Q1) What is Splunk?
Ans: Splunk is often described as "Google for your machine data". It is a software platform for searching, monitoring, visualizing and reporting on machine-generated data (logs, metrics, events) from across an enterprise. Splunk indexes that data and turns it into operational intelligence by giving real-time insight into it through searches, charts, alerts and reports.
Q2) What are the components of Splunk/Splunk architecture?
Ans: The main components of a Splunk deployment are:
- Forwarders (universal or heavy), which collect data on the source hosts and send it on
- Indexers, which parse incoming data, store it in indexes and run searches over it
- Search heads, which accept user searches, distribute them to the indexers and merge the results
- Deployment server, which pushes apps and configuration out to forwarders
- License master, which tracks the daily indexing volume of all instances against the purchased license
The forwarder, indexer, search head and license master are each covered in more detail in the questions below.
Q3) Which is the latest Splunk version in use?
Ans: At the time this article was written, Splunk Enterprise 6.3. Check the Splunk release notes for the current version before giving this answer in an interview.
Q4) What is a Splunk indexer? What are the stages of Splunk indexing?
Ans: The indexer is the Splunk Enterprise component that creates and manages indexes. Its primary functions are indexing incoming data and searching the indexed data (on behalf of a search head in a distributed deployment). Data passes through three stages on its way to disk:
- Input: data is received (from a file, a network port, a forwarder) and tagged with host, source and sourcetype.
- Parsing: the stream is broken into events, timestamps are extracted, and the props.conf/transforms.conf rules are applied (for example, routing events to nullQueue).
- Indexing: events are written to a bucket on disk, together with the index files that make them searchable.
Q5) What is a Splunk forwarder and what are the types of Splunk forwarders?
Ans: A forwarder is a Splunk instance that collects data on a host and sends it to an indexer (or to another forwarder). There are two types:
- Universal forwarder (UF): a lightweight Splunk agent installed on non-Splunk systems to gather data locally and forward it. It does not parse or index data, and its small footprint makes it the recommended agent for production hosts.
- Heavy forwarder (HF, also written HWF): a full Splunk Enterprise instance with forwarding enabled and advanced functionality. Because it can parse data it generally works as a remote collector, intermediate forwarder or data filter (routing or dropping events before they reach the indexers). Because of its footprint it is not recommended as the agent on production application hosts.
Q6) What are the most important configuration files of Splunk, or can you name a few important configuration files in Splunk?
Ans: The most commonly edited configuration files are:
- props.conf (how data of a given source, sourcetype or host is handled: line breaking, timestamps, field extractions, references to transforms)
- transforms.conf (regex-based transforms: field extractions, routing, nullQueue filtering, lookups)
- inputs.conf (what data to collect: files, network ports, Windows event logs)
- indexes.conf (index definitions, bucket paths and size/retention limits)
- server.conf (instance-level settings: server name, clustering, licensing, SSL)
Also worth knowing are outputs.conf (where a forwarder sends its data) and limits.conf (search and resource limits).
Q7) What are the types of Splunk licenses?
Ans:
- Enterprise license
- Free license
- Forwarder license
- Beta license
- Licenses for search heads (for distributed search)
- Licenses for cluster members (for index replication)
Q8) What is a Splunk app?
Ans: A Splunk app is a directory under $SPLUNK_HOME/etc/apps that packages configuration, saved searches, dashboards, lookups and other knowledge objects for a particular use case, optionally with its own user interface. Apps (and add-ons) are the unit in which configuration is distributed, for example by a deployment server.
Q9) Where is Splunk's default configuration stored?
Ans: $SPLUNK_HOME/etc/system/default. These files should never be edited; overrides belong in $SPLUNK_HOME/etc/system/local or in an app's local directory, which take precedence over the defaults and survive upgrades.
Q10) What features are not available in Splunk Free?
Ans: Splunk Free lacks:
- Authentication and user management (there is no login; every user is effectively admin)
- Scheduled searches and alerting
- Distributed search
- Forwarding over TCP/HTTP to non-Splunk systems
- Deployment management (deployment server)
It is also limited to 500 MB of indexed data per day. Because it has no authentication, a Free instance should never be reachable from an untrusted network.
Q11) What happens if the license master is unreachable?
Ans: The license slave starts a 72-hour timer. If it still cannot reach the license master when the timer expires, search is blocked on that slave, although indexing continues. Users cannot search data on that slave until it can reach the license master again.
Q12) What is a summary index in Splunk?
Ans: A summary index is an ordinary index that stores the results of scheduled searches rather than raw events, so that reports over long time ranges can run against precomputed statistics instead of re-scanning the raw data. Splunk creates one named "summary", which is the default summary index used when a report does not name another one. If you plan to run a variety of summary-indexing reports you may need to create additional summary indexes to keep their results apart.
Q13) What is Splunk DB connect?
Ans: Splunk DB Connect is a generic SQL database plugin for Splunk that allows you to easily integrate database information with Splunk queries and reports.
Q14) Can you write a general regular expression for extracting an IP address from logs?
Ans: There are several ways to extract an IP address from logs. Two common rex patterns, both capturing into a field named ip_address:
rex field=_raw "(?<ip_address>\d+\.\d+\.\d+\.\d+)"
rex field=_raw "(?<ip_address>([0-9]{1,3}[\.]){3}[0-9]{1,3})"
Neither pattern checks that each octet is in the range 0-255 or that the match is not part of a longer dotted number (a version string, for instance), so both can produce false positives; tighten the pattern if the extracted field feeds lookups or alerts.
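The following is an added example, not part of the original article, showing the false positives the two loose patterns above produce and a stricter pattern that avoids them. The log lines are constructed for the example; the regexes are written for Python's re module, whose named groups use (?P<name>...) where Splunk's PCRE uses (?<name>...).

```python
import re

# Loose pattern, equivalent to the first rex example above.
LOOSE_IP = re.compile(r"(?P<ip_address>\d+\.\d+\.\d+\.\d+)")

# Stricter pattern: every octet must be 0-255, and word boundaries stop a longer
# dotted number (a version string, a build id) from being taken for an address.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_IP = re.compile(r"(?P<ip_address>\b" + _OCTET + r"(?:\." + _OCTET + r"){3}\b)")


def extract_ips(line, pattern=STRICT_IP):
    """Return every IPv4 address the pattern finds in one log line, in order."""
    return [m.group("ip_address") for m in pattern.finditer(line)]


# Constructed sample lines (not taken from any real system).
SAMPLE_LOG = [
    "Oct 11 12:00:01 fw sshd[123]: Accepted password for alice from 203.0.113.7 port 51234",
    "GET /api HTTP/1.1 200 client=192.0.2.44 upstream=10.10.0.250",
    "agent version 999.1.2.3 started",            # looks like an address, is not one
    "build 10.0.0.12345 deployed to 198.51.100.9",  # first token is not an address either
]


def compare(lines):
    """Addresses the loose and the strict pattern would each extract from the sample."""
    loose = [ip for ln in lines for ip in extract_ips(ln, LOOSE_IP)]
    strict = [ip for ln in lines for ip in extract_ips(ln, STRICT_IP)]
    return loose, strict


if __name__ == "__main__":
    loose, strict = compare(SAMPLE_LOG)
    print("loose :", loose)    # includes 999.1.2.3 and 10.0.0.12345
    print("strict:", strict)   # only the four real addresses
```

The strict pattern can be dropped into rex unchanged apart from the group syntax, since Splunk's regex engine is PCRE; the cost is a slightly slower extraction, which matters only on very high-volume searches.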
Q15) What is the difference between the stats and transaction commands?
Ans: The transaction command groups related events into a single multi-event "transaction". It is most useful in two cases:
- A unique id (from one or more fields) alone is not enough to tell two transactions apart. This happens when the identifier is reused, for example web sessions identified by cookie or client IP; here a time span or pause between events (maxspan, maxpause) is also used to segment the data. In other cases of reuse, say in DHCP logs, a particular message marks the beginning or end of a transaction (startswith, endswith).
- You want to see the raw text of the combined events rather than statistics over their fields.
In all other cases stats is usually the better choice: it performs far better, especially in a distributed search environment, because its work can be split across the indexers. Often there is a unique id, and stats grouped by that id gives the same answer.
Q16) How do you troubleshoot Splunk performance issues?
Ans:
- Check splunkd.log ($SPLUNK_HOME/var/log/splunk/splunkd.log, also searchable via index=_internal) for errors and warnings.
- Check the server itself: CPU and memory usage, disk I/O and free disk space, since both indexing and searching are I/O bound.
- Install the SOS (Splunk on Splunk) app, or use the Distributed Management Console / Monitoring Console that replaced it in Splunk 6.2 and later, and check its dashboards for warnings and errors.
- Check the number of saved searches currently running and their resource consumption; too many concurrent or badly scoped scheduled searches are a common cause of slowness.
- For a slow Splunk Web, use the browser's developer tools: the Net panel of the Firebug extension on older Firefox, or the built-in Network panel of any current browser. Log in to Splunk, open the panel and watch the HTTP requests and responses with the time spent on each. This quickly shows which requests hang Splunk for seconds and which are blameless.
Q17) What are buckets? Explain the Splunk bucket lifecycle.
Ans: Splunk stores indexed data in directories called "buckets". Each bucket is physically a directory holding the raw events of a certain time span together with the index (tsidx) files that make them searchable. A bucket moves through several stages as it ages:
- Hot: currently being written to and searchable; an index has one or more hot buckets.
- Warm: rolled from hot when the bucket fills up or ages out; read-only but still searchable, stored in the same homePath as hot buckets.
- Cold: rolled from warm when the warm bucket count is exceeded; moved to coldPath (often cheaper storage) and still searchable.
- Frozen: removed from the index once a retention limit (maximum age or total index size) is reached. Frozen buckets are deleted by default, or archived if coldToFrozenDir or coldToFrozenScript is configured.
- Thawed: an archived bucket restored into thawedPath; searchable again but no longer subject to the retention rules.
Q18) What is the difference between the stats and eventstats commands?
Ans: stats generates summary statistics over the fields in your search results and returns them as a new result set (one row per group), discarding the original events. eventstats computes the same statistics but adds the results inline as new fields on each original event, and only where the aggregation is relevant to that event, so the raw events are preserved and can be filtered or displayed alongside the aggregate values.
Who are the biggest direct competitors to Splunk?
Ans: Logstash (the ELK stack), Loggly, LogLogic, Sumo Logic, etc.
Q19) What do Splunk licenses specify?
Ans: How much data you can index per calendar day.
Q20) How does Splunk determine one day, from a licensing perspective?
Ans: Midnight to midnight on the clock of the license master.
Q21) How are forwarder licenses purchased?
Ans: They are included with Splunk; there is nothing to purchase separately. A forwarder license permits forwarding (and enables authentication) but not indexing or searching.
Q22) What is the command for restarting just the Splunk web server?
Ans: $SPLUNK_HOME/bin/splunk restart splunkweb (use start instead of restart if it is stopped). In releases before 6.2 Splunk Web is a separate process; from 6.2 onward it runs inside splunkd, so this only restarts the web component.
Q23) What is the command for restarting just the Splunk daemon?
Ans: $SPLUNK_HOME/bin/splunk restart splunkd (or splunk start splunkd if it is stopped). The arguments are case-sensitive on Linux: splunkd and splunkweb, not Splunkd.
Q24) What is the command to check for running Splunk processes on Unix/Linux?
Ans: ps aux | grep splunk (lower case; the processes are named splunkd). $SPLUNK_HOME/bin/splunk status reports the same from Splunk's own point of view.
Q25) What is the command to enable Splunk to start at boot?
Ans: $SPLUNK_HOME/bin/splunk enable boot-start (run as root). Add -user <account> so that the init script starts Splunk as a dedicated non-root user, which is the recommended way to run it.
Q26) How do you disable Splunk boot start?
Ans: $SPLUNK_HOME/bin/splunk disable boot-start
Q27) What is a sourcetype in Splunk?
Ans: The source type is the default field Splunk uses to identify the kind of data in an event (for example access_combined or syslog). It is assigned at input time and drives how the data is handled: line breaking, timestamp extraction and search-time field extractions are all configured per sourcetype in props.conf, and searches commonly filter on it.
Q28) How do you reset the Splunk admin password?
Ans: Log in to the server on which Splunk is installed, stop Splunk, rename (or move) the file $SPLUNK_HOME/etc/passwd, and start Splunk again. Splunk recreates the file and you can log in with the default credentials, username admin and password changeme, which you should change immediately. Anyone with write access to $SPLUNK_HOME on the host can do the same, so file-system permissions on the Splunk installation matter as much as the password itself. (From Splunk 7.1 there is no default changeme password; the admin password is seeded through $SPLUNK_HOME/etc/system/local/user-seed.conf before the first start instead.)
Q29) How do you disable the Splunk launch message?
Ans: Set OFFENSIVE=Less in $SPLUNK_HOME/etc/splunk-launch.conf and restart Splunk.
Q30) How do you clear the Splunk search history?
Ans: Delete the file $SPLUNK_HOME/var/log/splunk/searches.log on the Splunk server.
Q31) What is btool, or how would you troubleshoot Splunk configuration files?
Ans: btool is a command-line tool shipped with Splunk ($SPLUNK_HOME/bin/splunk btool) that prints the configuration values actually in effect after all copies of a .conf file have been merged according to the precedence rules. Run it as splunk btool <conf-name> list (for example props or inputs) to see the merged settings, and add --debug to prefix every line with the file the setting was taken from, which is the quickest way to find out which local or app copy is overriding a value. It reads the files on disk, so it shows what the next restart or reload will use, not necessarily what the running process has loaded.
Q32) What is the .conf file precedence in Splunk?
Ans: The same .conf file can exist in several directories and Splunk merges them attribute by attribute; when two copies set the same attribute in the same stanza, the copy from the higher-precedence directory wins. For settings evaluated in the global context (index-time settings such as inputs, indexes and parsing rules) the precedence, from highest to lowest, is:
1. $SPLUNK_HOME/etc/system/local
2. $SPLUNK_HOME/etc/apps/<app>/local
3. $SPLUNK_HOME/etc/apps/<app>/default
4. $SPLUNK_HOME/etc/system/default
Settings evaluated in a user/app context (search-time settings) are resolved first from the current user's directory ($SPLUNK_HOME/etc/users/<user>/<app>/local), then the current app's local and default directories, then exported settings of other apps, then the system directories. Nothing should ever be edited under a default directory.
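The following is an added example, not part of the original article, modelling how Splunk layers the global-context directories listed above. The props.conf fragments are constructed for the example and the stanza name my_sourcetype is hypothetical; the point it shows is that a higher-precedence file overrides individual attributes, never whole stanzas.

```python
# Global-context precedence, lowest first: each later directory overrides the earlier ones.
PRECEDENCE_GLOBAL = [
    "etc/system/default",
    "etc/apps/<app>/default",
    "etc/apps/<app>/local",
    "etc/system/local",
]

# Constructed props.conf fragments, one per directory, as {stanza: {attribute: value}}.
LAYERS = {
    "etc/system/default":     {"my_sourcetype": {"SHOULD_LINEMERGE": "true",
                                                 "MAX_TIMESTAMP_LOOKAHEAD": "128"}},
    "etc/apps/<app>/default": {"my_sourcetype": {"SHOULD_LINEMERGE": "false",
                                                 "TIME_PREFIX": "^"}},
    "etc/apps/<app>/local":   {"my_sourcetype": {"TRANSFORMS-null": "setnull"}},
    "etc/system/local":       {"my_sourcetype": {"SHOULD_LINEMERGE": "true"}},
}


def effective(layers, order):
    """Merge the layers in precedence order, attribute by attribute.

    Returns {stanza: {attribute: (value, winning_directory)}}.  A stanza in a
    higher-precedence file does not replace the whole stanza from a lower one;
    only the attributes it actually sets are overridden.
    """
    merged = {}
    for directory in order:                       # lowest precedence first
        for stanza, attrs in layers.get(directory, {}).items():
            for attr, value in attrs.items():
                merged.setdefault(stanza, {})[attr] = (value, directory)
    return merged


def debug_listing(layers, order, stanza):
    """Lines in the spirit of 'splunk btool props list --debug': source file, then setting."""
    settings = effective(layers, order)[stanza]
    return [f"{src:<24} {attr} = {val}" for attr, (val, src) in sorted(settings.items())]


if __name__ == "__main__":
    print("[my_sourcetype]")
    for line in debug_listing(LAYERS, PRECEDENCE_GLOBAL, "my_sourcetype"):
        print(line)
```

Here SHOULD_LINEMERGE ends up true from etc/system/local even though the app's default says false, while TIME_PREFIX survives from the app's default because nothing above it sets that attribute; that mix of winners is exactly what btool --debug exists to reveal.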
Q33) What is the fishbucket, or the fishbucket index?
Ans: It is a directory, by default $SPLUNK_HOME/var/lib/splunk/fishbucket (/opt/splunk/var/lib/splunk/fishbucket on a standard Linux install), in which Splunk keeps seek pointers and CRCs for the files it is monitoring, so that splunkd can tell whether it has already read a file and where it left off. It can be inspected from the GUI by searching index=_thefishbucket.
Q34) How do I exclude some events from being indexed by Splunk?
Ans: Define a regex that matches the events you care about and route everything else to nullQueue at parse time (on an indexer or heavy forwarder, since a universal forwarder does not parse). Here is a basic example that drops everything except events containing the string login.
In props.conf:

[source::/var/log/foo]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = setnull,setparsing

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = login
DEST_KEY = queue
FORMAT = indexQueue

The transforms in a TRANSFORMS- list run in the order given, and the last one whose REGEX matches sets the queue: setnull first sends every event to nullQueue, then setparsing pulls the login events back to indexQueue. Reversing the order would drop everything. Events sent to nullQueue are discarded before indexing and do not count against the license.
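The following is an added example, not part of the original article or of Splunk itself, modelling how the TRANSFORMS-set list above is applied so that the effect of the ordering can be seen. The transform table mirrors the two stanzas in the answer; the events are constructed for the example, and the model ignores SOURCE_KEY and any DEST_KEY other than queue.

```python
import re

# The two transforms.conf stanzas from the answer, as a table (constructed for this model).
TRANSFORMS = {
    "setnull":    {"REGEX": r".",     "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "setparsing": {"REGEX": r"login", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}

# Constructed sample events for source::/var/log/foo (not from any real system).
EVENTS = [
    "2015-10-02 09:12:01 login succeeded for alice from 203.0.113.7",
    "2015-10-02 09:12:05 heartbeat ok",
    "2015-10-02 09:13:44 login failed for bob from 198.51.100.9",
    "2015-10-02 09:14:10 logout alice",
]


def route(event, order):
    """Apply the named transforms to one event in the given order.

    Every transform whose REGEX matches writes its FORMAT into DEST_KEY, so for
    DEST_KEY = queue the last matching transform decides where the event goes.
    An event that no transform touches keeps the default destination, indexQueue.
    """
    keys = {"queue": "indexQueue"}
    for name in order:
        t = TRANSFORMS[name]
        if re.search(t["REGEX"], event):
            keys[t["DEST_KEY"]] = t["FORMAT"]
    return keys["queue"]


def kept(events, order):
    """The events that would reach the index under this transform order."""
    return [e for e in events if route(e, order) == "indexQueue"]


if __name__ == "__main__":
    print("setnull,setparsing keeps:", kept(EVENTS, ["setnull", "setparsing"]))  # the two login events
    print("setparsing,setnull keeps:", kept(EVENTS, ["setparsing", "setnull"]))  # nothing
```

Note that REGEX = . needs at least one character to match; in the real pipeline the regexes are PCRE and run against _raw unless SOURCE_KEY says otherwise, but the order-dependent outcome is the same as the model shows.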
Q35) How can I tell when Splunk has finished indexing a log file?
Ans: By watching Splunk's metrics log in real time. Indexing throughput per sourcetype is reported in metrics.log in the _internal index; when it drops to zero for your sourcetype, the file has been consumed:
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="<your_sourcetype_here>" | eval MB=kb/1024 | chart sum(MB)
or, to watch everything happening split by sourcetype:
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval MB=kb/1024 | chart sum(MB) avg(eps) over series
The same _internal index (splunkd.log) is also where to look when a data input is misbehaving, particularly when whitelist/blacklist rules are not working the way you expect.
Q36) How do you set the default search time range in Splunk 6?
Ans: In Splunk Enterprise 6.0, use ui-prefs.conf. If you set the value in $SPLUNK_HOME/etc/system/local, all users see it as the default. For example, if your $SPLUNK_HOME/etc/system/local/ui-prefs.conf file includes:

[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

the default time range that all users see in the search app will be "today".
The configuration file reference for ui-prefs.conf is here:
http://docs.Splunk.com/Documentation/Splunk/latest/Admin/Ui-prefsconf
Q37) What is the dispatch directory?
Ans: $SPLUNK_HOME/var/run/splunk/dispatch contains one directory per search that is running or has completed. For example, a directory named 1434308943.358 (the search id) contains a compressed CSV of the search results, a search.log with details of the search execution, and related artefacts. With the defaults (which can be overridden in limits.conf) these directories are deleted 10 minutes after the search completes, unless the user saves the results, in which case they are kept for 7 days. Since every user's search results sit here in the clear, the directory should live on local disk with permissions restricted to the Splunk service account.
Q38) What is the difference between search head pooling and search head clustering?
Ans: Both are Splunk features for keeping search available when a search head goes down. Search head pooling is the older approach: several search heads share configuration and search artefacts through shared storage (typically NFS). Search head clustering, introduced in Splunk 6.2, replaces it, and pooling is deprecated from that release onward. In a cluster the members replicate configuration and search artefacts to each other, and one member is elected captain to coordinate replication and job scheduling across the other members. Search head clustering is more reliable and efficient than pooling, not least because it has no shared-storage single point of failure.
Q39) If I want to onboard folder access logs from a Windows machine into Splunk, how do I do that?
Ans: Windows does not record folder access unless auditing is switched on, so the steps are:
1. Enable object access auditing on the machine (Audit Object Access, or the finer-grained Audit File System subcategory, in the Local Security Policy or via Group Policy), for success and/or failure as required.
2. On the folder itself, open Properties > Security > Advanced > Auditing and add auditing entries (the SACL) for the users or groups and the access types (read, write, delete, etc.) you want recorded. Access attempts then appear in the Security event log, for example as event 4663 (an attempt was made to access an object).
3. Install the Splunk Universal Forwarder on the Windows machine and point its outputs.conf at the indexers.
4. Enable the Security event log input on the forwarder: a [WinEventLog://Security] stanza in inputs.conf with disabled = 0 (the Splunk Add-on for Microsoft Windows provides this input and the field extractions), optionally restricted to the relevant event codes with a whitelist to save license.
5. Verify on the search head, for example by searching sourcetype=WinEventLog:Security EventCode=4663 and checking that the Object_Name field shows the audited folder.
Q40) How would you handle or troubleshoot a Splunk license violation warning?
Ans: A license violation warning means Splunk has indexed more data in a day than the purchased license quota (in Splunk 6.x, five warnings in a rolling 30-day window block search on an Enterprise license, three on Free, although indexing continues). To troubleshoot: on the license master, check the license usage report pool by pool to find the pool in which the violation occurred; within that pool identify the index and sourcetype whose daily volume has grown beyond its usual level (license_usage.log in the _internal index breaks usage down by index, sourcetype and host); then find the source machine sending the unusual volume, establish the root cause (a debug log level left on, a new input, a looping application, a forwarder re-reading files) and fix it. If the extra volume is legitimate, the options are to filter noise to nullQueue before it is indexed or to buy more license.
Q41) What is the MapReduce algorithm?
Ans: MapReduce is the model behind Splunk's distributed search speed. It is a technique for batch-style large-scale parallel processing, inspired by the map() and reduce() functions of functional programming: the search head sends the "map" part of a search to every indexer, each indexer processes its own data in parallel, and the search head "reduces" the partial results into the final answer. This is also why commands such as stats, whose work splits into map and reduce phases, scale better than commands like transaction that need to see all the events together.
Q42) How does Splunk avoid indexing the same log twice?
Ans: Each indexer (or forwarder reading files) keeps track of the files it has read in the fishbucket directory (default /opt/splunk/var/lib/splunk/fishbucket). It stores, per monitored file, a seek pointer and a CRC of the beginning of the file (the first 256 bytes by default), so splunkd can tell whether it has seen the file already and where to resume. A consequence is that files with identical headers, such as rotated logs that all begin with the same banner, can be mistaken for one another; setting crcSalt = <SOURCE> in the inputs.conf monitor stanza folds the file path into the CRC to prevent that.
Q43) What is the difference between the Splunk SDKs and the Splunk App Framework?
Ans: The Splunk SDKs let you build applications from the ground up against Splunk's REST API, without Splunk Web or any component of the App Framework. They are licensed separately from the Splunk software and do not alter it. The Splunk App Framework resides within Splunk's web server and lets you customise the Splunk Web UI that ships with the product and build Splunk apps that run inside that web server. It is part of the features and functionality of the Splunk software, and its licence does not permit users to modify the Splunk software itself.
Q44) What are inputlookup and outputlookup used for in a Splunk search?
Ans: inputlookup returns the whole lookup table as search results. For example, ... | inputlookup lookuptablename returns one result for every row in the lookup table; if the table has two columns, each result carries two field values, host and machine_type.
outputlookup writes the current search results to a lookup table on disk. For example, ... | outputlookup lookup.csv saves all the results into lookup.csv, overwriting the file unless append=true is given.
TekSlate is the best online training provider in delivering world-class IT skills to individuals and corporates from all parts of the globe. We are proven experts in accumulating every need of an IT skills upgrade aspirant and have delivered excellent services. We aim to bring you all the essentials to learn and master new technologies in the market with our articles, blogs, and videos. Build your career success with us, enhancing most in-demand skills in the market.