TechForward SIEM Core 1

Module 1 - What is Big Data? The 4 v's of big data?

Module 2 - What is Splunk? (Use cases, product overview)

Module 3 - Splunk components: Indexer, Search Head, Forwarders, Deployment Server, Heavy Forwarder

Module 4 - Indexing pipeline (Parsing, Indexing, Searching)

Module 5 - Licensing and deployment options

Module 6 - Demo: Install Splunk Enterprise on Linux

Module 7 - Understanding the Splunk Application

Module 8 - Upgrading Splunk

Module 9 - Demo: Upgrading Splunk Enterprise on Linux

Module 10 - Introduction to Splunk Search Interface

Module 1 - Basic Search Syntax

Module 2 - Essential Search Commands

Module 3 - Working with Time and Fields

Module - Lab - Validate Data Ingestion with Search

Writing Automated Tests

Module 1 - Inputs overview: Monitor, TCP/UDP, Scripted

Module 2 - Data flow: Parsing queue to Indexing queue

Module 3 - Index-time vs Search-time operations

Module 4 - Bucket types, structure, and retention

Module 5 - Configuring inputs.conf and indexes.conf

Module 6 - Hands-on: Ingest sample logs and verify indexing

Module 1 - Universal Forwarder vs Heavy Forwarder

Module 2 - Installing and configuring forwarders

Module 3 - outputs.conf: routing to indexers or HFs

Module 4 - Configuring Deployment Server (serverclass.conf)

Module 5 - Best practices for forwarder management

Module 6 - Lab: Manage multiple forwarders with Deployment Server

Module 1 - props.conf overview: LINE_BREAKER, TIME_PREFIX, etc.

Module 2 - Timestamp extraction, event breaking

Module 3 - transforms.conf: field extractions, routing, masking

Module 4 - Index-time vs Search-time field extraction

Module 5 - Best practices for onboarding structured/unstructured logs

Module 6 - Lab: Mask and route logs using transforms

Module 7 - Syslog, syslog-ng, and rsyslog for log ingestion

Module 1 - Security & Authentication

Module 2 - Role-based access control (authorize.conf)

Module 3 - Enabling and configuring TLS/SSL

Module 4 - Secure communication: Forwarders to Indexers

Module 5 - Lab: Implement TLS and configure secure roles

Module 1 - Distributed Search

Module 2 - Search Head and Search Peer setup

Module 3 - Search bundles and knowledge object replication

Module 4 - KV Store: use cases and configuration

Module 5 - Lab: Connect multiple indexers to a search head

Module 6 - Indexer Clustering - What is indexer clustering? When to use it

Module 7 - Cluster Master, Peer Nodes, and Search Heads

Module 8 - Replication Factor (RF) and Search Factor (SF)

Module 9 - Bucket replication and failure recovery

Module 10 - Configuration files: server.conf, indexes.conf

Module 11 - Lab: Deploy a 3-node indexer cluster

Module 12 - Search Head Clustering - Overview of Search Head Clustering

Module 13 - Deployer configuration and app bundling

Module 14 - Cluster members communication and state sync

Module 15 - Troubleshooting SHC replication and conflicts

Module 16 - Lab: Set up a 3-node Search Head Cluster with Deployer

Module 1 - Components of the Search Head

Module 2 - SPL (Search Processing Language)

Module 3 - CIM (Common Information Model)

Module 4 - Building Production Splunk Apps

Module 1 - Final Capstone Project 1 - Design Core Splunk Backend Architecture (Domains 1, 2, 3, 6)

Module 2 - Implement core Splunk roles (Domains 1, 2, 3, 6)

Module 3 - Implement ingestion & routing using core configs (Domains 2 & 3)

Module 4 - Validate distributed search, clustering, and data flow (Domain 6)

Module 5 - Document and present architecture

Module 1 - Final Capstone Project 2 - Refine & extend architecture (Domains 1, 2, 3, 6)

Module 2 - Implement full parsing & normalization pipeline (Domain 4)

Module 3 - Implement security, authentication & TLS (Domain 5)

Module 4 - End-to-end validation: data, clustering, security (Domains 2, 4, 5, 6)

Module 5 - Final presentation & documentation (Domains 1–6)