_ms next to the per-host avg and stdev; with plain stats the per-event field would be gone after the aggregation and the where clause would match nothing. The two lines you’d most likely tweak are the time window (earliest=-24h) on line 1 and the deviation multiplier (2 * stdev) on line 3.
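To see exactly what that search computes, here is the same logic as a short Python script. It is an added example for this wrap-up, not code from the workshop or from Splunk: the host names and latencies are constructed sample events standing in for the last 24 hours of index=main, and each event is compared against its own host's avg + 2 * stdev. statistics.stdev is used because Splunk's stdev() is the sample standard deviation (n-1); stdevp() in Splunk, and statistics.pstdev here, would match the population formula shown above.

```python
# Added example for this wrap-up (not the workshop's or Splunk's code):
# the take-home search re-implemented over constructed sample events.
from collections import defaultdict
from statistics import mean, stdev

# Constructed events: hypothetical hosts and response times standing in for
# `index=main earliest=-24h`. web-01 has a stable baseline plus one spike.
EVENTS = [
    {"host": "web-01", "response_ms": v}
    for v in (120, 110, 130, 125, 115, 120, 118, 122, 128, 112, 900)
] + [
    {"host": "web-02", "response_ms": v} for v in (300, 310, 290, 305)
]


def per_host_upper(events, multiplier=2.0):
    """Per-host `avg + multiplier * stdev`, the equivalent of
    `eventstats avg(response_ms) as avg, stdev(response_ms) as stdev by host
     | eval upper = avg + (multiplier * stdev)`.
    statistics.stdev is the sample standard deviation (n-1), matching
    Splunk's stdev(); statistics.pstdev would mirror stdevp()."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["response_ms"])
    return {
        host: mean(vals) + multiplier * (stdev(vals) if len(vals) > 1 else 0.0)
        for host, vals in by_host.items()
    }


def slow_events(events, multiplier=2.0):
    """`where response_ms > upper | sort -response_ms`: every event is
    compared against its own host's threshold, slowest first."""
    upper = per_host_upper(events, multiplier)
    hits = [e for e in events if e["response_ms"] > upper[e["host"]]]
    return sorted(hits, key=lambda e: e["response_ms"], reverse=True)


if __name__ == "__main__":
    for host, limit in sorted(per_host_upper(EVENTS).items()):
        print(f"{host}: upper = {limit:.1f} ms")
    for e in slow_events(EVENTS):
        print("ALERT", e)
```

One thing the script makes visible that the SPL hides: the spike itself is part of the sample and inflates the host's stdev. With only four baseline points for web-01, the 900 ms event would fall under its own 2σ line and never fire, so the window needs enough normal traffic for the baseline to dominate, and raising the multiplier trades sensitivity for fewer false alarms.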

SPL quick reference

The cheat sheet below is also available as a standalone page if you want to bookmark it. It lives in content/snippets/cheatsheet.md and is pulled in here via {{< include >}} so it stays in sync everywhere.

SPL Cheat Sheet

A short reference of the most-used SPL commands. Embedded into other pages via the include shortcode.

| Command | Purpose | Example |
|---|---|---|
| search | Filter events | `search status=500` |
| stats | Aggregate | `stats count by host` |
| eval | Compute fields | `eval is_error = if(status>=500, 1, 0)` |
| where | Post-filter | `where count > 10` |
| sort | Reorder | `sort -count` |
| head | Top N | `head 20` |

Combine them with the pipe (|), left to right: the output of one command is the input of the next.

What’s next

Pick one. They’re independent, run about 60–90 min each, and range from Easy to Advanced.

Pages in this workshop

For reference, here’s what the full workshop tree looks like:

```text
getting-started/
├── 01-introduction
├── 02-installation
├── 03-first-search
└── 04-going-further
    ├── sample-pipeline.yaml
    └── quickref.txt
```

Deepen your understanding

A few collapsibles for the topics that came up during the workshop but didn’t warrant their own section. Open whichever match your next question.

Why does `streamstats` outperform `stats` for alerting?

streamstats computes its aggregates incrementally as events arrive; it doesn’t need to wait for the time bucket to close. That’s the difference between an alert that fires within seconds and one that fires at the bucket boundary.

Internally Splunk keeps a sliding window per group; memory grows with the cardinality of the by clause, so use it with care on high-cardinality fields.
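The sliding window described above, as an added Python example (not from the workshop page and not Splunk's implementation): it emulates `streamstats window=5 current=false avg(response_ms) stdev(response_ms) by host`, keeping one fixed-length deque per host and flagging an event that exceeds the window's mean + 2 * stdev. The hosts, latencies and window size are constructed assumptions; the point it shows is that state is one window per distinct `by` value, which is where the cardinality cost comes from.

```python
# Added example for this wrap-up (not the workshop's or Splunk's code):
# a per-group sliding window that mimics
# `streamstats window=5 current=false avg(response_ms) stdev(response_ms) by host`.
from collections import deque
from statistics import mean, stdev


class StreamingStats:
    """One fixed-length window per group key, like streamstats with a `by`
    clause. State is (distinct groups) x (window) values, so memory grows
    with the cardinality of the `by` field, not with the number of events."""

    def __init__(self, window=5, multiplier=2.0):
        self.window = window
        self.multiplier = multiplier
        self.groups = {}  # group key -> deque of the most recent values

    def update(self, group, value):
        """Ingest one event; return (avg, stdev, is_outlier) for the window
        as it stood *before* this event (current=false), so a spike is judged
        against the recent baseline instead of diluting it."""
        win = self.groups.setdefault(group, deque(maxlen=self.window))
        if len(win) >= 2:
            avg, sd = mean(win), stdev(win)
            flagged = value > avg + self.multiplier * sd
        else:
            avg, sd, flagged = None, None, False  # not enough history yet
        win.append(value)  # the deque drops the oldest value once full
        return avg, sd, flagged

    def tracked_groups(self):
        return len(self.groups)


# Constructed stream (hypothetical hosts and latencies) in arrival order.
STREAM = [
    ("web-01", 120), ("web-01", 125), ("web-01", 115), ("web-01", 128),
    ("web-01", 118), ("web-01", 900),
    ("web-02", 300), ("web-02", 310), ("web-02", 290), ("web-02", 305),
]


def run_stream(stream, window=5, multiplier=2.0):
    """Feed events in order; return (alerts, groups tracked), where each
    alert is (event index, host, value)."""
    ss = StreamingStats(window, multiplier)
    alerts = []
    for i, (host, value) in enumerate(stream):
        _, _, flagged = ss.update(host, value)
        if flagged:
            alerts.append((i, host, value))
    return alerts, ss.tracked_groups()


if __name__ == "__main__":
    print(run_stream(STREAM))
```

Run as is, the 900 ms event on web-01 is the only alert, and it is raised the moment it arrives rather than at the end of a 24-hour bucket. Swap the `by` key for something like a client IP or a session id and `tracked_groups()` climbs with every new value seen, which is the memory growth the note above warns about.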

Common deployment topologies (single-instance vs. distributed)

Single-instance is what you ran in Session 2 — one process, all roles. Fine for workshops, dev, and small teams (under ~100 GB/day).

Distributed splits roles across hosts: indexers shard data, search heads run queries, a deployment server manages config. The threshold for splitting is usually data volume, not user count.

Take it home

Downloadable assets bundled with this page: drag them straight into your project.

Claim your certificate

Add this workshop to your LinkedIn profile in two taps. The badge is pre-filled with the workshop name, the issuing org, and today’s date.


When you’re ready to keep going, the next workshop is one click away.


You're done!

You can close this tab, or keep it open for the cheat sheet. Either way: thank you for spending the hour with us, and we’ll see you in the next workshop.