Working With Time

Working with Time
Working with Time

turn data into doing™ 1 Copyright © 2023 Splunk, Inc. All rights reserved | 25 January 2023
Document Usage Guidelines
• Should be used only for enrolled students
• Not meant to be a self-paced document, an instructor is needed
• Lab Exercise slides reference the hands-on lab exercise guide
that will be provided by your instructor
• Do not distribute
25 January 2023
Working with Time
Course Goals
• Define the _time field
• Compare time modifier and time picker
• Use index-time based modifiers
• Convert UNIX time to human readable time
• Use the timewrap command with timechart
• Describe how time zones are processed
Working with Time

Course Outline
• Searching with Time
• Formatting Time
• Using Time Commands
• Working with Time Zones
Working with Time

Searching with Time
Working with Time

Topic Objectives
• _time field and timestamps
• Viewing and interacting with the Event Timeline
• Using earliest and latest time modifiers
• Using the bin command with _time
Working with Time

The _time Field
• The _time field contains the event's timestamp and is used to
create the event timeline in Splunk Web user interface
• The _time field is stored with the event in the index prior to
search time alongside other metadata fields:
– Important basic default fields: host, source, sourcetype
– Other default fields: _raw, _time, index, timestamp, splunk_server
• _time is expressed in UNIX time (epoch time) and translated to
human-readable UNIX time during the search operation process
• All events are sorted by time, thus _time is the most efficient filter
Working with Time

Timestamp
The _time (timestamp) field and other metadata fields (host,
source, sourcetype, and index) are assigned to every event
The timestamp is
directly derived from
the _time field
Working with Time

Viewing the Timeline
The timeline shows distribution of events in the time range
Working with Time

Timeline Mouse Actions
Hover to view the event count for a specific time and date
Working with Time

Timeline Mouse Actions (cont.)
Click on a timeline column to filter results for that time period
Working with Time

Timeline Mouse Actions (cont.)
Select a narrow time range by click/dragging across multiple columns
Working with Time

Specifying a Time Range
• Always specify a time range before running a search by:
– Using the Time Range Picker
– Including time modifiers in the basic search
Time modifiers in the basic search
Time Range Picker
Working with Time

Using the Time Range Picker
A
preset time ranges
custom time ranges D

A
B
C E
D
E
Working with Time

earliest and latest Time Modifiers
... earliest=[+|-]<timeInt><timeUnit>@<timeUnit>
... latest=[+|-]<timeInt><timeUnit>@<timeUnit>
• Include in basic search to override the Time Range Picker

• <timeInt><timeUnit> is the time amount expressed as an
integer and a unit, e.g. 3h
• @timeUnit ”snaps” to the specified time unit
Note
– Always rounds down, i.e. go backwards through time earliest and latest are rarely
used by themselves. If only
– Canbe used to snap to a certain day of the week: earliest is specified, latest
defaults to now(). If only latest
@w0 for Sunday, @w1 for Monday, etc. is specified, all events up to
latest are retrieved.
Working with Time

Using @<timeUnit>
@ symbol "snaps" to the time unit you specify and will always round
down to the nearest specified unit
Note ?
These searches assume the current time
is exactly 9:45am on April 1st, 2021.
Relative Time Modifiers Search
-30m@h Looks back to 09:00:00 on April 1st 2021
earliest=-h@h Rounds down to 08:00:00 on April 1st 2021
earliest=-mon@mon latest=@mon Looks for events from 00:00:00 on March 1st 2021 to 00:00:00 on
April 1st 2021
earliest=-7d@d Looks for events from 00:00:00 on March 25th (7 days before April
1st) to 09:45:00 on April 1st 2021
earliest=@d+3h Looks for events from 03:00:00 to 09:45:00 on April 1st 2021
Working with Time

<timeUnit> Values List
Relative Time <timeUnit>
Modifiers
Current date & time now
Second s, sec, secs, second, seconds
Minute m, min, minute, minutes
Hour h, hr, hrs, hour, hours
Day d, day, days

