Splunk Interview Questions

License Master is the used for control how much data you can index in a day. License master has a clock which tracks the data indexed by any Splunk Enterprise Infrastructure. License master is also used to block the users from accessing the search data in 24 hours once the license slave is disconnected from the license master.

DB Connect in Splunk is plugin to access generic SQL databases and integrate various information and data available in those databases with Splunk queries and reports.

Following are the core components in Splunk Architecture.

1. Search Head Interface it is a graphical user interface (GUI) which enables to search using various search queries.
2. Indexer it is used by the Splunk tool to index the data available in the machine.
3. Forwarder this component in Splunk architecture forwards the logs to the indexer.
4. Server (Deployment) with the help of this component, all the Splunk components is managed in a distributed environment.

In the midst of various tools available for managing general data, there is a need for an effective tool to manage the machine data. Splunk is more like a Google for your machine data. With the help of this engine the machine data in the system can be searched, visualized, monitored and reported easily. The tool also provides real-time insights on the machine data using representations such as charts, reports and alerts.

The below command can be used to access the default Splunk configuration.

$splunkhome/etc/system/default

The command to enable Splunk to boot-start is:

$SPLUNK_HOME/bin/Splunk

The command to disable Splunk to boot-start is:

$SPLUNK_HOME/bin/Splunk

Summary indexes are used in Splunk Enterprise to boost the reporting efficiency. It enables the users to generate reports after processing huge volumes of machine data.

There are two types of summary indexes. They are,

• Default Summary Index used by Splunk Enterprise by default where no other summary index are specified.
• Additional Summary Index These are summary indexes defined to replace the default summary index to enable running varieties of reports.

There are three main phases of works for Splunk. They are,

Data Gathering This is the first phase and during this phase, the tool collects the data required to solve the query from the sources specified with the query.

Process the Results It then converts the received data into results expected for the respective query.

Displays the Information In this last phase, the result obtained by the previous phase is displayed to the user. The display can be represented with the help of the chart, report or a graph.

There are three types of alerts in Splunk. They are,

Pre-result Alerts This alert runs in real-time and one of the commonly used alerts. They are triggered whenever the Splunk enterprise returns the results for a specified query.

Scheduled Alerts This also a commonly used alert type that runs at a regular schedule specified by the user.

Rolling-Window Alerts This type of alert is the combination of Pre-result Alerts Scheduled Alerts. It analyzes the real-time events inside the rolling window using mapping techniques and depending on the conditions; the alert is triggered in real-time or scheduled time.

The stage of Splunk enables you to get visibility into machine information produced from various networks, servers, gadgets or devices, and hardware equipment. It can give bits of knowledge into the application administration, threat perceivability, compliance, security, and etc. so that the same can be utilized to analyze the machine data. 

The information is gathered from the forwarder from the source and sent to the indexer. The information is put away locally on a host machine or cloud. Then, the data stored in the indexer the search head searches, visualizes, analyzes and performs various other functions.

The following are parts of Splunk:

Search head - gives GUI to seeking

Indexer - records machine information

Forwarder - Forwards logs to Indexer

Deployment server - Mange's Splunk parts in the circulated condition 

There are three different ways of troubleshooting:

Check for the errors in the splunkd.log

Check for the server performance issues

Install Splunk on Splunk application and check for errors and the warnings in the dashboard 

To reset the administrator secret password, sign into the server on which Splunk is introduced and rename the password file and then restart the Splunk. After the following steps, you can sign in utilizing the default username as: administrator/admin with a password as: changeme 

For making an organized progressive model of your information Data Models are utilized. When you need to make utilization of that data without utilizing complex pursuit questions or you have a lot of unstructured information, you can utilize the Data Models. While pivot , you have the adaptability to make the front views of your results and then further pick and select the appropriate filters for getting the better view of results. 

It is a bit complicated to search and filters the system data. But the commands which help in filtering the same are"search", "where". "Sort" and "rex"

The latest version of is Splunk 6.3.

The types of licenses are as follows:

1. Enterprise license
   
2. free license
   
3. Forwarder license
   
4. Beta license
   
5. Licenses for search heads (for distributed search)
   
6. Licenses for cluster members (for index replication)
   

Top - Finds most continuous tuple of estimations of all fields in the field list alongside the tally and rate. 

Rare - Finds least frequent tuple of estimations of all fields in the field list. 

stats - Calculates the aggregates statistics over a dataset 

Chart - Creates tabular data output suitable for the charting. 

Timechart - Creates a time series chart with the corresponding table of statistics.

 logstash, Loggly, Loglogic, sumo logic etc.

It specifies that how much data one can index per calendar day. 

Midnight to midnight on the clock of the license master. 

