Data Onboarding Introduction Flashcards

1
Q

What are the uses of regex in Splunk?

A

a) parsing data and line breaking
b) extracting data at search time or index time
c) to extract fields within your SPL (Search Processing Language)

2
Q

Why is parsing data correctly (using regex) very important?

A

Because data that is parsed incorrectly could have the details of a single event cut off too early, or two separate events could be treated as one single event.

3
Q

In which .conf file do we configure the way that Splunk parses data?

A

props.conf

4
Q

What is line breaking?

A

It tells Splunk where the previous event ends and the next one begins. These are the common characters used:

\r - Carriage return character

\n - New line character

5
Q

What is the line breaking regex?

A

([\r\n]+)

The two line-ending characters are combined into this pattern, which is the default line-breaking regex used for parsing data in Splunk.

6
Q

Tell us about index-time vs. search-time extraction.

A

Index-time extraction simply means that the indexers are told to extract field/value pairs from the data as they are committing it to disk.

Search-time extraction means that the search head performs the extractions as it brings your data back from the indexers. When it presents the data to you, it shows you these field/value pairs.

Search time extraction is a better option.

7
Q

What does onboarding mean in Splunk?

A

Onboarding simply means bringing your data into Splunk.

8
Q

What are some types of environments?

A

a) PROD - (production) - where all changes are finalized and go live.
b) DEV - (development) - most commonly used for testing and development. Sometimes isolated from PROD, sometimes connected. This environment is unpublished and an exact copy of PROD.
c) UAT - (User Acceptance Test) - once the testing phase is over, the users who will be using the application must accept your work on their end.
d) Sandbox - (testing) - an isolated environment where you can safely write code and run tests without any communication with the production environment.

DEV -> UAT (optional) -> PROD

9
Q

What are some different ways to onboard data?

A

a) Standard Onboarding - via UF
b) Syslog
c) HEC (HTTP Event Collector)
d) API collection
e) Scripted inputs
f) One Shot upload

10
Q

What are the primary .conf files for onboarding?

A

inputs.conf
outputs.conf
authentication.conf
authorize.conf
serverclass.conf
indexes.conf
props.conf
transforms.conf

11
Q

What are “tools” in a work environment?

A

The different applications, devices, etc. that companies use.

12
Q

Give a quick overview of data onboarding.

A
  • The first thing we do is gather the requirements from the customer/data owner about the data (where we can find the logs, where to send them, from which servers we will gather logs, the source type, etc.)
  • Decide whether you will use a custom or a premade TA
  • Decide which method of onboarding you will use to bring the data in
  • Decide where the data will reside in Splunk, and which index you will use
  • You should receive a sample log from the data owner for testing purposes, and use props.conf to test it
  • Bring the data in through the proper .conf files
  • Decide who gets access to the data