Week w, week, weeks
Days of the week w1 (Monday)…w6 (Saturday), w7 or w0
(Sunday)
Month mon, month, months
Quarter q, qtr, qtrs, quarter, quarters
Year y, yr, yrs, year, years
Working with Time
Default Time Fields
• Events with timestamp information have
date_* fields
• These fields are generated for events that
include date/timestamp in the raw data
• Provides extra information for searching
• These fields do not change based on a
user's time zone
Working with Time

Time Modifiers and Time Fields Example
Scenario ? index=sales sourcetype=vendor_sales B
A new campaign aimed at early A earliest=-2d@d latest=@d date_hour>=2 AND date_hour<5
morning sales is ongoing. Display | bin span=1h _time
early morning retail sales for 2-5
am for the previous two days.
| stats sum(price) as "Hourly Sales" by _time
C | eval Hour = strftime(_time, "%b %d, %I %p")
| table Hour, "Hourly Sales"
• The search looks for events

A
from the last 2 days, excluding today

• Splunk retrieves events from 2am to
B
5am with no timezone adjustment

• strftime function and time zones are
C
discussed in the following topics
Working with Time

bin Command
...| bin <field> [span=<int>[<timescale>]] [bins=<int>] [as <newfield>]
• Puts numerical values into discrete sets, or bins

• Adjusts values so all events in a bin share the same <field> value
• Set the size for each bin with the span option
• Specify a maximum number of bins with the bins option
...| bin <field> span=1000
1000 - 2000 2000 - 3000 3000 - 4000 5000 - 6000
Working with Time

bin Command Example 1
Scenario index=web sourcetype=access_combined
An analyst in BizOps wants a list | stats sum(price) as totalSales by product_name
of products grouped by revenue | bin totalSales span=100
range over the last 24 hours. | stats list(product_name) as product_name by totalSales
| sort totalSales
| eval totalSales = "$".totalSales
Working with Time

bin Command Example 1 (cont.)
The bins option grants more flexibility because it adapts the results
to different time ranges
index=web sourcetype=access_combined
| stats sum(price) as totalSales by product_name
| bin totalSales bins=10
| stats list(product_name) as product_name by totalSales
| sort totalSales
| eval totalSales = "$".totalSales
Working with Time

bin Command with the _time Field
• When used with _time, the bin command can sort result values into
bins based on time
• Time values are adjusted so that all items in a bin share the
same time value
...| bin _time span=1hrs
09:00:00-09:59:59 10:00:00-10:59:59 11:00:00-11:59:59 12:00:00-12:59:59
Working with Time

bin Command: <timescale> Values
Time Scale Syntax
<sec> s | sec | secs | second | seconds

<min> m | min | mins | minute | minutes
<hr> h | hr | hrs | hour | hours
<day> d | day | days
<month> mon | month | months
<subseconds> us | ms | cd | ds
Working with Time

bin Command Example 2
Scenario ? 1 index=games sourcetype=SimCubeBeta Action=* earliest=-10m@m
List the number of times an action 2 | bin span=2m _time
was seen on the Sim Cubicle Beta | stats count, list(Action) as Action by _time
server over the last 10 minutes.
Group actions into 2-minute chunks.
Working with Time

Preview: The Next Topics
Formatting Time Using Time Commands Working with Time Zones

Time functions:
now Time zones and your data
time timechart
relative_time timewrap Using strftime to convert
strftime timestamps to local timezone
strptime
Working with Time

Searching With Time Lab Exercise
Time: 20 minutes
Tasks:
• Test your knowledge of the earliest and latest time modifiers
• Use the bin command to group badge reader events
Working with Time

Formatting Time
Working with Time

Topic Objectives
• Using eval date and time functions to format time:
– now
– time
– relative_time
– strftime
– strptime
Working with Time

eval Command
...| eval <field1>=<expression1>[, <field2>=<expression2>]
• Calculates an expression and puts the resulting value into a new

or existing field which can be reused in the search pipeline
• Extremely powerful and useful command that supports a vast
assortment of functions
• Supports a vast assortment of functions
• Can exist as an expression
Working with Time

eval Date and Time Functions
now(): returns the time a search was started
...| eval field1 = now()
time(): returns the time an event was processed by eval command
...| eval field1 = time()
Working with Time

