$140-$160k + super
We're partnering with a large enterprise organisation to find a hands-on Splunk Data Administrator who's ready to take ownership of data onboarding, normalisation, and quality across a complex hybrid Splunk environment.
This is a high-impact role sitting at the intersection of security, infrastructure, and data operations — ideal for someone who thrives on building things right and making data genuinely usable.
What You'll Be Doing
- Leading end-to-end onboarding of log sources — from requirements through to CIM alignment, testing, and release
- Normalising data to Splunk CIM across key data models (Authentication, Network Traffic, Endpoint, Change, and more)
- Designing and implementing field extractions using props.conf / transforms.conf, regex, JSON, KV_MODE, and ingest actions
- Installing, configuring, and maintaining TAs and apps across Heavy Forwarders, Indexers, Search Heads, and Deployment Servers
- Operating across a hybrid architecture — on-prem indexer/SHC clusters combined with Splunk Cloud integrations
- Monitoring ingestion health, troubleshooting pipeline issues, and maintaining governance standards
- Contributing to runbooks, SOPs, and continuous improvement across onboarding and normalisation practices
What You'll Bring
- 5–10 years of hands-on Splunk administration and data onboarding experience
- Strong working knowledge of CIM normalisation, tags/eventtypes, and datamodel alignment
- Solid field extraction skills — regex, JSON/KV, props/transforms, timestamp and line-breaking configuration
- Experience across complex Splunk architectures including indexer clusters, SHC, forwarder tiers, and hybrid patterns
- Confident writing SPL for data quality validation and CIM compliance
- Broad log source knowledge across security (EDR, firewall, IAM, VPN), infrastructure (Windows, Linux, network), and ideally cloud (AWS/Azure/GCP)
Interested? Drop me a message or apply directly – greg.perl@pra.com.au