XPT Software Australia Pty Ltd | Contract
Splunk Data Administrator
Melbourne, Australia | Posted on 05/20/2026
* XPT Software Australia PTY Ltd, incorporated in 2016, is a Software Services company.
* XPT works with top clients across Australia in Banking, Insurance, Telecom, Retail, Energy, Mining and Manufacturing domains.
* We have 120+ technocrats in Australia working at our client locations.
* XPT Software Australia is part of a group of companies with a global presence across India & Europe.
* We have served 100+ clients globally, fulfilling their onsite-offshore needs.
Job Description
Role Summary
We are seeking a mid to senior Splunk Data Administrator to own and continuously improve Splunk data onboarding, normalization, and quality across a complex hybrid Splunk environment (on-prem and cloud).
The ideal candidate is hands-on with CIM alignment, data source onboarding, field extractions (regex/props/transforms/ingest actions), TA deployment, and end-to-end operational management of Splunk data pipelines.
You will act as the key point of contact for ensuring log sources are onboarded correctly, parsed and normalized consistently, and made usable for security/IT operations, dashboards, correlation searches, and reporting.
Splunk
* Good understanding of Splunk architecture and its components (Search Heads, Indexers, Deployers).
* Experience managing and troubleshooting Splunk distributed environments (clusters), including Splunk upgrades and migrations.
* Expertise in Linux systems, specifically RHEL and Amazon Linux.
* Experience with AWS services, including EC2, S3, IAM, VPC, Subnets, Security Groups, and CloudWatch.
DevOps & Automation Tools
* Experience with Jenkins pipelines and CI/CD processes, Ansible for configuration management and automation, Terraform for infrastructure provisioning.
* Ability to write custom Ansible playbooks and Terraform modules for system management, and to use scripting languages such as Bash, Python, or Shell for automation tasks.
Certifications (Optional)
* Splunk Certified Admin.
* AWS Certified Solutions Architect – Associate or Professional.
Required Skills & Experience
* 5–10 years' experience with Splunk administration and data onboarding (or equivalent depth).
* Strong practical knowledge of:
  * Field extraction (regex, JSON/KV extraction) and troubleshooting parsing issues.
  * props.conf / transforms.conf, sourcetypes, timestamps, line-breaking.
  * TA installation/configuration and deployment patterns across Splunk tiers.
* Experience with complex Splunk architectures:
  * Indexer clusters, SH/SHC, forwarder management, deployment server.
  * Hybrid patterns (on-prem + cloud), connectivity, and ingestion strategies.
* Comfortable writing and validating SPL for data quality and CIM compliance.
* Cloud: AWS/Azure/GCP logging patterns (nice-to-have).
Key Responsibilities
Data Onboarding & Lifecycle Management
* Lead onboarding of new log sources end-to-end: requirements gathering, source validation, parsing strategy, TA selection/deployment, CIM alignment, testing, and release.
* Partner with Security/IT teams to translate use-cases into data requirements, ensuring sources deliver the right fidelity, timeliness, and coverage.
* Manage onboarding at scale using best practices for source types, metadata strategy, index & sourcetype governance, and naming conventions.
* Define and enforce data quality standards (field completeness, timestamps, event consistency, parsing accuracy, duplication control).
* Normalize data to Splunk Common Information Model (CIM) with strong understanding of data models (e.g., Authentication, Network Traffic, Endpoint, Change, etc.).
* Ensure fields are aligned to CIM requirements to support Splunk Enterprise Security (ES) and other CIM-based content.
* Validate normalization using SPL and develop reusable onboarding checklists.
* Design and implement robust field extractions using:
  * regex and structured parsing (KV_MODE, JSON, XML).
  * sourcetype / timestamp / line-breaking configuration.
* Implement enrichment and routing using event breaking, host/source normalization, lookups, and tagging.
* Troubleshoot parsing issues (timestamp drift, multi‐line events, encoding, truncation, duplicate ingestion, broken extractions).
* Install, configure, and maintain Splunk Add-ons (TAs) and apps across:
  * Indexer / Search Head / SHC.
  * Deployment Server / Cluster Manager (where applicable).
* Maintain version compatibility and upgrade strategies for:
  * Splunk Enterprise / Splunk Cloud.
  * Add-ons, apps, and content packs.
* Package and deploy TAs using deployment pipelines and change management controls.
Hybrid Splunk Architecture Operations
* Operate and support Splunk in complex environments:
  * On-prem Indexer Cluster, Search Head Cluster, Forwarder tiers.
  * Splunk Cloud integrations where applicable (e.g., Heavy Forwarder, VPN, PrivateLink, data forwarding patterns).
* Configure and troubleshoot data ingestion pipelines:
  * Ensure performance and reliability across the pipeline, including indexing throughput, parsing overhead, and search impact.
Monitoring, Troubleshooting & Governance
* Monitor ingestion health and pipeline performance.
* Maintain governance for indexes, sourcetypes, retention, RBAC and data access boundaries (as required).
* Contribute to operational runbooks, SOPs, and documentation; drive continuous improvement in onboarding and normalization standards.
Preferred / Nice-to-Have
* Experience with Splunk Enterprise Security (ES) and ES add-ons / CIM compliance expectations.
* Knowledge of Splunk Ingest Actions / Edge Processor (or modern ingestion tools, where applicable).
* Familiarity with:
  * ITSI / Observability (bonus).
  * Splunk Core Certified Power User / Admin.