Here is a redesigned SPLK-1004 study plan that focuses more on "learning content as the core," incorporating:

• Goal-oriented structure (clear objectives for each phase)

• Pomodoro technique (25+5 minute sessions for efficient and focused learning)

• Spaced repetition based on the forgetting curve (scientifically scheduled reviews)

• Daily actionable tasks (what to learn + what to do + what to review)

Week 1: Master the basics of Splunk search and field processing. Keywords: stats, eval, lookup, alerts.
Week 2: Become proficient in performance optimization and search acceleration techniques. Keywords: acceleration, tstats, DMA.
Week 3: Master advanced search logic and data processing skills. Keywords: mv fields, transaction.
Week 4: Excel in visualization and interactive dashboard development. Keywords: dashboard, drilldown, form.

WEEK 1: Mastering Core Search Concepts and Field Handling

Weekly Objective:
By the end of this week, you should be able to confidently write foundational SPL queries using statistical commands, create and manipulate fields with eval, perform data enrichment with lookups, configure alerts with actions, and handle field extractions. You will also build strong habits in using search filters and visualizing basic data summaries.

Time Commitment:
~2.5 hours per day (5 Pomodoros/day, 25 minutes per Pomodoro + short breaks)

Day 1 – Exploring Statistical Commands

Topics to Study:

• stats, eventstats, streamstats, timechart, chart

• Aggregation functions: count, sum, avg, min, max, dc, values, list

• Grouping with by clauses

Tasks:

1. Read about each statistical command and compare how they handle data (event-level vs summary).

2. Write a stats query showing error count by host.

3. Use eventstats to calculate the average response time per user and add it to each event.

4. Use streamstats to track cumulative bytes over time.

5. Use timechart to show daily average CPU usage per host.

6. Reflect: how are these commands different in behavior and performance?

Pomodoros: 5 (3 study + 2 hands-on practice)

Day 2 – Exploring the eval Command and Functions

Topics to Study:

• Arithmetic, conditional, string, date/time, multivalue, and cryptographic functions

• if(), case(), replace(), split(), strftime(), strptime(), mvindex(), etc.

Tasks:

1. Practice using eval to create new fields: full name from first + last, status label from response time.

2. Write at least 10 eval expressions: 2 each from different function types.

3. Try using case() to assign labels to users based on access level.

4. Convert a readable date string into epoch time and back using strptime() and strftime().

5. Reflect: which functions were easiest to use? Which ones need more practice?

Pomodoros: 5 (3 study + 2 practice)

Day 3 – Exploring Lookups

Topics to Study:

• Static CSV lookup, KV store lookup, external lookups

• Commands: lookup, inputlookup, outputlookup

• Automatic lookups and configuration (conceptual only)

Tasks:

1. Create a CSV file with user_id, name, and department; upload it to Splunk.

2. Use lookup to enrich web log events with user names based on user_id.

3. Use inputlookup to view all rows of the file.

4. Write a search that finds new users and writes them into a new CSV with outputlookup.

5. Reflect: what’s the difference between lookup and inputlookup in behavior?

Pomodoros: 5 (2 study + 3 hands-on practice)

Day 4 – Exploring Alerts

Topics to Study:

• Types of alerts: scheduled vs real-time

• Trigger conditions and search results

• Alert actions: email, webhook, script, lookup update

• Throttling and alert suppression

Tasks:

1. Create a scheduled alert that detects when login failures exceed 100 in 10 minutes.

2. Configure the alert to send an email with tokens in the subject.

3. Create a real-time alert that logs to an index when a specific service goes down.

4. Add throttling to prevent duplicate alerts from the same user every 30 minutes.

5. Reflect: which alert type is better for fast detection? Which is better for reporting?

Pomodoros: 4 (2 study + 2 configuration practice)

Day 5 – Advanced Field Creation and Management

Topics to Study:

• Field extraction using rex and erex

• Field aliasing and calculated fields

• Index-time vs search-time field extraction (conceptual)

Tasks:

1. Use rex to extract the username from log entries that look like user=jsmith.

2. Use erex to let Splunk suggest a regex based on examples.

3. Create a calculated field that converts response time to milliseconds.

4. Define a field alias from src_ip to source_ip.

5. Reflect: how does rex differ from calculated fields in scope and usage?

Pomodoros: 5 (3 study + 2 practice)

Day 6 – Weekly Review and Reinforcement

Topics to Review:

• Concepts and SPL from Days 1 to 5

Tasks:

1. Create flashcards summarizing key commands, syntax, and use cases.

2. Take a 15-question practice quiz based on the week’s topics.

3. Rebuild 3 SPL queries you wrote earlier, but optimize them (e.g., better filters, use eventstats).

4. Reflect on which topic was the most difficult and why.

5. Prepare a 3-minute explanation of “how eval works” as if teaching a peer.

Pomodoros: 6 (2 recap + 2 quiz + 2 hands-on rebuild)

Day 7 – Rest or Exploration (Optional Advanced Practice)

Optional Task:
Build a small dashboard using:

• One table panel showing events with enriched user names (using lookup)

• One panel showing login errors over time (using timechart)

• One alert linked to dashboard panel data

Alternatively, take a day off and briefly review notes or flashcards at night to reinforce memory.

