An interactive, hands-on Splunk workshop delivered as a Splunk app. Participants follow guided labs through a React UI embedded directly in Splunk — no slides, everything runs inside the platform.
Built for experienced Splunk users: admins, use case developers, and champions who want to go deeper.
- Experienced and ambitious Splunk users
- Use case owners and developers
- Splunk admins
| Chapter | Topics |
|---|---|
| 0 · Setup | Health Check — verify indexes and app/Splunk version at a glance |
| 1 · Settings | GUI options, Search Assistant, Stock Index Search & tstats |
| 2 · Data | Indexes, buckets, data pipeline, distributed architecture, data aging |
| 3 · Search | Search basics, SPL2, command types, Job Inspector, terms/segmentation, tstats, search tips, Splunk MCP Server (optional), quiz |
| 4 · Metrics | Log-to-metrics, mcollect, mcatalog, mstats, weather data reference, stock index metrics lab |
| 5 · XML Dashboards | Base search, drilldown, annotations, colors, post-processing |
| 6 · Dashboard Studio | Tutorial, data sources, interactivity, layout, custom visualizations, canvas viz library, sharing |
| 7 · Mobile | Splunk Mobile overview and demo |
Download the latest release from the Releases page and install as a standard Splunk app.
- Compatible with Splunk 8+
- Works on Splunk Cloud
- Not intended for production systems — no warranty
If you have access to show.splunk.com, the workshop is available on Splunk Show.
The app ships with real historical data used across the labs:
- `s4c_stock_indices` — up to 10 years of daily OHLCV for 9 major indexes (DAX, Dow, EURO STOXX 50, FTSE 100, Hang Seng, Nasdaq, Nikkei, S&P 500, SMI). Ingested by `update_stock_indices.py` (Yahoo chart API, stdlib only; `_time` = Unix epoch). Join `exchange_city` to `s4c_meteo_historic` on `date` + `city`.
- `s4c_meteo_historic` — Daily historical weather for the seven index `exchange_city` values (2016 → rolling; Paris/CAC removed). Shipped `static/meteo_historic.csv` (lookup name `meteo_historic` still works via a symlink in `lookups/`) plus `update_meteo_historic_csv.py` (Open-Meteo archive, daily) to keep the calendar in step with new index data. Join on `date` and `city` = `exchange_city`.
- `s4c_weather` — Real-time OpenWeatherMap data for metrics labs.
- `s4c_tutorial` — Web server logs for search and dashboard exercises.
After creating a HEC for Phyphox data, add to the HEC config:

`/etc/apps/splunk_httpinput/local/inputs.conf`

```
[http://phyphox]
allowQueryStringAuth = true
```
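
An added check for the setting above (not part of the workshop app): `allowQueryStringAuth = true` lets a client send the HEC token as a URL query parameter, so the token can end up in proxy and access logs. This Python script merges `default/` and `local/` layers of `inputs.conf` and lists the enabled token stanzas that allow it; the layer contents, the token value, and every stanza name other than `[http://phyphox]` are constructed for the example.

```python
# Added example: list HEC tokens that accept the token in the URL query string.
TRUE_VALUES = {"1", "true", "t", "yes", "y"}  # spellings treated as true here

# Constructed sample layers; only the [http://phyphox] stanza is from the README.
DEFAULT_CONF = """
[http://lab_sensor]
allowQueryStringAuth = true

[http://old_token]
allowQueryStringAuth = 1
"""
LOCAL_CONF = """
# local/ overrides default/
[http://phyphox]
token = 00000000-0000-0000-0000-000000000000
allowQueryStringAuth = true

[http://lab_sensor]
allowQueryStringAuth = false

[http://old_token]
disabled = 1
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def merge_layers(*layers):
    """Merge parsed layers; later layers (local/) override earlier ones (default/)."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged

def is_true(value):
    return value.strip().lower() in TRUE_VALUES

def query_string_auth_tokens(conf):
    """Names of enabled [http://<name>] stanzas with allowQueryStringAuth on."""
    if is_true(conf.get("http", {}).get("disabled", "0")):
        return []  # HEC switched off globally in the [http] stanza
    return sorted(
        name[len("http://"):] for name, s in conf.items()
        if name.startswith("http://")
        and is_true(s.get("allowQueryStringAuth", "false"))
        and not is_true(s.get("disabled", "0")))

if __name__ == "__main__":
    merged = merge_layers(parse_conf(DEFAULT_CONF), parse_conf(LOCAL_CONF))
    print(query_string_auth_tokens(merged))
```
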
Verify index status, event counts, and date ranges. Shows Splunk and app version at a glance.
Production-ready Splunk Canvas 2D API visualizations — cloned, built, and invoked directly with no Splunk experience required. No future development dependency or Cursor required.
Workshop content is collected, consolidated, and adapted from public .conf presentations, blog articles, and Splunk Docs. All information is provided "as is" with no guarantee of completeness, accuracy, or timeliness.
- Originally created by Andreas Greeske and Tomas Baublys in 2020
- Version 2.0 rebuilt by Tomas Baublys on the Splunk UI template by Daniel Federschmidt
- Suggestions and improvements welcome: tbaublys@splunk.com
- Ongoing workshop updates and refinements with Cursor
Canvas Visualizations section powered by splunk-custom-visualizations by Robert Castley — a library of production-ready Canvas 2D API visualizations for Dashboard Studio.
Martin Müller · Clara Merriman · Richard Morgan · and many others linked throughout the app
Dirk Nitschke · Holger Sesterhenn · Henri Mak · Lukas Utz