Date and Time Functions: relative_time
...| eval field1 = relative_time(X,Y)
• Returns an epoch timestamp relative to a supplied time

• X is a number, representing desired time in epoch seconds
• Y is a relative time specifier
• Relative time specifiers use time unit abbreviations such as:
s = seconds m = minutes h = hours d = days w = week mon = months y = year
...| eval yesterday = relative_time(now(),"-1d@h")
Working with Time

Date and Time Functions: Format Variables
Format variables are used by the strftime and strptime functions
discussed in the following slides
Time Days Months & Years
%H 24 hour 00 - 23 %d Day of month 01 to 31 Abbreviated
%b month name Jan
%T 24 hour HMS %w Weekday 0 to 6 %B Month name January
Abbreviated
%I 12 hour 01 - 12 %a weekday Sun %m Month number 01 - 12
%M minute 00 - 59 %A Weekday Sunday %Y Year 2020
%p AM or PM %F year-month-day %Y-%m-%d
...| eval yesterday = relative_time(now(),"-1d@h")

| eval yesterdayString = strftime(yesterday,"%F %H:%M")
Previous example converted to a string format
Working with Time

Date and Time Functions: strftime
...| eval field1 = strftime(X,Y)
Renders a UNIX timestamp (X) as a string based on the format

specified by Y
index=sales sourcetype=vendor_sales
index=sales sourcetype=vendor_sales | timechart span=1h sum(price) as h_sales
| timechart span=1h sum(price) as h_sales | eval _time = strftime(_time,"%b %d, %I %p")
Before formatting After formatting
Working with Time

Date and Time Functions: strptime
...| eval field1 = strptime(X,Y)
Converts a time represented by a string (X) to a UNIX timestamp

based on formatting determined by Y
index=systems sourcetype=system_info asctime=*
| eval NewAsctime = strptime(asctime, "%Y-%m-%d %H:%M:%S,%N")
| table asctime, NewAsctime
Working with Time

Using Time Commands
Working with Time

Topic Objectives
• Use the timechart command
• Use the timewrap command
Working with Time

timechart Command
...| timechart <stats-func>(<field>) by <field>
[span=<int><timescale>] [limit=<int>]
• Performs statistical aggregations against time

• Can utilize various statistical aggregate functions
– Commonly used with count and sum functions
– Not all functions are discussed in this module
• Plots and trends data over time where _time is always the x-axis
• Results can be split by another <field> using a by clause
• The span and limit options control additional aspects of timechart
output and are discussed in succeeding slides
Working with Time

timechart Command Example
Scenario
How many usage
violations have occurred
during the last 7 days?
index=network sourcetype=cisco_wsa_squid usage=Violation
| timechart count
Note
The count function
returns a count of
all events or for a
specific field.
Working with Time

timechart Command: With by Clause
Scenario
What is the overall index=network sourcetype=cisco_wsa_squid earliest=-24h
usage trend for | timechart count by usage
the last 24 hours?
Each column represents

a line in the line chart
Note
Using timechart, you
can only split by one
field because _time is
the implied first by field.
Working with Time

timechart Command: span Option
• The timechart command "buckets" the values of the _time field
based on time range if no span argument is specified
• Examples:
A– Last 60 minutes uses span=1m
B– Last 24 hours uses span=30m
index=security sourcetype=linux_secure vendor_action=*

| timechart count by vendor_action
Working with Time

timechart Command: span Option (cont.)
Manually adjust the interval using the span option
index=security sourcetype=linux_secure vendor_action=*

| timechart span=15m count by vendor_action
Working with Time

timechart Command: limit Option
The limit option controls the number of distinct values returned by
the by clause field
Scenario
index=web sourcetype=access_combined
What was the total web
| timechart span=1h sum(price) by product_name limit=5
sales for our top products
during the last 24 hours?
Working with Time

