AYAN InfoTech is looking for Splunk Data Administrator to join an exciting project based in Melbourne / Sydney. The role offers you the opportunity to contribute towards an extremely well structured and mature environment, working on sophisticated enhancement projects.
Role: Splunk Data Administrator
Location: Melbourne / Sydney
Mode of Employment: Permanent Position (Open for Contract as well)
Experience: 7+ Years
Role Summary:
We are seeking a mid-to-senior Splunk Data Administrator to own and continuously improve Splunk data onboarding, normalization, and quality across a complex hybrid Splunk environment (on-prem and cloud). The ideal candidate is hands-on with CIM alignment, data source onboarding, field extractions (regex/props/transforms/ingest actions), TA deployment, and end-to-end operational management of Splunk data pipelines.
You will act as the key point of contact for ensuring log sources are onboarded correctly, parsed and normalized consistently, and made usable for security/IT operations, dashboards, correlation searches, and reporting.
Required Skills & Experience:
- 5-10 years' experience with Splunk administration and data onboarding (or equivalent depth).
- Strong practical knowledge of:
  - CIM normalization, tags/event types, data model alignment
  - Field extraction (regex, JSON/KV extraction) and troubleshooting parsing issues
  - props.conf / transforms.conf, sourcetypes, timestamps, line-breaking
  - TA installation/configuration and deployment patterns across Splunk tiers
- Experience with complex Splunk architectures:
  - Indexer clusters, SH/SHC, forwarder management, deployment server
  - Hybrid patterns (on-prem + cloud), connectivity, and ingestion strategies
- Comfortable writing and validating SPL for data quality and CIM compliance.
- Strong log source knowledge across common domains:
  - Security: EDR, firewall, proxy, IAM/auth, VPN, email security
  - Infrastructure: Windows, Linux, network devices, virtualization
  - Cloud: AWS/Azure/GCP logging patterns (nice-to-have)
Key Responsibilities:
- Lead onboarding of new log sources end-to-end: requirements gathering, source validation, parsing strategy, TA selection/deployment, CIM alignment, testing, and release.
- Partner with Security/IT teams to translate use-cases into data requirements, ensuring sources deliver the right fidelity, timeliness, and coverage.
- Manage onboarding at scale using best practices for source types, metadata strategy, index & sourcetype governance, and naming conventions.
- Define and enforce data quality standards (field completeness, timestamps, event consistency, parsing accuracy, duplication control).
- Normalize data to Splunk Common Information Model (CIM) with strong understanding of data models (e.g., Authentication, Network Traffic, Endpoint, Change, etc.).
- Ensure fields are aligned to CIM requirements to support Splunk Enterprise Security (ES) and other CIM-based content.
- Validate normalization using SPL and develop reusable onboarding checklists.
- Operate and support Splunk in complex environments:
  - On-prem Indexer Cluster, Search Head Cluster, Forwarder tiers
  - Splunk Cloud integrations where applicable (e.g., Heavy Forwarder, VPN, PrivateLink, data forwarding patterns)
- Configure and troubleshoot data ingestion pipelines:
  - Syslog (UDP/TCP), API-based collection, HEC, file monitors, Windows Event Logs, cloud sources
- Ensure performance and reliability across the pipeline, including indexing throughput, parsing overhead, and search impact.
Contact: 61-(02) 7207 6926 for more details.
Please note we will be able to contact only shortlisted candidates for this role. We thank you in advance for your interest.