Splunk 🇺🇸 · 8 min read

How to Pass Splunk Enterprise Certified Admin (SPLK-1003) in 2026: Study Guide

Complete Splunk Enterprise Admin study guide for 2026. Covers all 6 domains, the format ($130, 65 questions, 60 min), deployment architecture, indexer clustering, and a 6-week study plan.

# How to Pass Splunk Enterprise Certified Admin (SPLK-1003) in 2026: Study Guide

The **Splunk Enterprise Certified Admin** (SPLK-1003) is the intermediate-to-advanced certification that validates your ability to install, configure, and manage a Splunk Enterprise deployment. Where the Core User cert proves you can *search* Splunk, the Admin cert proves you can *run* Splunk — configure data inputs, manage users and roles, scale with indexer clustering, and keep the platform healthy.

This guide covers the exam format, all six domains, the key components you must know, the certification progression, and a 6-week study plan.

---

## Exam Facts at a Glance

| Detail | Value |
|---|---|
| Exam code | SPLK-1003 |
| Full name | Splunk Enterprise Certified Admin |
| Number of questions | 65 |
| Time limit | 60 minutes |
| Passing score | 70% (45 or 46 correct) |
| Exam cost | $130 USD |
| Format | Multiple choice / multiple response |
| Delivery | Pearson VUE (online proctored or test center) |
| Prerequisite | Splunk Core Certified User (recommended, not enforced) |
| Validity | 3 years |

---

## The Six Exam Domains

### Domain 1: Splunk Deployment

Understand the components of a Splunk deployment and how they interact. Know the difference between a single-instance deployment (everything on one server) and a distributed deployment (search heads, indexers, and forwarders as separate tiers). Understand horizontal scaling: adding indexer peers increases search and storage capacity; adding search heads increases concurrent search capacity.

### Domain 2: License Management

Splunk licensing is based on daily data ingestion volume (GB/day).
Key concepts:

- **License master (License Manager)**: the server that holds and enforces the license pool
- **License slave (License Peer)**: any Splunk instance that reports its data ingestion to the license master
- **License warning vs violation**: exceeding the daily limit once is a warning; five warnings in a rolling 30-day window triggers a violation that disables search (indexing continues)
- **Stacking licenses**: multiple license files can be combined into a single stack

### Domain 3: Splunk Configuration

Splunk configuration is file-based. All settings live in `.conf` files, and the precedence order determines which setting wins when the same key appears in multiple locations (highest precedence first):

1. System local (`$SPLUNK_HOME/etc/system/local/`)
2. App local (`$SPLUNK_HOME/etc/apps/<app_name>/local/`)
3. App default (`$SPLUNK_HOME/etc/apps/<app_name>/default/`)
4. System default (`$SPLUNK_HOME/etc/system/default/`)

Key conf files: `inputs.conf` (data sources), `outputs.conf` (forwarder destinations), `props.conf` (source type settings, field extractions), `transforms.conf` (lookup definitions, field extraction rules), `indexes.conf` (index definitions), `server.conf` (general server settings), `authorize.conf` (roles and capabilities).

### Domain 4: Splunk Apps

Apps are packaged configurations, searches, and UI components. Admins manage apps via:

- Splunk Web (Apps → Manage Apps)
- `splunk install app` CLI
- Deployment Server (for pushing apps to forwarders)

Understand the difference between an **app** (user-facing, contains dashboards/searches) and an **add-on** (TA — Technology Add-on, contains inputs and props/transforms for a specific data source with no UI).
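The precedence rule in Domain 3 is the kind of thing the exam asks as "two stanzas conflict, which wins?". The following Python script is an added example (not code from this guide or from Splunk) that parses `.conf` text and merges one stanza across the four global-context layers in the order listed above, recording which layer supplied each winning value. The three file contents in `SAMPLE_LAYERS` are constructed; the example deliberately does not model the `[default]` stanza fallback or the ordering among several apps, which the guide does not cover.

```python
import re
from typing import Dict, Optional, Tuple

# The four global-context layers from Domain 3, highest precedence first.
LAYER_ORDER = ("system/local", "app/local", "app/default", "system/default")

# Constructed sample: the same monitor stanza defined at three layers. An
# add-on ships it in app/default, the admin overrides the index in app/local,
# and system/local disables the input outright.
SAMPLE_LAYERS = {
    "app/default": """
# shipped by the add-on
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = main
disabled = 0
""",
    "app/local": """
[monitor:///var/log/auth.log]
index = os_linux
""",
    "system/local": """
[monitor:///var/log/auth.log]
disabled = 1
""",
}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .conf text into {stanza: {key: value}}.

    Recognises [stanza] headers, 'key = value' lines, '#' comment lines and
    blank lines; a value keeps any '=' after the first one.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_stanza(layers: Dict[str, str], stanza: str) -> Dict[str, Tuple[str, str]]:
    """Merge one stanza across layers; each key maps to (value, layer that won).

    Walking the layers from lowest to highest precedence and overwriting means
    the highest-precedence layer that defines a key is the one left standing.
    `layers` maps a LAYER_ORDER name to that layer's file contents.
    """
    merged: Dict[str, Tuple[str, str]] = {}
    for layer in reversed(LAYER_ORDER):
        if layer not in layers:
            continue
        for key, value in parse_conf(layers[layer]).get(stanza, {}).items():
            merged[key] = (value, layer)
    return merged


def resolve(layers: Dict[str, str], stanza: str, key: str) -> Optional[Tuple[str, str]]:
    """Return (value, winning_layer) for a single setting, or None if no layer sets it."""
    return effective_stanza(layers, stanza).get(key)


if __name__ == "__main__":
    merged = effective_stanza(SAMPLE_LAYERS, "monitor:///var/log/auth.log")
    for key, (value, layer) in sorted(merged.items()):
        print(f"{key} = {value}    (from {layer})")
```

Run stand-alone it prints the merged stanza with provenance: `index` comes from `app/local`, `sourcetype` from `app/default`, and `disabled = 1` from `system/local`, so the input is off even though the add-on and the app-level override both leave it enabled. Pointing `SAMPLE_LAYERS` at real file contents read from the four directories gives a quick way to check an answer before trusting `splunk btool`-style reasoning on the exam.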
### Domain 5: Getting Data In

This domain covers how data enters Splunk:

- **Forwarders**: Universal Forwarder (UF) and Heavy Forwarder (HF) ship data to indexers
- **Monitor inputs**: `inputs.conf` `[monitor://path]` stanzas watch files and directories
- **Network inputs**: `inputs.conf` `[tcp://port]` and `[udp://port]` stanzas listen on sockets
- **Scripted inputs**: execute scripts on a schedule and capture their stdout
- **HTTP Event Collector (HEC)**: token-based HTTP/HTTPS endpoint for application logging

### Domain 6: Distributed Search

Splunk distributes search across the indexer tier. The search head sends search jobs to each indexer peer, which searches its local buckets and returns results. The search head merges, sorts, and renders the final output. Key concepts: search peer configuration (`distsearch.conf`), search factor and replication factor in clustered environments, search head pooling vs search head clustering.

---

## Splunk Deployment Components

### Core Components

| Component | Role | Runs full Splunk? |
|---|---|---|
| **Search Head** | Provides the UI, runs SPL, distributes search to indexers | Yes |
| **Indexer** | Receives, parses, stores, and indexes data | Yes |
| **Universal Forwarder (UF)** | Lightweight data shipper, no parsing | No (stripped-down binary) |
| **Heavy Forwarder (HF)** | Full Splunk instance configured to forward data; can parse, route, and filter | Yes |
| **Deployment Server** | Manages configuration and app distribution to forwarder clients | Yes |
| **Cluster Manager (formerly Cluster Master)** | Orchestrates indexer cluster peers, manages bucket replication | Yes |
| **License Manager (formerly License Master)** | Holds the license pool, tracks daily ingestion across all peers | Yes |

### Forwarder Comparison

| Feature | Universal Forwarder | Heavy Forwarder |
|---|---|---|
| Binary size | Small (~20 MB) | Full Splunk (~300+ MB) |
| Data parsing | No — sends raw data | Yes — full parsing pipeline |
| Data routing/filtering | Basic (by destination) | Full (`transforms.conf` routing) |
| Can run searches | No | Yes |
| Typical use | Every endpoint sending data | Parsing syslog, filtering before indexing |
| Managed by Deployment Server | Yes | Yes |

### Data Flow in a Distributed Deployment

```
Data Source
  → Universal Forwarder (ship raw data)
  → [optional Heavy Forwarder (parse/route/filter)]
  → Indexers (index and store)
  → Search Head (search, report, dashboard)
```

---

## Splunk Certification Progression

| Certification | Level | Focus |
|---|---|---|
| Core Certified User | Entry | Search, SPL, dashboards, knowledge objects |
| Core Certified Power User | Intermediate | Advanced SPL, regex, CIM, lookups, macros, data models |
| Enterprise Certified Admin | Intermediate/Advanced | Deployment, clustering, inputs, RBAC, configuration |
| Splunk ITSI Certified Admin | Advanced | IT Service Intelligence monitoring and ML-based alerting |
| Splunk ES Certified Admin | Advanced | Enterprise Security app administration |

The recommended path is User → Power User → Admin. Some candidates skip Power User and go directly to Admin if their role is infrastructure-focused rather than search-focused.

---

## Study Resources

- **Splunk Free Training — Fundamentals 2**: The official free course specifically designed for the Admin exam track. Covers deployment, configuration files, inputs, and basic clustering. Available at `education.splunk.com`. This is mandatory preparation.
- **Splunk Docs**: `docs.splunk.com` — especially the *Admin Manual*, the *Distributed Deployment Manual*, and the *Indexer Clusters and Index Replication* guide. These are the authoritative reference for every exam question.
- **Splunk Community / Answers**: `community.splunk.com` — search for specific configuration questions. Real-world admin scenarios appear frequently.
- **Splunk Quick Reference Guide**: A free downloadable PDF from Splunk covering configuration file precedence, forwarder types, and clustering concepts — excellent last-day review material.
- **CertLand Practice Exams**: 65-question practice exams with full explanations, mapped to the six SPLK-1003 domains. Use these in Weeks 5 and 6 to simulate timed exam conditions.
---

## 6-Week Study Plan

### Week 1: Deployment Architecture and Components

- Study the role of each component: search head, indexer, forwarder (UF vs HF), cluster manager, deployment server, license manager
- Understand single-instance vs distributed deployment
- Draw the data flow diagram from source to search head
- Read: Splunk Docs — *Distributed Deployment Manual* (overview section)
- Goal: explain what each component does and why you would add more of each

### Week 2: Configuration Files and Precedence

- Learn the six key conf files: `inputs.conf`, `outputs.conf`, `props.conf`, `transforms.conf`, `indexes.conf`, `server.conf`
- Memorize the configuration precedence order (system local > app local > app default > system default)
- Practice reading and writing conf file stanzas
- Read: Splunk Docs — *Admin Manual*, Configuration file chapters
- Goal: given a conflict between two stanzas, identify which one wins and why

### Week 3: Getting Data In

- Study all four input types: monitor, network (TCP/UDP), scripted, HEC
- Configure a monitor input for a log file in `inputs.conf`
- Understand HEC: tokens, channels, batch vs streaming, ACK
- Study forwarder `outputs.conf` configuration: `[tcpout]` stanza, `server=`, load balancing
- Read: Splunk Docs — *Getting Data In Manual*
- Goal: configure a Universal Forwarder to send data to an indexer

### Week 4: RBAC, Apps, and License Management

- Study roles: default roles (admin, power, user, can_delete), role inheritance, capabilities
- Study index-level access control (`srchIndexesAllowed`, `srchIndexesDefault`)
- Study license concepts: daily ingestion limit, warning vs violation, license stacking
- Study app management: installing, enabling, deploying via Deployment Server
- Goal: create a new role with specific index access and capabilities

### Week 5: Indexer Clustering

- Study cluster architecture: cluster manager, peer nodes, search factor, replication factor
- Understand the RF >= SF requirement and what happens when peers go offline
- Study bucket types: hot, warm, cold, frozen
- Study multi-site clustering basics (site awareness)
- Take your first full CertLand practice exam (timed, 65 questions)
- Review every wrong answer; map each mistake to a domain

### Week 6: Exam Simulation and Review

- Take two more full practice exams under timed conditions
- Focus review on your weakest domain
- Re-read the relevant Splunk Docs section for any topic you missed
- Review configuration file precedence and clustering factors one more time
- Day before exam: notes review only, no new material
- Exam day: flag difficult questions and return; manage your 60 minutes carefully

---

## Quick Reference: 10 Must-Know Admin Facts

1. Universal Forwarder does NOT parse data — it sends raw events to indexers
2. Heavy Forwarder runs full Splunk — it can parse, filter, and route before forwarding
3. Configuration precedence: system local beats app local beats app default beats system default
4. Replication factor (RF) = number of raw data copies; Search factor (SF) = number of searchable copies; RF must be >= SF
5. Cluster Manager does NOT index data — it only orchestrates peer nodes
6. Deployment Server manages forwarder configurations only — it does NOT manage indexer cluster peers or Search Head Cluster members
7. License violation (5 warnings in 30 days) blocks searches but NOT indexing
8. HEC uses token-based authentication — each token can be bound to a specific index
9. `outputs.conf` on a forwarder defines where data is sent; `inputs.conf` defines what data is collected
10. The `frozenTimePeriodInSecs` index setting determines when data moves to the frozen (deleted) state
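The Week 4 goal (a role with specific index access and capabilities) is where least-privilege mistakes hide: a role that looks modest in its own stanza can inherit broad index access or a sensitive capability through `importRoles`. The Python script below is an added example, not code from this guide or from Splunk, that computes a role's effective index access and enabled capabilities through the inheritance chain. Roles are given as dicts mirroring `authorize.conf` `[role_<name>]` stanzas (`importRoles`, `srchIndexesAllowed`, `srchIndexesDefault`, and capability keys set to `enabled`); the role definitions are constructed, the capability watchlist is an assumption for the review, and the union semantics for inherited index access, the wildcard handling, and the rule that a bare `*` does not reach underscore-prefixed internal indexes are the assumptions the example works from.

```python
import fnmatch
from typing import Dict, List, Set

Role = Dict[str, str]  # one [role_<name>] stanza: setting -> value

# Constructed sample roles (not Splunk's real default role definitions).
SAMPLE_ROLES: Dict[str, Role] = {
    "user": {
        "srchIndexesAllowed": "main",
        "srchIndexesDefault": "main",
        "schedule_search": "enabled",
    },
    "soc_analyst": {
        "importRoles": "user",
        "srchIndexesAllowed": "security;os_*",
        "srchIndexesDefault": "security",
        "list_inputs": "enabled",
    },
    "ir_lead": {
        "importRoles": "soc_analyst",
        "delete_by_keyword": "enabled",
    },
}

# Capabilities worth flagging in a least-privilege review (assumed watchlist).
SENSITIVE_CAPABILITIES = {"delete_by_keyword", "edit_user", "edit_roles", "admin_all_objects"}

# Stanza keys that are settings rather than capabilities.
NON_CAPABILITY_KEYS = {"importRoles", "srchIndexesAllowed", "srchIndexesDefault"}


def _split(value: str) -> List[str]:
    """Split a ';'-separated authorize.conf value into clean items."""
    return [item.strip() for item in value.split(";") if item.strip()]


def expand_roles(roles: Dict[str, Role], name: str) -> List[str]:
    """Return the role plus every role it imports, directly or transitively.

    Depth-first, each role listed once, so import cycles terminate. An
    undefined role name raises KeyError instead of being silently skipped.
    """
    order: List[str] = []
    stack = [name]
    while stack:
        current = stack.pop()
        if current in order:
            continue
        stanza = roles[current]  # KeyError on an undefined role
        order.append(current)
        stack.extend(reversed(_split(stanza.get("importRoles", ""))))
    return order


def effective_role(roles: Dict[str, Role], name: str) -> Dict[str, Set[str]]:
    """Union index access and enabled capabilities across the inheritance chain."""
    result: Dict[str, Set[str]] = {"indexes_allowed": set(), "indexes_default": set(), "capabilities": set()}
    for role in expand_roles(roles, name):
        stanza = roles[role]
        result["indexes_allowed"].update(_split(stanza.get("srchIndexesAllowed", "")))
        result["indexes_default"].update(_split(stanza.get("srchIndexesDefault", "")))
        result["capabilities"].update(
            key for key, value in stanza.items()
            if key not in NON_CAPABILITY_KEYS and value == "enabled"
        )
    return result


def can_search(roles: Dict[str, Role], name: str, index: str) -> bool:
    """True if the role may search `index`, honouring wildcards in srchIndexesAllowed.

    Assumption: internal indexes (leading underscore) are only matched by
    patterns that themselves start with an underscore, e.g. '_*'.
    """
    for pattern in effective_role(roles, name)["indexes_allowed"]:
        if index.startswith("_") and not pattern.startswith("_"):
            continue
        if fnmatch.fnmatchcase(index, pattern):
            return True
    return False


def sensitive_capabilities(roles: Dict[str, Role], name: str) -> Set[str]:
    """Sensitive capabilities the role ends up with, including inherited ones."""
    return effective_role(roles, name)["capabilities"] & SENSITIVE_CAPABILITIES


if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        eff = effective_role(SAMPLE_ROLES, role)
        print(role, sorted(eff["indexes_allowed"]), sorted(eff["capabilities"]),
              "sensitive:", sorted(sensitive_capabilities(SAMPLE_ROLES, role)))
```

Run as-is, the report shows that `ir_lead` can search `main`, `security` and every `os_*` index although its own stanza names no index at all, and that it is the only sample role carrying a watchlisted capability. Feeding it the stanzas from a real `authorize.conf` (parsed with any stanza reader) turns the Week 4 goal into a repeatable check: define the role, then confirm the effective set is exactly what was intended.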