timewrap Command
...| timewrap [<int>]<timescale>
• Displays the output of the timechart command, so that each time

period is a separate series
• Can compare data over a specific time period, such as day-over-
day or month-over-month
Each line is a
separate series
Working with Time

timewrap Command Example
Scenario ? index=security "failed password" earliest=-14d@d latest=@d
Compare the number of A | timechart span=1d count as Failures
password failures over the last
B | timewrap 1w
week to password failures
over the previous week.
| rename _time as Day
| eval Day = strftime(Day, "%A")
Data series are automatically

renamed based on timescale
A timechart creates
one data series
spanning 14 days
timewrap splits data into two

series, each spanning a week
and sharing the same weekdays
B
Working with Time

timewrap Command Example (cont.)
Expanding the time range adds more data series
index=security "failed password" earliest=-19d@d latest=@d
| timechart span=1d count as Failures
| timewrap 1w
| rename _time as Day
| eval Day = strftime(Day, "%A")
Note
The Failures_2weeks_before
series is truncated because the
timespan of the search is not
evenly divisible by the duration
specified by timewrap.
Working with Time

Formatting Time & Using Time Commands Lab Exercise
Time: 30 minutes
Tasks:
• Use the timechart command and time formatting functions to
fulfill three different scenario requests
– Find and visualize non-business network activity from the previous
business week
– Compare network server errors from last week to the daily average
over the last month
– Generate a detailed sales report from last week's online sales data
Working with Time

Working with
Time Zones
Working with Time

Topic Objectives
• Understand how time and timezones are represented in your data
• Determine the time zone of your server
• Use strftime to correct timezones in results
Working with Time

Checking Your Data
Scenario ? earliest=-2d@d latest=@d date_hour>=2 AND date_hour<5
A new campaign aimed at early | bin span=1h _time
morning sales is ongoing. Display | stats sum(price) as "Hourly Sales" by _time
am for the previous two days. | eval Hour=strftime(_time, "%b %d, %I %p")
What you see What you expected to see
Working with Time

Don't Forget Time Zones!
Scenario ? earliest=-2d@d latest=@d date_hour>=2 AND date_hour<5
A new campaign aimed at early | bin span=1h _time
morning sales is ongoing. Display | stats sum(price) as "Hourly Sales" by _time
am for the previous two days. | eval Hour=strftime(_time, "%b %d, %I %p")
• Remember, date_* fields do not reflect your local time, but are
the values of time/date directly from the raw events
• To determine your time zone:
1. In Preferences, set Time Zone to Default System Timezone
2. Run a search over the last 15 minutes
3. Read the event timestamps and compare with your local time
Working with Time

Using strftime with Time Zones: %H
• Many organizations that span multiple time zones normalize their
data to UTC (Universal Time Coordinated)
• Use the %H argument with the strftime function to display data
with user's time zone preference
earliest=-d@d latest=@d
| eval my_hour = strftime(_time,"%H")
| table my_hour, date_hour
Working with Time

Using strftime with Time Zones Example
Scenario ? index=sales sourcetype=vendor_sales earliest=-2d@d latest=@d
A new campaign aimed at early | eval my_hour = strftime(_time,"%H")
morning sales is ongoing. Display
| search my_hour>=2 AND my_hour<5
am for the previous two days. | bin span=1h _time
| stats sum(price) as "Hourly Sales" by _time
| eval Hour=strftime(_time, "%b %d, %I %p")
This is the same search shown earlier, modified to work in any

time zone using %H
Working with Time

Wrap-up Slides
Working with Time

Wrap-up
• You should now be able to:
– Use time modifiers, date_* fields, and time range picker to control
search behavior
– Group events using time with the bin command
– Format time with the eval command
– Use the timewrap command with timechart
– Use strftime to correct timezones in results
Working with Time