Pomodoros: 3 (if exploring)

WEEK 2: Search Acceleration and Performance Optimization

Weekly Objective:
By the end of Week 2, you will be able to apply data model acceleration, create and use summary indexes, understand the tstats command and how it improves performance, tune slow searches, and leverage macros and structured data for cleaner and faster queries.

Time Commitment:
~2.5 hours per day (5 Pomodoros/day, 25-minute blocks with breaks)

Day 8 – Working with Self-Describing Data and Files

Topics to Study:

• Formats: JSON, XML, Key-Value pairs

• Commands: spath, xmlkv, multikv, and kv_mode

• Parsing nested or structured logs

Tasks:

1. Use spath to extract fields from a JSON payload like payload.customer.name.

2. Parse XML logs using xmlkv and verify field auto-extraction.

3. Enable KV_MODE=json and observe automatic parsing behavior.

4. Use multikv to parse command-line output with headers and rows.

5. Reflect: in which log formats would spath or kv_mode be more useful?

Pomodoros: 4 (2 study + 2 practice with sample logs)

Day 9 – Advanced Search Macros

Topics to Study:

• Static vs parameterized macros

• Macro syntax and structure

• Best practices: naming, nesting, documentation

Tasks:

1. Create a static macro called high_error_rate that filters status=500.

2. Create a parameterized macro filter_by_status(method, status) and test it.

3. Use the macro inside a saved search and reuse it in 2 panels.

4. Document the macro's logic inside the UI.

5. Reflect: how does macro use improve search modularity?

Pomodoros: 5 (2 learning + 3 implementation)

Day 10 – Report Acceleration and Summary Indexing

Topics to Study:

• Scheduled report acceleration

• Summary indexing using collect

• Comparing acceleration methods

Tasks:

1. Create a scheduled report that runs hourly and enable report acceleration.

2. Check the summary range and monitor summary metadata.

3. Write a search that summarizes traffic per host using stats, then use collect to save to the summary index.

4. Write a second search that queries this summary index to generate a report.

5. Reflect: when should you use report acceleration vs summary indexing?

Pomodoros: 5 (2 study + 3 applied practice)

Day 11 – Data Models, tstats, and tsidx Files

Topics to Study:

• Data model acceleration (DMA)

• tsidx file structure and tsidx reduction

• tstats vs stats

• Summary range and performance impact

Tasks:

1. Accelerate a data model (e.g., Web.Web) for 7 days.

2. Use tstats to retrieve count and sum(bytes) grouped by status and _time.

3. Compare a tstats vs stats search for the same purpose and time range.

4. Observe query speed and system load difference.

5. Reflect: what must be true for tstats to be available?

Pomodoros: 5 (3 study + 2 timed comparisons)

Day 12 – Efficient Search Techniques and Using the Job Inspector

Topics to Study:

• Search order: filtering first, transformations second

• Indexed field usage and time constraints

• Job Inspector for performance breakdown

Tasks:

1. Review the order of search, where, eval, stats, and table.

2. Refactor 2 old searches to improve filtering (add index, sourcetype, earliest).

3. Use Job Inspector to inspect both original and refactored searches.

4. Identify phases taking the most time (parsing, dispatch, execution).

5. Reflect: how much faster is your optimized version?

Pomodoros: 5 (2 reading + 3 experimental comparison)

Day 13 – Weekly Review and Optimization Challenge

Topics to Review:

• Days 8 to 12 (data parsing, macros, acceleration, performance)

Tasks:

1. Take a 15-question quiz on Week 2 topics (search tuning, tstats, acceleration).

2. Build a 3-panel dashboard powered by:

   • A base search using a macro

   • One panel querying a summary index

   • One panel using tstats on a data model

3. Optimize a saved search using Job Inspector + indexed fields

4. Reflect on what worked best: macros, acceleration, or summary indexing?

Pomodoros: 6 (1 quiz + 3 build + 2 review and improvement)

Day 14 – Optional Rest or Deep Practice

Optional Task:
Select any slow search you’ve written. Try to:

• Add indexed field constraints

• Use fields early to reduce processing

• Replace stats with tstats or summary indexing

• Share a before-and-after comparison and document the speed difference

Alternatively, take a well-deserved rest day and revisit key flashcards in the evening for light recall.

