Splunk Interview Questions
-
- 1. What is the use of License Master in Splunk?
License Master is the used for control how much data you can index in a day. License master has a clock which tracks the data indexed by any Splunk Enterprise Infrastructure. License master is also used to block the users from accessing the search data in 24 hours once the license slave is disconnected from the license master.
- 2. What is the use of DB Connect in Splunk?
DB Connect in Splunk is plugin to access generic SQL databases and integrate various information and data available in those databases with Splunk queries and reports.
- 3. What are important components in Splunk Architecture?
Following are the core components in Splunk Architecture.
- Search Head Interface it is a graphical user interface (GUI) which enables to search using various search queries.
- Indexer it is used by the Splunk tool to index the data available in the machine.
- Forwarder this component in Splunk architecture forwards the logs to the indexer.
- Server (Deployment) with the help of this component, all the Splunk components is managed in a distributed environment.
- 4. How Splunk helps the enterprise?
In the midst of various tools available for managing general data, there is a need for an effective tool to manage the machine data. Splunk is more like a Google for your machine data. With the help of this engine the machine data in the system can be searched, visualized, monitored and reported easily. The tool also provides real-time insights on the machine data using representations such as charts, reports and alerts.
- 5. How to locate the place where default Splunk configuration is stored.
The below command can be used to access the default Splunk configuration.
$splunkhome/etc/system/default
- 6. How to enable and disable Splunk to boot-start using commands?
The command to enable Splunk to boot-start is:
$SPLUNK_HOME/bin/Splunk
The command to disable Splunk to boot-start is:
$SPLUNK_HOME/bin/Splunk
- 7. What is the use of summary index?
Summary indexes are used in Splunk Enterprise to boost the reporting efficiency. It enables the users to generate reports after processing huge volumes of machine data.
- 8. What are the different types of Summary Index?
There are two types of summary indexes. They are,
- Default Summary Index used by Splunk Enterprise by default where no other summary index are specified.
- Additional Summary Index These are summary indexes defined to replace the default summary index to enable running varieties of reports.
- 9. What are the different working phases of Splunk Enterprise?
There are three main phases of works for Splunk. They are,
Data Gathering This is the first phase and during this phase, the tool collects the data required to solve the query from the sources specified with the query.
Process the Results It then converts the received data into results expected for the respective query.
Displays the Information In this last phase, the result obtained by the previous phase is displayed to the user. The display can be represented with the help of the chart, report or a graph.
- 10. What are types of alerts in Splunk?
There are three types of alerts in Splunk. They are,
Pre-result Alerts This alert runs in real-time and one of the commonly used alerts. They are triggered whenever the Splunk enterprise returns the results for a specified query.
Scheduled Alerts This also a commonly used alert type that runs at a regular schedule specified by the user.
Rolling-Window Alerts This type of alert is the combination of Pre-result Alerts Scheduled Alerts. It analyzes the real-time events inside the rolling window using mapping techniques and depending on the conditions; the alert is triggered in real-time or scheduled time.
- 11. What do you mean by the term "Splunk"? Why is it being used for analyzing the system information?
The stage of Splunk enables you to get visibility into machine information produced from various networks, servers, gadgets or devices, and hardware equipment. It can give bits of knowledge into the application administration, threat perceivability, compliance, security, and etc. so that the same can be utilized to analyze the machine data.
- 12. Describe the working mechanism of Splunk.
The information is gathered from the forwarder from the source and sent to the indexer. The information is put away locally on a host machine or cloud. Then, the data stored in the indexer the search head searches, visualizes, analyzes and performs various other functions.
- 13. What are parts of Splunk/Splunk engineering?
The following are parts of Splunk:
Search head - gives GUI to seeking
Indexer - records machine information
Forwarder - Forwards logs to Indexer
Deployment server - Mange's Splunk parts in the circulated condition
- 14. Explain the procedure to troubleshoot the Splunk performance issues?
There are three different ways of troubleshooting:
Check for the errors in the splunkd.log
Check for the server performance issues
Install Splunk on Splunk application and check for errors and the warnings in the dashboard
- 15. How would you reset the Splunk Admin Password?
To reset the administrator secret password, sign into the server on which Splunk is introduced and rename the password file and then restart the Splunk. After the following steps, you can sign in utilizing the default username as: administrator/admin with a password as: changeme
- 16. Clarify the Data Models and Pivot.