• Splunk Community Portal –
Community community.splunk.com
• Answers
• Discussions
• Splunk Trust
• User Groups
• Ideas
• Splunk Blogs – splunk.com/blog/
• Splunk Base – splunkbase.com
• Apps
• Curated Collections
• Splunk Docs on Twitter – twitter.com/splunkdocs
• Splunk Dev on Twitter – twitter.com/splunkdev
• Splunk on Slack – splk.it/slack
Working with Time
turn data into doing™ • .conf –56conf.splunk.com Copyright © 2023 Splunk, Inc. All rights reserved | 25 January 2023
• Knowledge Base – Search knowledge base,
Community answers, and docs to troubleshoot your issue
• splunk>dev – Documentation for developers
• Splunk Docs – Product, best practices, and tools
documentation for all Splunk products
• Splunk Lantern – Actionable guidance by experts
• Create a case – Support for critical issues
• Contact Us – Find region-specific support
• (855) SPLUNK.S or (855) 775.8657
• Not in the US? Find your local office
• System Status – Cloud Services, Observability
Cloud, Splunk On-Call, Synthetic Monitoring
• Splunk Product Security – Critical Security Alerts,
Quarterly Security Patches, and 3rd Party Bulletins
Working with Time
© 2022 SPLUNK INC.
Splunk How-To Channel

Free, short videos on a variety of Splunk topics: splk.it/How-To
Working with Time

Learning Paths
Search Expert – Recommended Courses
Free eLearning courses are highlighted in blue and courses with an *
are present in both learning paths.
• What is Splunk * • Result Modification
• Introduction to Splunk * • Leveraging Lookups and Subsearches
• Using Fields * • Correlation Analysis
• Scheduling Reports and Alerts • Search Under the Hood
• Visualizations • Multivalue Fields
• Statistical Processing • Search Optimization *
• Working with Time
• Comparing Values
Working with Time

Learning Paths
Knowledge Manager – Recommended Courses
Free eLearning courses are highlighted in blue and courses with an *
are present in both learning paths.
• What is Splunk * • Enriching Data with Lookups
• Introduction to Splunk * • Data Models
• Using Fields * • Introduction to Dashboards
• Introduction to Knowledge Objects • Dynamic Dashboards
• Creating Knowledge Objects • Using Choropleth
• Creating Field Extractions • Search Optimization *
Working with Time

© 2022 SPLUNK INC.
Splunk Mobile
• Free app available to all Splunk Cloud
and Splunk Enterprise customers
• Analyze data and receive
actionable alerts on-the-go
with mobile-friendly dashboards
• iOS and Android
• See the Product Brief
• Download for iOS splk.it/ios
Working with Time

Splunk Certification
Offerings & Requirements
Working with Time

Splunk Core and Beyond
Regardless of which Splunk product you use, it all starts with Splunk Core
Splunk Cloud
Splunk Core
Recommended
Splunk Enterprise
Working with Time

App-Specific Offerings
For Splunk Add-Ons
App ES ITSI SOAR

Developer Administration Administration Automation
Developer
Working with Time

Splunk Core Certified User
This entry-level certification demonstrates an individual's basic ability to navigate
and use Splunk software
Prerequisite Certification(s): Splunk Core Certified User Exam Congratulations! You are a...
• None Time to study! We suggest candidates looking to prepare for
this exam complete Fundamentals 1 or the following courses:
Prerequisite Course(s): • What is Splunk?
• None • Intro to Splunk
• Using Fields
• Scheduling Reports and Alerts
• Visualizations
• Statistical Processing
• Working with Time Recommended Next Step
• Leveraging Lookups and Subsearches
• Splunk Core Certified Power User
• Search Optimization
• Enriching Data with Lookups
• Data Models
See here for registration assistance.
Working with Time

Splunk Core Certified Power User
This entry-level certification demonstrates an individual's foundational
competence of Splunk’s core software
Prerequisite Certification(s): Splunk Core Certified Power User Exam Congratulations! You are a...
• None Time to study! We suggest candidates looking to prepare for
this exam complete Fundamentals 2 or the following courses:
Prerequisite Course(s): • Visualizations
• None • Statistical Processing
• Result Modification
• Correlation Analysis
• Search Under the Hood Recommended Next Steps
• Introduction to Knowledge Objects
• Splunk Core Certified Advanced Power User
• Creating Knowledge Objects
• Creating Field Extractions • Splunk Enterprise Certified Admin
• Data Models
• Using Choropleth • Splunk Cloud Certified Admin
Working with Time