Pomodoros: 3 (if practicing)

WEEK 3: Mastering Advanced Search Logic and Complex Data Structures

Weekly Objective:
By the end of this week, you should be confident working with multivalue fields, transactions, time functions, and subsearches. You’ll also deepen your understanding of data filtering and build the logic needed for complex correlations and reporting.

Time Commitment:
~2.5 hours per day (5 Pomodoros/day)

Day 15 – Manipulating and Filtering Data

Topics to Study:

• Filtering using search, where, and regex

• Field management using fields +, fields -, rename, eval, replace

Tasks:

1. Write a search that filters by status=200 and uses where to check for bytes > 1000.

2. Add regex to match URI paths starting with /api/.

3. Use eval and replace() to clean up a field (e.g., format usernames or remove dashes from phone numbers).

4. Rename uri_path to URL and exclude _raw and _time using fields -.

5. Reflect: what’s the best order of operations to improve performance while preserving accuracy?

Pomodoros: 5 (2 focused learning + 3 real dataset transformation)

Day 16 – Working with Multivalue Fields

Topics to Study:

• makemv, mvexpand, mvcount, mvindex, mvfilter

• Real-world applications: emails, tags, IP lists, roles

Tasks:

1. Use makemv to split a field like [email protected];[email protected];[email protected] into a multivalue field.

2. Use mvexpand to create one event per email address.

3. Extract the second value using mvindex(field, 1) and create a new field called second_email.

4. Filter events where users had more than one assigned role using mvcount(user_roles) > 1.

5. Use mvfilter to keep only values from a multivalue field that match a domain (@gmail.com).

6. Reflect: when would you prefer mvexpand versus filtering inside mvfilter?

Pomodoros: 5 (2 concept learning + 3 real-world field testing)

Day 17 – Using Advanced Transactions

Topics to Study:

• transaction command

• Fields: startswith, endswith, maxspan, maxpause, keepevicted

• Comparing transaction vs stats

Tasks:

1. Create a transaction to group events by session_id from login to logout.

2. Apply maxspan=30m and maxpause=5m to control grouping limits.

3. Add keepevicted=true to include incomplete sessions in your results.

4. Create a similar grouping using stats (with earliest(_time) and latest(_time)) and compare results.

5. Reflect: which approach is more performant and more reliable in your dataset?

Pomodoros: 5 (2 training + 3 comparative testing)

Day 18 – Working with Time

Topics to Study:

• _time field and epoch format

• Functions: now(), strftime(), strptime(), relative_time()

• Explicit time ranges (earliest, latest)

Tasks:

1. Convert _time to readable format using strftime(_time, "%Y-%m-%d %H:%M:%S").

2. Use strptime() to convert string "2024-04-01" to epoch time.

3. Use relative_time(now(), "-1h@h") to get the start of the previous hour.

4. Build a search that only looks at events from the last 3 hours with earliest=-3h latest=now.

5. Reflect: how can time-based filtering improve performance and reduce irrelevant results?

Pomodoros: 4 (2 syntax practice + 2 search construction and timing)

Day 19 – Using Subsearches

Topics to Study:

• Inline subsearches

• Subsearch structure: [ search ... ]

• join, append, subsearch limits (results, runtime, memory)

• Alternatives: lookup, tstats, inputlookup

Tasks:

1. Create an inline subsearch to retrieve the most active user from login logs and feed that into a user=[ search ... ] outer query.

2. Create a search using join user [ search ... ] to enrich location data from a second index.

3. Check performance impact and identify when a subsearch is too large.

4. Replace a join subsearch with a lookup and measure improvement.

5. Reflect: what are the 3 main risks of using subsearches improperly?

Pomodoros: 5 (2 syntax learning + 3 query building and performance testing)

Day 20 – Review and Challenge Day (Advanced Correlation)

Topics to Review:

• Days 15–19 (field transformation, mv fields, transactions, time, subsearch)

Tasks:

1. Complete a 15-question quiz on multivalue handling, transaction, and time functions.

2. Create a complex query that filters events from the past 24 hours where users had multiple roles and failed login attempts, grouped as sessions.

3. Build a table with session start, end, duration, and error counts.

4. Optimize the query by replacing slow parts (transaction, subsearch) with faster constructs.

5. Reflect: what did you optimize, and how much faster did the query become?

Pomodoros: 6 (1 quiz + 3 task building + 2 optimization and feedback)

Day 21 – Optional Rest or Capstone Mini-Project

Optional Task:
Build a "User Behavior Dashboard" with the following features:

• A table panel showing multivalued roles per user

• A graph showing session duration over time (with transaction or stats)

• A time picker to filter events from the last 7 days

• At least one subsearch or macro used inside the query logic

Reflect on how much you've learned in three weeks by revisiting the Week 1 dashboard — can you improve it now?