For making an organized progressive model of your information Data Models are utilized. When you need to make utilization of that data without utilizing complex pursuit questions or you have a lot of unstructured information, you can utilize the Data Models. While pivot , you have the adaptability to make the front views of your results and then further pick and select the appropriate filters for getting the better view of results.
- 17. Which command is used to the "filtering results" category?
It is a bit complicated to search and filters the system data. But the commands which help in filtering the same are"search", "where". "Sort" and "rex"
- 18. What is the latest version of Splunk which is in use these days?
The latest version of is Splunk 6.3.
- 19. Explain the different types of Splunk licenses?
The types of licenses are as follows:
- Enterprise license
- free license
- Forwarder license
- Beta license
- Licenses for search heads (for distributed search)
- Licenses for cluster members (for index replication)
- Enterprise license
- 20. What are the commands which are used in the reporting results category?
Top - Finds most continuous tuple of estimations of all fields in the field list alongside the tally and rate.
Rare - Finds least frequent tuple of estimations of all fields in the field list.
stats - Calculates the aggregates statistics over a dataset
Chart - Creates tabular data output suitable for the charting.
Timechart - Creates a time series chart with the corresponding table of statistics.
- 21. List a few of the major competitors of the Splunk?
logstash, Loggly, Loglogic, sumo logic etc.
- 22. Explain about the Splunk licenses specify what?
It specifies that how much data one can index per calendar day.
- 23. How does Splunk decide multi-day, from the licensing viewpoint?
Midnight to midnight on the clock of the license master.
- 24. How are forwarder licenses obtained?
They are incorporated with Splunk, no compelling reason to buy independently
- 25. What is the command used for restarting only the Splunk webserver?
Splunk begin splunkweb
- 26. What is the command used for restarting only the Splunk daemon?
Splunk begin splunkd
- 27. What is the command used for checking the running Splunk processes on UNIX/Linux?
ps aux | grep Splunk
- 28. What is Command to empower Splunk to boot start?
$SPLUNK_HOME/bin/Splunkenable boot-start
- 29. How to disable the Splunk boot start?
$SPLUNK_HOME/bin/Splunkdisable boot-start
- 30. What is sourcetype in Splunk?
Source type is Splunk method for distinguishing information
- 31. What is the distinction between Search time and Index time field extractions?
Search time field extraction alludes to the fields separated while performing searches. And the fields extricated when the information goes to the indexer are alluded to as Index time field extraction.
- 32. Describe the function of Alert Manager.
Alert manager empowers you to see the connection to have a look at the search results. It shows the list of the most recently fired alerts.
- 33. Explain the distinction between searches head pooling and search head clustering.
Search head pooling interfaces server and shares the load, configuration and the clients or user's data. Whereas search head clustering is a piece of Splunk enterprise search.
- 34. What does it mean by Splunk indexer and what are the stages of Splunk indexing?
It is the Splunk component which creates and manages the indexes. The stages or functions of an indexer are as Indexing incoming data and searching the indexed data.
- 35. What are the types of Splunk forwarder?
There are two types of Splunk forwarder such as Universal forwarder (UF) and Heavyweight forwarder (HWF)
- 36. List a few of the essential configuration files in the Splunk.
- props.conf
- indexes.conf
- inputs.conf
- transforms.conf
- server.conf
- props.conf
- 37. What does it mean by Splunk app?
Splunk app the app which includes the container or the directory of configurations, searches, dashboards and etc. in the Splunk
- 38. What does it mean by MapReduce algorithm?
It's an algorithm utilized for batch-based large-scale parallelization. It is further inspired by the functional programming's like map () and reduce () functions.
- 39. Explain the procedure of Splunk for avoiding the duplicate indexing of logs.
At indexer, Splunk monitors the indexed events in a directory called fish buckets.
- 40. How to extract fields in Splunk?
There are two ways to extract the fields such as by using the regular expression in the props.conf configuration file and other by extracting fields from events lists, sidebars or from the setting menu via UL.
- 41. List the features which are not available in the spunk free.
Splunk free lacks the following features:
- authentication and scheduled searches or alerting
- distributed search
- forwarding in TCP or HTTP
- deployment management
- authentication and scheduled searches or alerting
- 42. Explain the structure in the case when license master is unreachable.