Splunk Core Certified Advanced Power User
This certification demonstrates an individual's ability to generate complex searches,
reports, and dashboards with Splunk’s core software to get the most out of their data
Prerequisite Certification(s): Splunk Core Certified Advanced Power User Exam Congratulations! You are a...
• Splunk Core Certified Power User Time to study! We suggest candidates looking to prepare for this exam
complete Fundamentals 3, Creating Dashboards, and Advanced
Searching & Reporting or the following courses:
Prerequisite Course(s):
• Using Fields
• None
• Result Modification
• Correlation Analysis
• Search Under the Hood Recommended Next Steps
• Multivalue Fields
• Splunk Enterprise Certified Admin
• Search Optimization
• Creating Field Extractions • Splunk Cloud Certified Admin
• Enriching Data with Lookups
• Data Models
• Using Choropleth
• Introduction to Dashboards
• Dynamic Dashboards
Working with Time
Splunk Cloud Certified Admin
This certification demonstrates an individual's ability to support the
day-to-day administration and health of a Splunk Cloud environment
Prerequisite Certification(s): Splunk Cloud Certified Admin Exam Congratulations! You are a...
• Splunk Core Certified Power User Time to study! We suggest candidates looking to
prepare for this exam complete either the Splunk
Prerequisite Course(s): Cloud Administration or the Transitioning to
Splunk Cloud course.
• None
Both courses will equally prepare candidates for
the exam, but are tailored to meet the needs of
the individual based on prior Splunk experience.
Splunk Cloud Administration is designed for

net-new administrators working in a Splunk Cloud Recommended Next Steps
environment. Transitioning to Splunk Cloud is
• Splunk Certified Developer
for experienced Enterprise administrators looking
to maximize their success in migrating to a Cloud
environment.
Working with Time

Splunk Enterprise Certified Admin
This certification demonstrates an individual's ability to support the
day-to-day administration and health of a Splunk Enterprise environment
Prerequisite Certification(s): Splunk Enterprise Certified Admin Exam Congratulations! You are a...
• Splunk Core Certified Power User Time to study! We suggest candidates looking to
prepare for this exam complete the following courses:
Prerequisite Course(s):
• Splunk System Administration
• None • Splunk Data Administration
Recommended Next Steps

• Splunk Enterprise Certified Architect
• Splunk Certified Developer
Working with Time

Splunk Certified Architect
This certification demonstrates an individual's ability to deploy, manage, and
troubleshoot complex Splunk Enterprise environments
Prerequisite Certification(s): Splunk Enterprise Certified Architect Exam Congratulations! You are a...
• Splunk Core Certified Power User Time to study! We require candidates looking to register for
• Splunk Enterprise Certified Admin this exam to complete the following prerequisite courses:
• Architecting Splunk Enterprise Deployments
Prerequisite Course(s): • Troubleshooting Splunk Enterprise
• Splunk Cluster Administration
• Architecting Splunk Enterprise Deployments • Splunk Deployment Practical Lab
• Troubleshooting Splunk Enterprise
Candidates who are Splunk Enterprise Certified Admin
• Splunk Cluster Administration and have completed all of the above courses will automatically
• Splunk Deployment Practical Lab receive an exam authorization for the Splunk Enterprise Recommended Next Steps
Certified Architect exam within 5-7 business days of receiving
their passing lab results. • Splunk Core Certified Consultant
Working with Time