They are incorporated with Splunk, no compelling reason to buy independently 

Splunk begin splunkweb 

Splunk begin splunkd 

ps aux | grep Splunk 

$SPLUNK_HOME/bin/Splunkenable boot-start

$SPLUNK_HOME/bin/Splunkdisable boot-start

Source type is Splunk method for distinguishing information

Search time field extraction alludes to the fields separated while performing searches. And the fields extricated when the information goes to the indexer are alluded to as Index time field extraction.

Alert manager empowers you to see the connection to have a look at the search results. It shows the list of the most recently fired alerts.

Search head pooling interfaces server and shares the load, configuration and the clients or user's data. Whereas search head clustering is a piece of Splunk enterprise search.

It is the Splunk component which creates and manages the indexes. The stages or functions of an indexer are as Indexing incoming data and searching the indexed data.

There are two types of Splunk forwarder such as Universal forwarder (UF) and Heavyweight forwarder (HWF) 

• props.conf
  
• indexes.conf
  
• inputs.conf
  
• transforms.conf
  
• server.conf
  

Splunk app the app which includes the container or the directory of configurations, searches, dashboards and etc. in the Splunk

It's an algorithm utilized for batch-based large-scale parallelization. It is further inspired by the functional programming's like map () and reduce () functions. 

At indexer, Splunk monitors the indexed events in a directory called fish buckets.

There are two ways to extract the fields such as by using the regular expression in the props.conf configuration file and other by extracting fields from events lists, sidebars or from the setting menu via UL.

Splunk free lacks the following features:

• authentication and scheduled searches or alerting
  
• distributed search
  
• forwarding in TCP or HTTP
  
• deployment management
  

In the event of such scenario, a user cannot be able to search data in the salve till the same can reaches the license master again.

It is the default summary index and in the event if you plan to run a variety of summary index reports that one needs to create the additional summary indexes.

It is a generic SQL database module for Splunk that enables you to effortlessly coordinate database data with Splunk inquiries and reports.

Set valueOFFENSIVE=Less in splunk_launch.conf

To clear the search history, delete the below file on the Splunk server as$splunk_home/var/log/splunk/searches.log.

Fundamentally both contains preconfigured design and reports and so on however, Splunk add-on doesn't have any visual application and whereas Splunk applications have preconfigured visual application. 

File precedence is as per the following:

• System local directory: highest priority
  
• App local directories
  
• App default directories
  
• System default directory: lowest priority
  

$SPLUNK_HOME/var/run/Splunk/dispatch contains an index for each inquiry that is running or has finished.  

The steps to add a folder access logs to the Splunk are:

• Empower Object Access Audit through group policy on the windows machine on which folder is found. Empower auditing on a particular folder for which you need to screen or monitor logs
  
• Introduce Splunk all inclusive forwarder on the windows machine
  
• Configure the universal forwarder to send security logs to Splunk indexer.
  

It implies that the Splunk has indexed more information than the purchased acquired quota. Then we need to distinguish which list/source type has gotten more information as of late than an expected day by day information volume. We can keep an eye on Splunk permit ace pool shrewd accessible amount and recognize the pool for which infringement is occurring. Once we know the pool for which we are getting more information then we need to recognize top source type for which we are accepting more information than expected data. Once source type is distinguished then we need to discover source machine which is sending colossal number of logs and root cause for the same and troubleshoot accordingly.

The SPL commands are divided into main five categories as Sorting Results, Filtering Results, Grouping Results, Filtering, Modifying and Adding Fields and Reporting Results.

Hence the common ports numbers are:

• Splunk Management Port with a port number 8089
  
• Splunk Index Replication Port with a port number 8080
  
• KV store with a port number 8191
  
• Splunk Web Port with a port number 8000
  
• Splunk Indexing Port with a port number 9997
  
• Splunk network port with a port number 514
  

A directory which contains the indexed data is termed as the Splunk bucket. The bucket lifecycle includes the stages as hot, Warm, Cold, Frozen, and Thawed.

SOS stands for the Splunk on Splunk. It is a Splunk app which provides a graphical view of the Splunk environment performance and its issues.

It returns the whole lookup table as the search results.

It outputs the current search results to a lookup table on the disk.

It assesses an articulation and dispatches the subsequent incentive into a destination field. In the case where the destination field matches with an effectively existing field name, the existing field is overwritten with the eval articulation. This command evaluates the Boolean, numerical and string articulations.

Utilizing eval command:

• Converting Values
  
• Round Values
  
• Perform Calculations
  
• User conditional statements
  
• Configuration/format Values
  

It sorts the search results by the use of specified fields.

Syntaxused for the same is:

Sort[<count>] <sort-by-clause>... [desc]