In the event of such scenario, a user cannot be able to search data in the salve till the same can reaches the license master again.
- 43. What do you understand by the term “summary index†in the Splunk?
It is the default summary index and in the event if you plan to run a variety of summary index reports that one needs to create the additional summary indexes.
- 44. What do you mean by Splunk DB connect?
It is a generic SQL database module for Splunk that enables you to effortlessly coordinate database data with Splunk inquiries and reports.
- 45. How to disable the Splunk launch message?
Set valueOFFENSIVE=Less in splunk_launch.conf
- 46. What is the procedure to clear the Splunk search history?
To clear the search history, delete the below file on the Splunk server as$splunk_home/var/log/splunk/searches.log.
- 47. Differentiate in between the Splunk App And Splunk Add-On?
Fundamentally both contains preconfigured design and reports and so on however, Splunk add-on doesn't have any visual application and whereas Splunk applications have preconfigured visual application.
- 48. What do you imply by .conf Files Precedence in the Splunk?
File precedence is as per the following:
- System local directory: highest priority
- App local directories
- App default directories
- System default directory: lowest priority
- System local directory: highest priority
- 49. What do you mean by the Dispatch Directory?
$SPLUNK_HOME/var/run/Splunk/dispatch contains an index for each inquiry that is running or has finished.
- 50. How to add folder access logs from a Windows Machine to Splunk.
The steps to add a folder access logs to the Splunk are:
- Empower Object Access Audit through group policy on the windows machine on which folder is found. Empower auditing on a particular folder for which you need to screen or monitor logs
- Introduce Splunk all inclusive forwarder on the windows machine
- Configure the universal forwarder to send security logs to Splunk indexer.
- Empower Object Access Audit through group policy on the windows machine on which folder is found. Empower auditing on a particular folder for which you need to screen or monitor logs
- 51. How Would You Handle/investigate Splunk License Violation Warning Error?
It implies that the Splunk has indexed more information than the purchased acquired quota. Then we need to distinguish which list/source type has gotten more information as of late than an expected day by day information volume. We can keep an eye on Splunk permit ace pool shrewd accessible amount and recognize the pool for which infringement is occurring. Once we know the pool for which we are getting more information then we need to recognize top source type for which we are accepting more information than expected data. Once source type is distinguished then we need to discover source machine which is sending colossal number of logs and root cause for the same and troubleshoot accordingly.
- 52. List the number of categories of the SPL commands.
The SPL commands are divided into main five categories as Sorting Results, Filtering Results, Grouping Results, Filtering, Modifying and Adding Fields and Reporting Results.
- 53. List the common port numbers on which the Splunk service runs by default.
Hence the common ports numbers are:
- Splunk Management Port with a port number 8089
- Splunk Index Replication Port with a port number 8080
- KV store with a port number 8191
- Splunk Web Port with a port number 8000
- Splunk Indexing Port with a port number 9997
- Splunk network port with a port number 514
- Splunk Management Port with a port number 8089
- 54. What do you mean by the term Splunk buckets and explain its lifecycle?
A directory which contains the indexed data is termed as the Splunk bucket. The bucket lifecycle includes the stages as hot, Warm, Cold, Frozen, and Thawed.
- 55. SOS stands for.
SOS stands for the Splunk on Splunk. It is a Splunk app which provides a graphical view of the Splunk environment performance and its issues.
- 56. List the lookup command.
- It adds fields based while identifying the value in the event, referencing a lookup table and while adding up the fields in the matching rows in the lookup table of the event.
- 57. List the input lookup command.
It returns the whole lookup table as the search results.
- 58. List the output lookup command.
It outputs the current search results to a lookup table on the disk.
- 59. What do you mean by eval command?
It assesses an articulation and dispatches the subsequent incentive into a destination field. In the case where the destination field matches with an effectively existing field name, the existing field is overwritten with the eval articulation. This command evaluates the Boolean, numerical and string articulations.
Utilizing eval command:
- Converting Values
- Round Values
- Perform Calculations
- User conditional statements
- Configuration/format Values
- Converting Values
- 60. Explain the use of sort command?
It sorts the search results by the use of specified fields.
Syntaxused for the same is:
Sort[<count>] <sort-by-clause>... [desc]
Interested about Splunk?
Get in touch with training experts Get Free QuotesLeave a commentLatest Jobs in US & Canada