Splunk Core Certified Consultant
This certification demonstrates an individual's ability to properly size, install, and implement Splunk
environments and to advise others on how to utilize the product and maximize its value for their needs
Prerequisite Certification(s): Splunk Core Certified Consultant Exam Congratulations! You are a...
• Splunk Core Certified Power User Time to study! We require candidates looking to register
• Splunk Enterprise Certified Admin for this exam to complete the following prerequisite
courses:
• Splunk Enterprise Certified Architect
• Fundamentals 3, Creating Dashboards, Advanced
Searching & Reporting*
Prerequisite Course(s): • Core Consultant Labs
• Advanced Power User courses or digital badge* • Services Core Implementation
• Core Consultant Labs Candidates who are Splunk Enterprise Certified
• Indexer Cluster Implementation Architects and have completed all of the above courses
must contact [email protected] to request their
• Distributed Search Migration Core Consultant exam authorization. Recommended Next Steps
• Implementation Fundamentals • None
• Architect Implementation 1-3 *These Advanced Power User courses can be replaced with a Splunk
Certified Advanced Power User badge or completion of the following
• Services Core Implementation courses: • Correlation Analysis
• Using Fields • Result Modification
• Creating Field Extractions • Multivalue Fields
• Enriching Data with Lookups • Search Under the Hood
• Data Models • Introduction to Dashboards
• Search Optimization • Dynamic Dashboards
• Working with Time • Using Choropleth
• Comparing Values Working with Time
Splunk Certified Developer
This certification demonstrates an individual's expertise in drilldowns, advanced behaviors
and visualizations, planning, creating, and packaging apps, and REST endpoints
Prerequisite Certification(s): Splunk Certified Developer Exam Congratulations! You are a...
• Splunk Core Certified Power User Time to study! We suggest candidates looking
AND to prepare for this exam complete the
following courses:
• Splunk Enterprise Certified Admin
• Creating Dashboards with Splunk*
OR • Advanced Dashboards & Visualizations
• Splunk Cloud Certified Admin • Building Splunk Apps
• Developing with Splunk’s REST API
Prerequisite Course(s): This course may also be substituted with the Recommended Next Steps
• None following newly-launched courses:
• None
• Introduction to Dashboards
• Dynamic Dashboards
• Using Choropleth
Working with Time

Splunk Enterprise Security Certified Admin
This certification demonstrates an individual's ability to install, configure, and
manage a Splunk Enterprise Security deployment
Prerequisite Certification(s): Splunk Enterprise Security Congratulations! You are a...

• None Certified Admin Exam
Time to study! We suggest candidates
Prerequisite Course(s): looking to prepare for this exam complete
• None the following course:
• Administering Splunk Enterprise
Security
Please note: all candidates are expected

to have working knowledge and Recommended Next Steps
experience as either Splunk Cloud or
• Splunk Phantom Certified Admin
Splunk Enterprise Administrators.
Working with Time

Splunk IT Service Intelligence Certified Admin
This certification demonstrates an individual's ability to deploy, manage,
and utilize Splunk ITSI to monitor mission-critical services
Prerequisite Certification(s): Splunk IT Service Intelligence Certified Congratulations! You are a...
• None Admin Exam
Time to study! We suggest candidates looking to
Prerequisite Course(s): prepare for this exam complete the following
• None course:
• Implementing Splunk IT Service Intelligence
Please note: all candidates are expected to have

working knowledge and experience as either
Splunk Cloud or Splunk Enterprise Recommended Next Steps
Administrators.
• Courses on Observability
Working with Time

Splunk SOAR Certified Automation Developer
This certification demonstrates an individual's ability to install and configure
a SOAR server, integrate it with Splunk, and plan, design, create, and debug
playbooks
Prerequisite Certification(s): Splunk SOAR Certified Automation Congratulations! You are a...
• None Developer Exam
Time to study! We suggest candidates looking to
Prerequisite Course(s): prepare for this exam complete the following courses:
• None • Administering SOAR (Phantom)
• Developing SOAR (Phantom) Playbooks
• Advanced SOAR (Phantom) Implementation
Please note: all candidates are expected to have

working knowledge and experience as either Splunk Recommended Next Steps
Cloud or Splunk Enterprise Administrators. • None
Working with Time

© 2022 SPLUNK INC.
Thank You

Working With Time

Uploaded by

Copyright:

Available Formats

Working With Time

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Working With Time

Uploaded by

Copyright:

Available Formats

Working with Time