Pomodoros: 3 (if working on dashboard project)

WEEK 4: Dashboards, Drilldowns, Advanced Visuals, and Final Review

Weekly Objective:
By the end of this week, you should be able to create polished, interactive dashboards using forms and tokens, optimize them for performance, apply advanced drilldowns, and use custom visualizations. You’ll also consolidate everything you’ve learned, take a full practice exam, and identify final improvement areas.

Time Commitment:
2.5–3 hours per day (5–6 Pomodoros/day)

Day 22 – Creating a Dashboard Prototype

Topics to Study:

• What is a prototype dashboard

• Panels (chart, table, single value)

• Base search and post-processing

Tasks:

1. Open Dashboard Studio and create a new prototype with at least 3 panels.

2. Design a layout with logical grouping and labels: e.g., one section for user activity, one for traffic trends.

3. Use mock data from inputlookup if live data isn't available.

4. Define a base search that pulls data for multiple panels, and apply post-processing (| stats, | timechart) in each panel separately.

5. Reflect: how does a base search reduce dashboard load and improve consistency?

Pomodoros: 5 (2 UI exploration + 3 dashboard building)

Day 23 – Using Forms and Dynamic Inputs

Topics to Study:

• Form inputs: text box, drop-down, checkbox, time picker

• Token usage: $token_name$, dynamic filtering

• Dependent inputs

Tasks:

1. Add a drop-down input to control status values dynamically ($status$).

2. Add a time picker that controls earliest and latest.

3. Add a dependent drop-down (e.g., select region, then populate host based on region).

4. Use the token values in at least two panel queries and one panel title (Status: $status$).

5. Reflect: what’s the benefit of letting users control tokens in real-time?

Pomodoros: 5 (2 study + 3 build and test with tokens)

Day 24 – Improving Dashboard Performance

Topics to Study:

• Scheduled reports

• Real-time vs historical searches

• Shared base search strategy

• Job Inspector for dashboards

Tasks:

1. Convert one dashboard panel to use a scheduled report.

2. Replace multiple identical searches with one base search reused via base="...".

3. Eliminate real-time panels unless absolutely necessary; replace with auto-refresh + latest time range.

4. Use Job Inspector to measure load time for each dashboard panel before and after optimization.

5. Reflect: how much time did optimization save? Where can you reduce load further?

Pomodoros: 5 (2 optimization planning + 3 implementation and testing)

Day 25 – Customizing Dashboards

Topics to Study:

• Dashboard Studio layout tools

• HTML/CSS in Classic Dashboards

• Branding, formatting, section headers

Tasks:

1. Apply a consistent color theme using Dashboard Studio styling or HTML/CSS.

2. Add a custom logo, header, or footer section using a text or HTML panel.

3. Reposition panels to create logical zones (KPI overview, detailed view, charts).

4. Use icons or conditional formatting (e.g., red for high error counts).

5. Reflect: how does good UX and styling improve readability and usability?

Pomodoros: 4 (2 styling + 2 layout organization)

Day 26 – Drilldowns and Advanced Visualizations

Topics to Study:

• Drilldown syntax in Classic XML and Studio

• Click-to-filter behavior using tokens

• Custom visualizations (gauge, Sankey, Treemap)

Tasks:

1. Add a drilldown to a table: when a row is clicked, update a second panel with related detail (e.g., click user → show login events).

2. Create a bar chart that drills down into another dashboard, passing tokens via URL (e.g., /app/search/details?form.user=$row.user$).

3. Install a custom visualization from Splunkbase (e.g., Treemap) and use it in one panel.

4. Add a hover tooltip or custom label to an existing visualization.

5. Reflect: what type of drilldown behavior is most useful for your typical use case?

Pomodoros: 5 (2 study + 3 implementation)

Day 27 – Full Mock Exam + Feedback

Task:

1. Set a timer and simulate a 65-minute SPLK-1004 exam using a practice test (choose 50 questions).

2. After completion, grade your results and review every wrong answer.

3. For each incorrect item, write down:

   • The concept tested

   • The reason for your mistake

   • The correct SPL or approach

4. Track your final score and goal: aim for 85% or higher.

5. Reflect: which areas were weakest, and which were strongest?

Pomodoros: 6 (3 exam + 3 analysis and notes)

Day 28 – Final Review, Concept Map, Teaching Output

Tasks:

1. Create a concept map or mind map that shows how all 22 knowledge points connect (e.g., "Dashboards → Drilldown → Tokens → Searches").

2. Use flashcards (physical or app) to quiz yourself on key SPL syntax and behavior.

3. Teach 3 concepts aloud as if explaining to a peer:

   • How transaction differs from stats

   • How tstats improves search speed

   • How a dashboard drilldown works

4. Identify your 3 weakest topics and write a 3-line summary of each.

5. Reflect: you’ve now covered 4 weeks of material. What would you tell yourself if you were just starting?

Pomodoros: 6 (2 concept output + 2 review + 2 oral teaching)

---